indexterm:[directory server,OpenLDAP]indexterm:[LDAP,OpenLDAP]indexterm:[X.500,OpenLDAP]indexterm:[X.500 Lite,OpenLDAP] `LDAP` (Lightweight Directory Access Protocol) is a set of open protocols used to access centrally stored information over a network. It is based on the `X.500` standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as "X.500 Lite".
Like X.500, LDAP organizes information in a hierarchical manner using directories. These directories can store a variety of information such as names, addresses, or phone numbers, and can even be used in a manner similar to the _Network Information Service_ (*NIS*), enabling anyone to access their account from any machine on the LDAP-enabled network.
LDAP is commonly used for centrally managed users and groups, user authentication, or system configuration. It can also serve as a virtual phone directory, allowing users to easily access contact information for other users. Additionally, it can refer a user to other LDAP servers throughout the world, and thus provide an ad-hoc global repository of information. However, it is most frequently used within individual organizations such as universities, government departments, and private companies.
This section covers the installation and configuration of [application]*OpenLDAP 2.4*, an open source implementation of the LDAPv2 and LDAPv3 protocols.
===== Introduction to LDAP
Using a client-server architecture, LDAP provides a reliable means to create a central information directory accessible from the network. When a client attempts to modify information within this directory, the server verifies the user has permission to make the change, and then adds or updates the entry as requested. To ensure the communication is secure, the _Transport Layer Security_ (*TLS*) cryptographic protocol can be used to prevent an attacker from intercepting the transmission.
.Using Mozilla NSS
[NOTE]
====
The OpenLDAP suite in {MAJOROSVER} no longer uses OpenSSL. Instead, it uses the Mozilla implementation of _Network Security Services_ (*NSS*). OpenLDAP continues to work with existing certificates, keys, and other TLS configuration. For more information on how to configure it to use the Mozilla certificate and key database, see [citetitle]_link:++http://www.openldap.org/faq/index.cgi?file=1514++[How do I use TLS/SSL with Mozilla NSS]_.
====
The LDAP server supports several database systems, which gives administrators the flexibility to choose the solution best suited to the type of information they are planning to serve. Because of a well-defined client _Application Programming Interface_ (*API*), a large number of applications are able to communicate with an LDAP server, and they are increasing in both quantity and quality.
====== LDAP Terminology
The following is a list of LDAP-specific terms that are used within this chapter:
indexterm:[OpenLDAP,terminology,entry] entry::
A single unit within an LDAP directory. Each entry is identified by its unique _Distinguished Name_ (*DN*).
indexterm:[OpenLDAP,terminology,attribute] attribute::
Information directly associated with an entry. For example, if an organization is represented as an LDAP entry, attributes associated with this organization might include an address, a fax number, etc. Similarly, people can be represented as entries with common attributes such as personal telephone number or email address.
+
An attribute can either have a single value, or an unordered space-separated list of values. While certain attributes are optional, others are required. Required attributes are specified using the [option]`objectClass` definition, and can be found in schema files located in the `/etc/openldap/slapd.d/cn=config/cn=schema/` directory.
+
The assertion of an attribute and its corresponding value is also referred to as a _Relative Distinguished Name_ (*RDN*). Unlike distinguished names, which are unique globally, a relative distinguished name is only unique per entry.
indexterm:[OpenLDAP,terminology,LDIF] LDIF::
The _LDAP Data Interchange Format_ (*LDIF*) is a plain text representation of an LDAP entry. It takes the following form:
+
[subs="quotes"]
----
[_id_] dn: _distinguished_name_
_attribute_type_: _attribute_value_…
_attribute_type_: _attribute_value_…
----
+
The optional _id_ is a number determined by the application that is used to edit the entry. Each entry can contain as many _attribute_type_ and _attribute_value_ pairs as needed, as long as they are all defined in a corresponding schema file. A blank line indicates the end of an entry.
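The LDIF form just described, read by a small parser that is an added example here and not code from this guide or from the OpenLDAP project: it handles the optional leading id, the dn line, repeated attribute types (multi-valued attributes) and the blank line that ends an entry, and additionally follows the RFC 2849 conventions for `#` comment lines, folded lines and base64 (`::`) values, which this section does not describe. The sample input is constructed.

```python
import base64
import re

SAMPLE_LDIF = """\
# constructed sample, not a real directory; comment lines are ignored
1 dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
description:: Sm9obidzIGFjY291bnQ=
mail: jdoe@example.com
mail: john.doe@example.com

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=jdoe,ou=People,
 dc=example,dc=com
"""
_ID_DN = re.compile(r"^(?:(\d+)\s+)?dn:\s*(.*)$")  # "[id] dn: distinguished_name"

def _unfold(text):
    """Drop '#' comment lines; a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return entries as {'id': int|None, 'dn': str, 'attrs': {type: [values]}}."""
    entries, current = [], None
    for line in _unfold(text) + [""]:  # trailing "" flushes the last entry
        if line == "":                 # a blank line ends the entry
            if current is not None:
                entries.append(current)
            current = None
        elif current is None:          # first line of an entry: [id] dn: ...
            m = _ID_DN.match(line)
            if not m:
                raise ValueError("entry must start with a dn: line, got %r" % line)
            current = {"id": int(m.group(1)) if m.group(1) else None, "dn": m.group(2), "attrs": {}}
        else:                          # attribute_type: attribute_value
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):   # '::' marks a base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            current["attrs"].setdefault(attr, []).append(value)  # repeats => multi-valued
    return entries
```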