Applications of LDAP

(apart from the obvious telephone books etc)

1. Authenticating other services

There is a simple way in which you can use LDAP for authenticating other services, using two steps:
  1. Connect to the LDAP server and perform a search to locate the DN of the client's entry
  2. Attempt to bind as that client, using the password provided by the client
If the bind attempt succeeds, you know that the client has successfully authenticated and can permit them to use the service. This has the advantage of hiding the authentication mechanism within the LDAP server itself - e.g. you don't care whether the password is stored as cleartext, or as a crypt() hash, or an MD5 hash, or whatever.
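
The two-step check above, as an added example that is not part of the original page. It also covers two cases the procedure leaves open: client input placed in the search filter is escaped (RFC 4515), and an empty password is refused before the bind. The `directory` object with its `search`/`bind` methods, the `FakeDirectory` stand-in and the sample entry are assumptions, constructed so the code runs without a server.

```python
import re

# RFC 4515 escapes for characters that are special inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape client input so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def authenticate(directory, username, password):
    """Search for the client's DN, then try to bind as that DN."""
    # A simple bind with an empty password is an unauthenticated bind
    # (RFC 4513, section 5.1.2) and may "succeed" without checking anything.
    if not username or not password:
        return False
    # Step 1: locate the DN of the client's entry.
    matches = directory.search("(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:  # unknown user, or an ambiguous match
        return False
    # Step 2: bind as that DN with the password the client provided.
    return directory.bind(matches[0], password)

class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (hypothetical API)."""
    def __init__(self, entries):
        self.entries = entries  # {dn: (uid, password)}

    def search(self, flt):
        # Supports only "(uid=<value>)"; a bare "*" is a wildcard as in LDAP.
        value = re.fullmatch(r"\(uid=(.*)\)", flt, re.S).group(1)
        def tok(m):
            if m.group(1):  # \xx escape: a literal character
                return re.escape(chr(int(m.group(1), 16)))
            return ".*" if m.group(0) == "*" else re.escape(m.group(0))
        pattern = re.sub(r"\\([0-9a-fA-F]{2})|\*|.", tok, value, flags=re.S)
        return [dn for dn, (uid, _) in self.entries.items()
                if re.fullmatch(pattern, uid, re.S)]

    def bind(self, dn, password):
        # Mimics a server that accepts empty-password binds.
        return password == "" or self.entries[dn][1] == password

# Constructed sample entry, not taken from the page.
FRED_DN = "uid=fred,ou=people,dc=example,dc=com"
DIRECTORY = FakeDirectory({FRED_DN: ("fred", "s3cret")})
```

With a real server, the same `authenticate` logic applies once `search` and `bind` are backed by an LDAP client library.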

E-mail servers

There are plugins available for qmail-pop3d and other POP3 servers to perform LDAP authentication in this fashion. If you combine this with a mail delivery agent which looks up users in LDAP to determine whether a mailbox exists, the entire mail system can be LDAP-controlled.

[Need some real examples here]

Radius

See Sun's Radius to LDAP mapping

2. Replacement for NIS

In other words, a central database which replaces all those /etc/passwd, /etc/group, /etc/hosts files (etc) that you have dotted around.

The standard way of doing this is documented in RFC 2307. There are some examples here.

See www.rage.net/ldap for information on the client software libnss and a brief HOWTO.

3. Mailing lists

Mailing lists can be incorporated in an LDAP database using the 'rfc822MailGroup' object.

I can't find an RFC which defines this, but you can find an attribute list in /usr/local/etc/openldap/slapd.oc.conf. As far as I can tell, the following mailing list:

  development: fred, jim, bob@example.com

would be represented by the following LDAP entry:

  dn: ...
  objectclass: top
  objectclass: rfc822MailGroup
  cn: development
  mail: fred
  mail: jim
  mail: bob@example.com

As an alternative schema, the migrate_aliases.pl script will turn /etc/aliases into nisMailAlias entries. There's also some information in the Sun SIMS documentation.

[Need a proper example of how to configure a mailer to expand these]