2023/01/09
That a directory service doesn’t necessarily provide authentication: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/what-is-a-directory-service describes a directory service as a document database optimized for searches of a hierarchical (directory) tree.
[Directory] entries are arranged hierarchically in a tree that is structured geographically and organizationally. Global entries, such as countries/regions, reside at the top of the tree, followed by state or national organizations, then organizational units, people, devices, or anything else that might be represented in a directory.
A directory entry is represented by its entry name, or relative distinguished name (RDN), and by its distinguished name (DN). The DN uniquely identifies each entry on a global level, and is derived by concatenating the RDN of an entry with the RDN of each of its ancestor entries.
The LDAP API provides functions that allow LDAP client applications to search for and retrieve information from an LDAP directory server … There are also [LDAP APIs] that provide access control for servers, by allowing clients to authenticate themselves.
Binding is the step where the LDAP server authenticates the client and, if the client is successfully authenticated, allows the client access to the LDAP server based on that client’s privileges.
To summarize:
- a directory is an ontological tree of people, places, organizations, and phyiscal things
- LDAP is a protocol for searching a directory
- LDAP is used for access control (password-only authentication) if the human directory entries have passwords as an attribute.