The directory service of the open source world
OpenLDAP is the reference open source implementation of the LDAPv3 (Lightweight Directory Access Protocol) protocol. The project was founded in 1998 as an evolution of the LDAP code developed at the University of Michigan and provides a complete directory service for the centralised management of identities, credentials and access policies.
OpenLDAP 2.2, the release current at the time of writing, introduces significant improvements in performance, replication and storage backend flexibility. On Linux, FreeBSD and Solaris infrastructures, OpenLDAP is the component that centralises authentication where Active Directory is not present.
The data model: schema and DIT
An LDAP directory organises information in a hierarchical tree structure called the DIT (Directory Information Tree). Each node in the tree is an entry, uniquely identified by its DN (Distinguished Name) — for example, uid=jsmith,ou=people,dc=example,dc=com.
The schema defines the object classes and permitted attributes: an entry of type inetOrgPerson will contain attributes such as cn, mail, userPassword. The schema is extensible: organisations can define custom classes and attributes to model specific structures.
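The userPassword attribute mentioned above is normally stored not in clear but as a hash prefixed with its scheme, and slapd recomputes the hash on a simple bind to compare it. The Python below is an added example (it is not part of the original page nor OpenLDAP's own code) that reproduces the {SSHA} format written by slappasswd, base64 of a SHA-1 digest followed by a random salt, next to the unsalted {SHA} scheme, and shows why the salted form is the one to use. The four-byte salt length and the sample password are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME_SSHA = "{SSHA}"
SCHEME_SHA = "{SHA}"
SHA1_LEN = 20   # SHA-1 digest length in bytes
SALT_LEN = 4    # assumed: the salt length slappasswd uses by default


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: identical passwords always give identical values,
    so one cracked hash reveals every account sharing that password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SCHEME_SHA + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64( sha1(password + salt) + salt )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME_SSHA + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """What slapd does on a simple bind: recompute with the stored scheme
    and compare. Constant-time comparison avoids leaking the prefix length."""
    cand = candidate.encode("utf-8")
    if stored.startswith(SCHEME_SSHA):
        raw = base64.b64decode(stored[len(SCHEME_SSHA):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]   # salt is appended after the digest
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    if stored.startswith(SCHEME_SHA):
        raw = base64.b64decode(stored[len(SCHEME_SHA):])
        return hmac.compare_digest(raw, hashlib.sha1(cand).digest())
    # No scheme prefix: slapd treats the value as cleartext and compares the bytes.
    return hmac.compare_digest(stored.encode("utf-8"), cand)


if __name__ == "__main__":
    # Constructed sample: the same password stored twice with {SSHA} differs,
    # stored twice with {SHA} it does not.
    print(sha_hash("secret"), sha_hash("secret"))
    print(ssha_hash("secret"), ssha_hash("secret"))
    print(verify_userpassword(ssha_hash("secret"), "secret"))
```

The salt only defeats precomputed tables; SHA-1 itself is fast, so the value of userPassword still has to be kept away from anyone who is not the bind operation itself, which is what the directory's ACLs are for.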
The LDAP protocol is optimised for reads: directory services handle workloads where search operations outnumber write operations by orders of magnitude. This suits authentication, where every login is a search (to locate the user's entry) followed by a bind (to check its credentials), while credential changes are infrequent.
Backends and overlays
OpenLDAP separates the protocol engine from the storage system through a backend architecture. The default backend is BDB (Berkeley DB), which provides ACID transactions and crash recovery; 2.2 also adds HDB, a variant of BDB with a hierarchical layout that supports subtree renames. The older LDBM backend remains available but has neither transactions nor crash recovery, and the SQL backend maps the directory onto a relational database where the data already lives there.
Overlays are modules that insert themselves into the request processing pipeline, modifying server behaviour without altering the backend. Replication is a separate mechanism rather than an overlay: syncrepl is configured on the consumer's database with a syncrepl directive, and the consumer pulls changes from the provider over LDAP, the provider side being configured on the provider's database (in later releases through the syncprov overlay). In 2.2 this gives provider-consumer replication, alongside the older slurpd push replicator; multi-master replication arrived only in 2.4. The ppolicy overlay manages password policies (expiration, minimum length and history, account lockout after repeated failures) directly within the directory.
Centralised authentication
OpenLDAP’s primary use case is the centralisation of authentication. Operating systems, mail servers, web applications and VPNs can verify user credentials by querying a single directory, eliminating the duplication of accounts and passwords across different systems.
Integration is achieved through PAM (Pluggable Authentication Modules) on Unix systems, SASL for authentication mechanisms beyond the simple bind (DIGEST-MD5, GSSAPI for Kerberos, EXTERNAL for TLS client certificates) and application-specific modules for software such as Apache, Postfix and Squid. Native TLS support (StartTLS on the standard port, or ldaps) protects communications between client and server, securing credential transit across the network. This matters most for simple binds, which carry the password in cleartext inside the protocol: slapd's security directive can refuse binds that arrive without a minimum strength of protection. The directory's own ACLs then decide who may read what; the usual rule grants userPassword auth access, usable for binding, but no read access, so that even authenticated users cannot pull hashes for offline cracking.
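Most of the integrations listed above end up building an LDAP search filter, and often a bind DN, from a username typed by the user. The Python below is an added example, not code from this page or from OpenLDAP or any of the products named, showing the classic mistake of interpolating that input directly into the filter and the escaping defined by RFC 4515 (filter values) and RFC 4514 (DN values) that prevents it. The base DN, the uid attribute and the sample inputs are constructed for the example.

```python
# Assumed DIT, matching the DN example used earlier on this page.
BASE_DN = "ou=people,dc=example,dc=com"

# RFC 4515: these characters have meaning inside a filter and must be
# written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514: these characters must be backslash-escaped anywhere in an
# attribute value of a DN; a leading '#' or space and a trailing space too.
_DN_SPECIAL = set('",+;<>\\')


def escape_filter_value(value: str) -> str:
    """Make arbitrary text safe to embed as an assertion value in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Make arbitrary text safe to embed as an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(uid: str, safe: bool = True) -> str:
    """The lookup a PAM module or web application runs to find the entry
    to bind as. With safe=False the user's input becomes filter syntax."""
    if not safe:
        return "(uid=%s)" % uid
    return "(uid=%s)" % escape_filter_value(uid)


def build_bind_dn(uid: str) -> str:
    """DN an application might construct when binding directly as the user."""
    return "uid=%s,%s" % (escape_dn_value(uid), BASE_DN)


if __name__ == "__main__":
    # Constructed hostile input: closes the uid assertion and ORs in a wildcard,
    # so the unsafe filter no longer asks about one user at all.
    hostile = "*)(uid=*))(|(uid=*"
    print(build_search_filter(hostile, safe=False))
    print(build_search_filter(hostile))
    print(build_bind_dn("smith, j"))
```

The escaping handles the values only; the attribute names and the filter skeleton must stay fixed in the code, and the search should also be confined to the base DN and scope the application actually needs.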
In a heterogeneous infrastructure, OpenLDAP is the connective tissue of identity: a single management point for users, groups and permissions that crosses the boundaries between operating systems and applications.
