Directory Services (LDAP)
A Lightweight Directory Access Protocol (LDAP) server is available as part of IBM i in the product called 'Directory Services for IBM i'. The server provides a network directory which can be accessed by network clients using the LDAP protocol.
Lightweight Directory Access Protocol (LDAP), an Internet protocol for accessing directories, may help you with your directory problems. LDAP is an open industry standard that has evolved to meet the needs for accessing and updating information in directories. LDAP is gaining wide acceptance as the directory access method of the Internet and is therefore also becoming strategic within corporate intranets. It is supported by a growing number of software vendors and is being incorporated into a growing number of applications. IBM has already delivered LDAP support for IBM i, AIX, OS/390, NT and Windows.
What is a Directory?
A directory is a listing of information about objects arranged in some order that gives details about each object. Common examples are a city telephone directory and a library card catalog. In computer terms, a directory is a specialized database, also called a data repository, that stores typed and ordered information about objects. Directories allow users or applications to find resources that have the characteristics needed for a particular task. For example, a directory of users can be used to look up a person's e-mail address or fax number. A directory could be searched to find a nearby PostScript color printer. Or a directory of application servers could be searched to find a server that can access customer billing information. Searching a directory is similar to looking up a name in the white or yellow pages of a telephone directory. If the name of a particular individual object is not known, the directory can be searched for a list of objects that meet a certain requirement. However, directories stored on a computer are much more flexible than the yellow pages of a telephone directory because they can usually be searched by specific criteria, not just by a predefined set of categories.
Although directories may originally have been used for databases of personal information, such as a telephone number or e-mail address, the number of directory applications has recently increased considerably. Directories are now being used to hold all of the information about a person and are being used for authenticating a user to network services. Systems management applications have recently started exploiting the directory for profile-based management of system resources, such as bandwidth utilization of a network.
What is LDAP?
In 1988, the CCITT (Consultative Committee on International Telephony and Telegraphy) created the X.500 standard, which became ISO 9594, Data Communications Network Directory, Recommendations X.500-X.521 in 1990, though it is still commonly referred to as X.500. X.500 organizes directory entries in a hierarchical name space capable of supporting large amounts of information and specifies that communication between the directory client and the directory server uses the directory access protocol (DAP). However, as an application layer protocol, the DAP requires the entire OSI protocol stack to operate. Supporting the OSI protocol stack requires more resources than are available in many small environments.
Therefore, an interface to an X.500 directory server using a less resource-intensive, or lightweight, protocol was desired. LDAP was developed at the University of Michigan as a lightweight alternative to DAP (thus the name LDAP). LDAP requires the lighter-weight and more popular TCP/IP protocol stack rather than the OSI protocol stack. LDAP also simplifies some X.500 operations and omits some esoteric features.
LDAP defines a communication protocol. That is, it defines the transport and format of messages used by a client to access data in an X.500-like directory. LDAP does not define the directory service itself. However, when referring to a directory that can be accessed using LDAP, the directory is usually called an LDAP directory. Therefore, LDAP directories can be implemented in many different ways. IBM implements cross platform LDAP directories using DB2 and Lotus Domino.
An LDAP client is a software application that accesses an LDAP server using a TCP/IP connection. The client accesses the LDAP directory using an industry standard API, such as the LDAP C API, and does not need to know how the LDAP server stores the information. A client may log on anonymously to an LDAP server, thus seeing only 'public' information, or authenticate as a specific user, in which case information to which that particular user is allowed access is also made visible.
LDAP, which has become the Internet standard for directory operations, is starting to replace the more familiar HTTP in some Internet applications. An Internet URL may specify the address of an LDAP server, instead of an HTTP server. When specifying an LDAP URL, parameters can be specified to perform searches of the directory. For example, using a web browser you can search a directory to display personal information by specifying:
ldap://ldap_server/c=rochester,o=ibm??sub?(cn=John Smith)
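To make the URL layout concrete, the following added example (not code from this page, from IBM i, or from Directory Services) parses an LDAP URL into its host, base DN, attribute list, scope and filter, and builds one back from those parts. When the filter is assembled from a looked-up name, the name is escaped per RFC 4515 so that characters such as `*`, `(` and `)` in the input cannot change the filter's structure. The host name `ldap_server` and the base DN `c=rochester,o=ibm` are the placeholders from the URL above; everything else is constructed for the illustration.

```python
"""Parse and build LDAP URLs laid out as in RFC 4516:
    ldap://host[:port]/dn[?attributes[?scope[?filter[?extensions]]]]
Added illustration; not code from IBM i Directory Services."""
from dataclasses import dataclass, field
from urllib.parse import quote, unquote

SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    host: str
    port: int
    dn: str
    attributes: list = field(default_factory=list)
    scope: str = "base"                # RFC 4516 default when the scope part is empty
    filter: str = "(objectClass=*)"    # RFC 4516 default when the filter part is empty
    extensions: list = field(default_factory=list)
    secure: bool = False


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL into its components, percent-decoding each one."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()            # scheme names are case-insensitive
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    secure = scheme == "ldaps"
    hostport, _, path = rest.partition("/")
    if hostport.startswith("["):       # IPv6 literal such as [::1]:389
        host, _, port = hostport[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    port = int(port) if port else (636 if secure else 389)
    # The '?' separators are significant: a literal '?' inside a component
    # must have been percent-encoded, so split first and decode afterwards.
    parts = path.split("?")
    if len(parts) > 5:
        raise ValueError("too many '?' separators in %r" % url)
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, flt, exts = (unquote(p) for p in parts)
    scope = scope.lower() or "base"
    if scope not in SCOPES:
        raise ValueError("bad scope %r" % scope)
    return LdapUrl(
        host=host, port=port, dn=dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope,
        filter=flt or "(objectClass=*)",
        extensions=[e for e in exts.split(",") if e],
        secure=secure,
    )


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515) so that
    text taken from a user cannot alter the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def build_ldap_url(host, dn, attributes=(), scope="base", filter="",
                   port=None, secure=False):
    """Assemble an LDAP URL, percent-encoding each component."""
    scheme = "ldaps" if secure else "ldap"
    hostport = host if port is None else "%s:%d" % (host, port)
    return "%s://%s/%s?%s?%s?%s" % (
        scheme, hostport,
        quote(dn, safe="=,+;"),
        ",".join(quote(a, safe="") for a in attributes),
        scope,
        quote(filter, safe="()=*&|!"),   # spaces and '?' become %20 and %3F
    )


def person_search_url(host, base_dn, cn):
    """URL for a subtree search by common name, with the name escaped."""
    return build_ldap_url(host, base_dn, scope="sub",
                          filter="(cn=%s)" % escape_filter_value(cn))


if __name__ == "__main__":
    print(parse_ldap_url("ldap://ldap_server/c=rochester,o=ibm??sub?(cn=John Smith)"))
    print(person_search_url("ldap_server", "c=rochester,o=ibm", "Smith*)(|(cn="))
```

The parser accepts the page's URL with an upper-case scheme as well, since scheme names are case-insensitive; the builder always emits the lower-case form. Note that the page's URL carries a literal space inside the filter; browsers tolerate that, but a strictly conforming URL percent-encodes it, which is what `build_ldap_url` does.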
LDAP directories may be located on a single server or configured across multiple servers. LDAP servers can replicate information between servers, making information more accessible. Synchronization of LDAP directories with non-LDAP directories provides for a 'meta-directory' and a consistent method for all directory access. You can deploy applications that provide the synchronization, thus extending your LDAP directory to meet your specific needs.
Support of LDAP
Since V4R3, LDAP has been included free in IBM i as part of Directory Services for IBM i (option 32). Directory Services includes an LDAP server and complete set of LDAP clients and utilities.
The LDAP server uses DB2/400 for storing the directory information and is configured using Operations Navigator for i.
The IBM i LDAP client supports accessing any LDAP server from all IBM i ILE programming languages: C, COBOL and RPG. An LDAP client for Windows is included with IBM i Client Access, and a Java client is included in IBM i's support of the Java Naming and Directory Interface (JNDI).
Command line utilities are provided for accessing an LDAP server from Windows and IBM i. These utilities are compatible with LDAP utilities provided for other operating systems and allow you to search, add, modify and delete directory information.
LDAP is the standard for Internet directories in a heterogeneous network. Regardless of the directory's implementation, LDAP provides applications with a consistent view and access method for information in the network. Initially LDAP directories focused on personal information such as names and addresses, but LDAP directories are becoming the foundation for network operating systems and systems management. As shown here, you can use IBM i support of LDAP in your network to simplify access to information.
