LDAP Setup and Configuration Guide

Why LDAP as a Naming Service?

LDAP has the potential to replace existing application-specific directories and consolidate information. This means that changes made on an LDAP server will take effect for every directory-enabled application that uses this information. Imagine adding a variety of information about a new user through a single interface only once, and immediately the user has a Unix account, a mail address and aliases, membership in departmental mailing lists, access to a restricted Web server, and inclusion in job-specific restricted newsgroups. The user is also instantly included in the company's phone list, mail address book, and meeting calendar system. When a user leaves, access can be disabled for all of these services with just a single operation.

A directory is distinguished from a general-purpose database by the usage pattern. A directory contains information that is often searched but rarely modified. Host names or user names, for example, are assigned once and then looked up thousands of times. LDAP servers are tuned for this type of usage, whereas relational databases are much more geared toward maintaining data that is constantly changing.

A directory can be replicated to protect against situations such as equipment failure by making the directory data available on multiple servers, known as replica servers. Replicas also improve performance by making more copies of the directory data available and by placing the data close to the users and applications that use it.

Reducing load on the authoritative server is not the only reason for using replica servers. Many Unix networks use Network Information Service (NIS), also known as YP, which uses slave servers on each subnet. As with NIS, putting replicas on subnets can avoid network traffic through routers and reduce latency. However, unlike NIS, the LDAP synchronization scheme features incremental updates that can be pushed immediately to the replicas rather than periodically transferring all of the data.

In order for authoritative information to be maintained, access control needs to be imposed on the privileges to read, write, search, or compare. Access control can be applied to a subtree, an entry, or an attribute type, and granted to individuals, groups, or "self" (which allows an authenticated user to access his or her own entry). This scheme provides a great deal of flexibility. For example, you may want to allow only people in a personnel department to change the title or manager attributes, allow administrative assistants to change office location and pager number information for just their own department, and allow individuals to modify their own home phone number, car license plate, and so on. For more information, see the iPlanet Directory Server documentation.

Let's look at Unix login information as an example. Once the attributes for users are stored in a directory server, you can keep user names and passwords synchronized across multiple operating system platforms by updating them through the Directory Server interface. This not only simplifies the change for users but also reduces the chance of having infrequently used accounts with forgotten passwords.
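The following LDIF is an added worked example of the access-control scheme described two paragraphs above, together with a user entry carrying the Unix login attributes just mentioned. It is not taken from this guide or from the iPlanet documentation; it uses the iPlanet/Sun Directory Server ACI syntax (version 3.0) and standard inetOrgPerson and posixAccount (RFC 2307) attributes. The suffix dc=example,dc=com, the group names, the ou=Engineering department, and the user jdoe are all constructed for the illustration.

```ldif
# Constructed example data: the suffix, groups, department and user are assumptions.
# ACI continuation lines start with two spaces: LDIF strips the first one, so the
# second keeps a separator between tokens when the line is rejoined.

# The ACIs live on the ou=People entry and apply to every entry beneath it.
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
aci: (targetattr = "title || manager")
  (version 3.0; acl "Personnel may change title and manager";
  allow (write)
  groupdn = "ldap:///cn=Personnel,ou=Groups,dc=example,dc=com";)
aci: (target = "ldap:///ou=Engineering,ou=People,dc=example,dc=com")
  (targetattr = "physicalDeliveryOfficeName || pager")
  (version 3.0; acl "Engineering assistants may change office and pager";
  allow (write)
  groupdn = "ldap:///cn=Engineering Assistants,ou=Groups,dc=example,dc=com";)
aci: (targetattr = "homePhone || carLicense")
  (version 3.0; acl "Users may change their own home phone and car license";
  allow (write)
  userdn = "ldap:///self";)
aci: (targetattr = "userPassword")
  (version 3.0; acl "Users may change their own password";
  allow (write)
  userdn = "ldap:///self";)

# Departmental subtree that the second ACI above is scoped to.
dn: ou=Engineering,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Engineering

# Groups named in the groupdn bind rules (members are constructed).
dn: cn=Personnel,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Personnel
uniqueMember: uid=hrlee,ou=Personnel,ou=People,dc=example,dc=com

dn: cn=Engineering Assistants,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Engineering Assistants
uniqueMember: uid=asmith,ou=Engineering,ou=People,dc=example,dc=com

# A user entry holding both directory-style and Unix login attributes.
# userPassword is deliberately omitted here; set it after creation so that
# the server stores it with its configured hashing scheme.
dn: uid=jdoe,ou=Engineering,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
title: Engineer
manager: uid=asmith,ou=Engineering,ou=People,dc=example,dc=com
physicalDeliveryOfficeName: Building 2, Room 214
pager: +1 555 0100
homePhone: +1 555 0101
carLicense: ABC 123
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
```

Two points worth checking when adapting this: Directory Server denies any operation no ACI explicitly allows, so these grants only add write access on top of whatever read or search ACIs the suffix already carries, and the `target` keyword scopes an ACI to the named entry and everything below it, which is what confines the assistants' write access to their own department.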