So what is an LDAP database, anyway?

I’ve been talking a lot about LDAP here lately; as I promised, here’s more of an explanation.

LDAP stands for “Lightweight Directory Access Protocol”, which I’m sure makes it perfectly understandable right there (just kidding!). Strictly speaking, there isn’t any such thing as “an LDAP database”; any database could work, provided that it is tuned for very fast retrieval of information and can be accessed using the standardized methods of LDAP. It is these standard methods that make LDAP special, and the data retrieval speed that makes it useful.

Because computers can’t do magic, a database has to give up something else in order to get very fast retrieval speeds; databases that work with LDAP generally sacrifice speed of updates. This is not really much of a problem since LDAP is designed to work with data that is not constantly changing. LDAP is ideal for storing lists of objects where each object has similar pieces of information that don’t change very often; for instance, all user accounts have a username, password, first and last name, ID number, email address, telephone number, etc. That’s where the name comes from:
Lightweight – it is quicker and easier to use than previous methods.
Directory – it works with information stored in lists, much like a phone directory.
Access – its primary purpose is to access data as opposed to changing it.
Protocol – it is a standard set of methods.
We use our LDAP database mainly to store user account information. Originally, only our email server stored accounts in the LDAP database, but as part of the migration, we are consolidating most of our user accounts for various systems into a few LDAP databases that synchronize with each other. Because LDAP provides standard methods to access data, many different programs and systems can use the same database of user accounts. This is what enables us to use the same password for email, network, FTP, forums, and other systems; they all refer to the LDAP database to check your password and other information.
LDAP provides good security as well: your password is stored in encrypted (one-way hashed) form, so that even we can’t see it; the server can only check whether a password you supply matches the stored value. That is why our account lookup system can only change your password, not tell you what it is. Note that this system also depends on your ID number being stored in the LDAP database, in order to verify that you are the owner of the account. A few people still don’t have their numbers in the system, so if you try the account lookup and it doesn’t recognize you, please contact the UCS service request desk with your name and ID number so we can get your account fixed.
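To make concrete what “they all refer to the LDAP database to check your password” means, here is an added example in Python (not part of the original post, and not WOU’s code): a user entry written in LDIF form with the kinds of attributes listed above, a password stored in the salted-hash {SSHA} form that OpenLDAP uses, and the check a login system performs against it. The {SSHA} scheme, the attribute names and every sample value are assumptions made for the example.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os

def make_ssha(password: str, salt: bytes | None = None) -> str:
    """Hash a password the way OpenLDAP's {SSHA} scheme stores it:
    base64(SHA1(password + salt) + salt), prefixed with the scheme tag."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value. The stored
    value cannot be reversed; we can only hash the candidate and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digests are 20 bytes
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)  # constant-time compare

def parse_ldif(text: str) -> dict[str, list[str]]:
    """Minimal LDIF reader for one entry: 'attr: value' lines into a dict of
    value lists (LDAP attributes are multi-valued). No folding or base64."""
    entry: dict[str, list[str]] = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry

# Constructed sample entry (assumed attribute names and values). The hash is
# generated here with a fixed salt so the example is reproducible.
FIXED_SALT = b"01234567"
SAMPLE_LDIF = f"""
dn: uid=jdoe,ou=people,dc=example,dc=edu
uid: jdoe
givenName: Jane
sn: Doe
employeeNumber: 930012345
mail: jdoe@example.edu
telephoneNumber: 555-0100
userPassword: {make_ssha("correct horse", FIXED_SALT)}
"""

def authenticate(entry: dict[str, list[str]], uid: str, password: str) -> bool:
    """What an LDAP-backed login does: find the entry by uid, then test the
    supplied password against the stored hash (an LDAP 'simple bind')."""
    if entry.get("uid") != [uid]:
        return False
    return any(check_ssha(pw, password) for pw in entry.get("userPassword", []))
```

Note that the LDIF text never contains the clear-text password; a directory administrator who dumps the entry sees only the {SSHA} value.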
LDAP makes our jobs as system administrators easier, too; before, we had to create multiple accounts for every new person that came onto campus, but now things are much simpler. We don’t have to set up a separate login system for every web-database application anymore, since our Oracle database server can access the LDAP database for logins. And we don’t have to ask you quite as many questions if there’s some sort of login problem, because there are fewer user databases where a problem might exist.
As time goes by, more and more systems will be converted to use LDAP; for instance, this blog server, the purchase request system, and the Physical Plant service request system. Also, when we roll out our new WOU portal, it will also use the LDAP database, so you won’t have to create a new account and remember a new password in order to use it.
Hopefully this has cleared things up a bit! If you want to know more, please contact me or comment on this entry. As usual, Wikipedia has more, in this article.
