How LDAP is Used for Authentication and Authorization in Lion Server

By John Rizzo

In most modern network directories such as Mac OS X Lion Server, LDAP (Lightweight Directory Access Protocol) defines how clients communicate with the directory over TCP/IP networks. Computers use LDAP to read and edit information in LDAP-compatible directories. (The LDAP Data Interchange Format, LDIF, defines how data is stored in the LDAP database.)

The LDAP search base tells the client where to start looking for data within the directory — usually account information.

LDAP also has a role to play with the Password Server database. When you authenticate against a shared directory in Mac OS X Server, you’re telling LDAP who you are, but Password Server checks your password to verify your identity. Kerberos authentication does not use the Password Server.

Authentication proves who you are with your username and password credentials. Authorization is what you can do after authentication, such as accessing file sharing or viewing your e-mail inbox. Kerberos is an authentication protocol. LDAP can be used for both authentication and authorization.
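The three ideas above (a search base that scopes the lookup, a directory that establishes identity while a separate password store verifies the secret, and authorization as a check made only after authentication) are easier to see in code. The following is an added example, not code from the article or from Apple's Open Directory; it uses a constructed in-memory directory with the hypothetical suffix `dc=example,dc=com`, a constructed password table standing in for the Password Server, and a simplified DN parser that does not handle escaped commas.

```python
"""Toy model of LDAP search-base scoping, authentication and authorization."""
import hashlib
import hmac

# Constructed sample directory: DN -> attributes. Not taken from any real server.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "cn=users,dc=example,dc=com": {"objectClass": ["container"]},
    "cn=groups,dc=example,dc=com": {"objectClass": ["container"]},
    "uid=alice,cn=users,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,cn=users,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=filesharing,cn=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,cn=users,dc=example,dc=com"],
    },
}

# Constructed stand-in for the Password Server: uid -> salted PBKDF2 hash.
# The directory above deliberately holds no password material at all.
SALT = b"constructed-salt"  # fixed so the example is deterministic


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


PASSWORD_SERVER = {"alice": _hash("correct horse", SALT)}


def parse_dn(dn: str) -> tuple:
    """Split a DN into normalized RDNs, most specific first (simplified: no escapes)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def search(base_dn: str, scope: str = "sub") -> list:
    """Return DNs at or below base_dn; scope is 'base', 'one' or 'sub' as in LDAP."""
    base = parse_dn(base_dn)
    hits = []
    for dn in DIRECTORY:
        parts = parse_dn(dn)
        if parts[-len(base):] != base:  # not under the search base
            continue
        depth = len(parts) - len(base)
        if scope == "base" and depth != 0:
            continue
        if scope == "one" and depth != 1:
            continue
        hits.append(dn)
    return hits


def lookup(dn: str):
    """Fetch an entry by DN, tolerant of spacing and case differences."""
    wanted = parse_dn(dn)
    for stored_dn, attrs in DIRECTORY.items():
        if parse_dn(stored_dn) == wanted:
            return attrs
    return None


def authenticate(uid: str, password: str):
    """Step 1: LDAP says who the uid is. Step 2: the password store checks the secret.

    Returns the user's DN on success, None on any failure.
    """
    candidates = [
        dn for dn in search("cn=users,dc=example,dc=com", "one")
        if DIRECTORY[dn].get("uid") == [uid]
    ]
    if len(candidates) != 1:  # unknown or ambiguous identity
        return None
    stored = PASSWORD_SERVER.get(uid)
    if stored is None:
        return None
    # Constant-time comparison so a wrong guess does not leak timing information.
    if not hmac.compare_digest(stored, _hash(password, SALT)):
        return None
    return candidates[0]


def is_authorized(user_dn: str, service_group_dn: str) -> bool:
    """Authorization: membership in the group that gates a service (checked after authN)."""
    group = lookup(service_group_dn)
    if group is None:
        return False
    members = {parse_dn(m) for m in group.get("member", [])}
    return parse_dn(user_dn) in members


if __name__ == "__main__":
    who = authenticate("alice", "correct horse")
    print("authenticated as", who)
    print("file sharing allowed:", is_authorized(who, "cn=filesharing,cn=groups,dc=example,dc=com"))
```

Note that `authenticate` never consults the group entries and `is_authorized` never consults the password table: the directory answers "who is this?", the password store answers "did they prove it?", and only then does group membership answer "what may they do?". Narrowing the search base (for example to `cn=users,...`) limits which entries a client can even see, which is why choosing it carefully is a security decision as well as a performance one.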

The other directories that Open Directory is compatible with are also LDAP-compatible directories. These include Active Directory, eDirectory, and others.