Lightweight Directory Access Protocol (LDAP)

Product Overview

The Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for accessing and modifying directory information across a network. This protocol is specifically targeted at management and browser applications that provide read/write interactive access to directories. When used with a directory supporting the X.500 Directory Access Protocol (DAP), it is intended to be a complement to the X.500 DAP.

Within the LDAP protocol, clients and servers exist. LDAP enables clients to access and modify directories stored on servers. The server side of LDAP is supported by many current directory products, including Microsoft Active Directory and directory products from Novell and Netscape. The client side of LDAP is supported on ClearPath MCP servers by an MCP Environment library, which is a private server library.

This library, titled *SYSTEM/LDAPSUPPORT (referenced in this guide as LDAPSUPPORT), enables MCP Environment programs to access and modify directory information stored in network directories that support LDAP.

General Features

Authentication Models

The LDAP protocol provides for three authentication models: anonymous authentication, clear text password authentication, and Simple Authentication and Security Layer (SASL) authentication. One variant of SASL authentication is Kerberos V5 authentication encapsulated in Generic Security Service (GSS). Microsoft Active Directory supports this particular variant of SASL authentication.

The ClearPath MCP implementation of the LDAP protocol supports all three of these authentication models, using GSS-encapsulated Kerberos for SASL authentication.
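To make the three authentication models concrete, the following added example (not part of the LDAPSUPPORT library or any Unisys product; every function name here is this example's own) BER-encodes the RFC 2251 BindRequest for each model by hand. It shows that an anonymous bind is a simple bind with an empty name and empty credentials, that a clear-text simple bind places the password verbatim in an OCTET STRING on the wire, and how a SASL bind instead carries a mechanism name ("GSSAPI" is assumed here for the Kerberos-in-GSS variant) plus an opaque token. The `password_visible_in_pdu` check is a defender-side illustration of why the clear-text model needs a protected transport.

```python
# Added example: hand-encodes RFC 2251 BindRequest PDUs with BER so the three
# authentication models can be compared byte for byte. This is illustration
# code, not the LDAPSUPPORT library; all names here are this example's own.
from typing import Optional


def _ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _integer(n: int) -> bytes:
    """BER INTEGER for non-negative values (messageID, protocol version)."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def bind_request(message_id: int, name: str, *,
                 password: Optional[bytes] = None,
                 sasl_mechanism: Optional[str] = None,
                 sasl_credentials: Optional[bytes] = None) -> bytes:
    """Build an LDAPMessage carrying a BindRequest (RFC 2251 section 4.2).

    anonymous : name="" and no password   (simple auth with empty credentials)
    simple    : name=<DN>, password=<clear text>; the password is sent as-is
    SASL      : sasl_mechanism="GSSAPI", sasl_credentials=<GSS token>
    """
    if sasl_mechanism is not None:
        # AuthenticationChoice sasl [3] SaslCredentials SEQUENCE {
        #     mechanism OCTET STRING, credentials OCTET STRING OPTIONAL }
        sasl = _tlv(0x04, sasl_mechanism.encode("ascii"))
        if sasl_credentials is not None:
            sasl += _tlv(0x04, sasl_credentials)
        auth = _tlv(0xA3, sasl)            # context tag [3], constructed
    else:
        # AuthenticationChoice simple [0] OCTET STRING (context tag [0], primitive)
        auth = _tlv(0x80, b"" if password is None else password)
    bind = _integer(3) + _tlv(0x04, name.encode("utf-8")) + auth
    protocol_op = _tlv(0x60, bind)         # [APPLICATION 0] BindRequest
    return _tlv(0x30, _integer(message_id) + protocol_op)   # LDAPMessage SEQUENCE


def password_visible_in_pdu(pdu: bytes, password: bytes) -> bool:
    """Detection-oriented check: a simple bind carries its password verbatim."""
    return password in pdu


if __name__ == "__main__":
    # Constructed sample values; the DN and password are not real credentials.
    print(bind_request(1, "").hex())                               # anonymous
    simple = bind_request(2, "cn=admin,dc=example,dc=com", password=b"s3cret")
    print(simple.hex(), password_visible_in_pdu(simple, b"s3cret"))
    print(bind_request(3, "", sasl_mechanism="GSSAPI",
                       sasl_credentials=b"\x60\x00").hex())        # SASL (token constructed)
```

The anonymous bind is 14 bytes and consists of nothing but tags, lengths, the version and an empty name and credential; the simple bind differs only in that the context-tag-0 OCTET STRING now holds the password in the clear, which is the property a network capture would expose.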

Limitations

LDAP functionality on ClearPath MCP servers supports only LDAP as defined by RFCs 2251 and 2254. Numerous other RFCs provide information needed for full utilization of LDAP, but the ClearPath MCP implementation limits the support for those RFCs as follows:

  • RFC 2252 defines how to parse and interpret attribute value fields of schema entries. The LDAPSUPPORT library simply passes attribute values to the LDAP server without parsing or interpreting the values. Therefore, MCP Environment programs must include their own logic to process attribute value fields in accordance with RFC 2252.

  • The LDAPSUPPORT library simply translates Distinguished Names to and from UTF-8 format. It does not parse them for certain characters such as commas and escape sequences that are allowed by RFC 2253. Programs that invoke LDAPSUPPORT must handle these characters in accordance with RFC 2253 before invoking LDAPSUPPORT.

  • URLs defined by RFC 2255 are not supported by LDAPSUPPORT because of authentication issues. RFC 2255 is nonspecific about what credentials to use when establishing an LDAP session to process a URL that complies with the format rules of RFC 2255.

  • References returned from directory searches are simply passed back through the LDAPSUPPORT library to the program that requested the search. LDAP servers return such references as RFC 2255 format URLs, which are therefore not supported by LDAPSUPPORT, as previously described.
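Because LDAPSUPPORT does not parse Distinguished Names for the special characters and escape sequences of RFC 2253, the calling program has to apply that escaping itself before handing a DN to the library. The following added example (illustration code written for this page, not part of LDAPSUPPORT or of any Unisys product; all function names are this example's own) implements the RFC 2253 section 2.4 rules: it escapes attribute values, composes a DN from attribute/value pairs, splits a DN only on unescaped commas, and reverses the escaping including hex-encoded UTF-8 bytes. The `split_dn` comparison at the bottom shows the practical consequence: a user-supplied value containing a comma would otherwise add an RDN to the DN.

```python
# Added example: RFC 2253 section 2.4 escaping for string Distinguished Names,
# the step the page says programs must perform before calling LDAPSUPPORT.
# Illustration code only; none of these names belong to the LDAPSUPPORT library.
import string

_SPECIAL = set(',+"\\<>;')     # must be backslash-escaped anywhere in a value
_HEX = set(string.hexdigits)


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a string DN.

    Rules (RFC 2253 section 2.4): backslash-escape , + " \\ < > ; anywhere,
    '#' or a space at the start, a space at the end. Control characters are
    hex-escaped as \\XX per UTF-8 byte, which the RFC also permits.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("".join("\\%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns) -> str:
    """Compose a string DN from (attribute type, raw value) pairs, most specific first."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def split_dn(dn: str):
    """Split a string DN into its RDN strings on commas that are not escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])        # keep the escape pair intact
            i += 2
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    parts.append("".join(cur))
    return parts


def unescape_rdn_value(escaped: str) -> str:
    """Inverse of escape_rdn_value; consecutive \\XX pairs decode as one UTF-8 run."""
    out, raw, i = [], bytearray(), 0

    def flush():
        if raw:
            out.append(raw.decode("utf-8"))
            raw.clear()

    while i < len(escaped):
        if escaped[i] != "\\":
            flush()
            out.append(escaped[i])
            i += 1
        elif i + 2 < len(escaped) and escaped[i + 1] in _HEX and escaped[i + 2] in _HEX:
            raw.append(int(escaped[i + 1:i + 3], 16))
            i += 3
        elif i + 1 < len(escaped):
            flush()
            out.append(escaped[i + 1])
            i += 2
        else:
            raise ValueError("dangling backslash in DN value")
    flush()
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a display name containing a comma, as a user might type it.
    user_input = "Smith, John"
    safe_dn = build_dn([("cn", user_input), ("ou", "Sales"), ("dc", "example"), ("dc", "com")])
    naive_dn = f"cn={user_input},ou=Sales,dc=example,dc=com"
    print(safe_dn, len(split_dn(safe_dn)))     # 4 RDNs
    print(naive_dn, len(split_dn(naive_dn)))   # 5 RDNs: the comma became structure
```

The escaped form keeps the name as a single RDN value, whereas the unescaped form silently changes the shape of the DN that reaches the server; the same split-on-unescaped-comma logic is what a program needs when it receives DNs back from the library and wants to inspect their components.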

The LDAPSUPPORT library that enables LDAP functionality on ClearPath MCP servers

  • Requires no special privileges because it is a private server library.

  • Provides entry points to construct and send LDAP requests to LDAP servers.

  • Provides translation between UTF-8 and local EBCDIC according to translations available from CENTRALSUPPORT.

  • Can be declared and invoked by ALGOL, COBOL, and C programs.

  • Allows multiple LDAP sessions if multiple declarations of the library are made in the program.

Ordering Information

LDAP is included as part of the operating environment. Source code is not available for this product.

Product Information

Refer to the following documents for more information:

  • Client/Server Applications Development Guide (4310 3274)

  • Lightweight Directory Access Protocol (LDAP) Programming Guide (4310 9438)

Information on LDAP is also available from sources external to Unisys. Books that provide detailed information about implementing LDAP and about programming directory-enabled applications are available at bookstores and on booksellers' Web sites. Additionally, groups such as the Internet Engineering Task Force (IETF) and the Internet FAQs Consortium post Requests for Comments (RFCs) that describe various protocols and features of LDAP.