Before proceeding, a brief explanation of LDAP is required. Lightweight Directory Access Protocol (LDAP) is a directory service that can be used to store almost anything. In this way, it is very similar to a database. However, it is designed to store only small amounts of data, and it is optimized for quick searching of records rather than frequent updates. A perfect example of an application for which LDAP is suited is a PKI environment. This type of environment stores only a minimal amount of information and must be accessed quickly.
The easiest way to explain the structure of LDAP is to imagine it as a tree. Each LDAP directory starts with a root entry. From this entry others branch out, and from each of these branches are more branches, each with the ability to store a bit of information. A sample LDAP tree is shown in Figure 17-1.
Another critical difference between LDAP and regular databases is that LDAP is designed for interoperability. LDAP uses predefined schemas, which define the attribute types and entry structures that make up a particular tree. The X.500 attribute types used in distinguished names are outlined by RFC 2253, which defines the following string names for them:
String   X.500 AttributeType
------   -----------------------
CN       commonName
L        localityName
ST       stateOrProvinceName
O        organizationName
OU       organizationalUnitName
C        countryName
STREET   streetAddress
DC       domainComponent
UID      userid
Another useful schema is inetOrgPerson. It is designed to represent people within an organizational structure and contains values such as telephone numbers, addresses, user IDs, and even employee photos.
Each LDAP entry is named within its parent by a Relative Distinguished Name (RDN), and the chain of RDNs from the entry up to the root forms its Distinguished Name (DN), which is how an individual entry is referred to. For example, the user Bob Jones might have an RDN of:
cn=BobJones
And his DN might look like this:
c=us,st=California,o=VirtualBrewery,ou=Engineering,cn=BobJones
While this section barely scratches the surface of the entirety of LDAP, it serves as the necessary background to install and operate OpenLDAP. For a more detailed look at LDAP, consult RFC 2251, "The Lightweight Directory Access Protocol (v3)."