Oracle Solaris supports LDAP on Oracle Unified Directory (OUD) and OpenLDAP directory servers. However, any generic directory server can function as an LDAP server. In this guide, the terms directory server and LDAP server are synonymous and used interchangeably.
For more information about OUD, see Oracle® Fusion Middleware Administering Oracle Unified Directory. For more information about OpenLDAP, see OpenLDAP Software 2.4 Administrator's Guide.
LDAP has become a term that refers more to the naming service than to the protocol. Throughout this guide, the term LDAP is used to refer to the service rather than to the protocol.
The LDAP naming service is one naming service that is supported in Oracle Solaris. For information about other naming services, see Working With Oracle Solaris 11.4 Directory and Naming Services: DNS and NIS. For a comparison of the different naming services in Oracle Solaris, see Comparing the Naming Services in Working With Oracle Solaris 11.4 Directory and Naming Services: DNS and NIS.
LDAP performs the following services:
Naming service – LDAP provides naming data in response to a client request. For example, when resolving host names, LDAP functions like DNS by returning fully qualified domain names. Suppose that the name of a domain is west.example.net. If an application requests the host name by using gethostbyname() or getnameinfo(), LDAP returns the value server.west.example.net. While the LDAP naming service can be used to look up host names, Oracle recommends using DNS to look up host names.
Authentication service – LDAP manages and provides information that relates to client identity, authentication, and accounts. Therefore, LDAP implements security measures to provide information only to authorized requesters.
The LDAP naming service provides the following advantages:
Application-specific databases are replaced, so information is consolidated and fewer distinct databases need to be managed.
Different naming services can share data.
Data is kept in a central repository.
Data is synchronized frequently between masters and replicas.
The service is compatible across multiple platforms and vendors.
The following restrictions apply to the LDAP naming service:
An LDAP server cannot be its own client.
A client cannot be a client of NIS and LDAP at the same time.
Setting up and managing an LDAP naming service is complex and requires careful planning. For information about planning for LDAP services, see Planning Requirements for LDAP Naming Services.
The LDAP naming service stores information in a directory information tree (DIT). The DIT consists of hierarchically structured containers of information that follow a defined LDAP schema.
The default schema that is followed by most DITs suffices for most networks that use LDAP. However, the DIT is flexible. You can specify search descriptors in the client profile to override the default structure of a DIT. For more information about search descriptors, see Service Search Descriptors and Schema Mapping.
The following table shows the containers of a DIT and the type of information each container stores. For more information, see Directory Information Tree.