LDAP? What is It? why do I need it? How can I use it?

[mossj]

I've noticed alot of web based programs harping on about LDAP and how I can make it so they use our AD Logins... Just one thing how?

Most of our web based programs (MRBS, JOOMLA, GALLERY2, LIMESURVEY, WIKI) are based on a external host, but our exchange box is internal, using AD with a fixed IP so presumably this is what will serve the LDAP. So can I actually use LDAP?

How do you do it, is it enabled by default? do I have to install something? Configure something? I've googled my a** off but can't find any of these basics

[Domino]

LDAP is lightweight directory authentication protocol, and it can be used to use active directory logons for a web app.

Theres a apache add in to allow it to be used, however, if you're talking about getting your externally hosted apps authenticated with it you're out of luck.

You'd need them to have access to your active directory structure on a domain controller, which you'd have to have a domain trust with your external provider to set up.

For internal stuff you can certainly use it - have a look at some of the docs on setting subversion to use ldap auth to get a feel of whats involved with Apache.

[Michael]

LDAP standards for Lightweight Directory Access Protocol and essentially allows applications to use SSO or Single Sign-On, so users use the same username and password as they would to logon to the domain.

LDAP needs to be written into the code of the applications you're using to support it. You can in theory authenticate over the web, however this would mean you'd have to setup your server as public facing, so it'd have to be kept right up-to-date security wise and hosted behind a hardware firewall.

[legsak1mbo]

It's a way of accessing objects and attributes within a directory. For instance many organisations use LDAP as an address book (you probably store email addresses in your Active Directory or equivalent).

Whilst you can perform LDAP connections over SSL (LDAPS) you'd be much better off hosting any LDAP integrated services internally.

[plexer]

I wouldn't think you don't need a domain trust with an outside provider to use ldap only if they were using ntlm or similar to authenticate against your ad.

LDAP looks up the username to see if it's valid and then tries to bind as that user if the bind is a success then the credentials are correct and valid.

Ben

[powdarrmonkey]

A powdarrmonkey analogy: LDAP is like a big phone book; it hold all sorts of information for some type of object, like a user. It's extendable, so you can add your own fields, but it can enforce permission too.

[srochford]

If you want externally hosted stuff to use LDAP to authenticate against your internal AD then you can use ADFS - brief excerpt:

"By employing ADFS, organizations can extend their existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.
ADFS is tightly integrated with Active Directory. ADFS retrieves user attributes from Active Directory, and it authenticates users against Active Directory. ADFS also uses Windows Integrated Authentication."