Understanding LDAP, ADAM and AD LDS
The domain controller is the server that responds to security authentication requests within the Windows Server domain. It controls user accounts and access control, and comprises two components: LDAP and ADAM.
LDAP
Lightweight Directory Access Protocol (LDAP) is a protocol for accessing information directories that hold entries such as organizations, individuals, phone numbers, and addresses. LDAP is a centralized and standardized system that automates network management of user data, security, and distributed resources. With LDAP, users can access resources anywhere on the network with a single logon. System administrators have a single point of administration for all objects on the network, which can be viewed in a hierarchical structure. LDAP also supports TCP/IP, which is necessary for any type of Internet access.
A typical LDAP server is a simple network-accessible database where an organization stores information about its authorized users and what privileges each user has. Thus rather than create an account for a new employee on 50 different computers, the new employee is entered into LDAP and granted rights to those 50 systems. If the employee leaves, revoking all privileges is as simple as removing one entry in the LDAP directory.
Why is LDAP important to IMPAX?
IMPAX is a web-delivered application, so it requires a method to allow user and preference information to be portable. Storing the information locally in configuration files or in a database does not allow enough flexibility in storing data for the application to be properly web delivered.
LDAP systems are optimized for reading, resulting in a high number of authentications per second, something that a typical database would not be able to match. With the web-deployed unified Client in IMPAX, it is very important for the authentication source to be scalable to many thousands of users, where many attempts to authenticate can occur each second. LDAP provides exactly the kind of centralized directory services that are required by organizations large and small.
In IMPAX, you can define a hierarchy of roles and users. All users belong to a role. Items such as licensing, permissions, and preferences are defined at a role level, and all users within that role inherit those settings. LDAP is the chosen technology for storing these settings along with user-related preferences. This ensures access to user and preference information no matter where the users may be located. All that is needed is a TCP/IP connection to the hospital’s servers.
ADAM/AD LDS
Active Directory Application Mode (ADAM) is the directory service on systems using Windows Server 2003, while Active Directory Lightweight Directory Service (AD LDS) is the directory service on systems using Windows Server 2008. ADAM/AD LDS and LDAP can operate concurrently within the same network, but ADAM/AD LDS serves the requirements of a specific application. Multiple instances of ADAM/AD LDS, each supporting a separate application, can run on a single ADAM/AD LDS installation.
There is a common framework for both the network operating system services of LDAP and the application services of ADAM/AD LDS. This means that an application with ADAM/AD LDS can use its own directory services, or it may be configured to work with an existing LDAP directory service. To increase application security, ADAM/AD LDS can use Windows security principals for authentication and access control.
How does IMPAX use ADAM/AD LDS?
IMPAX is an application that includes its own directory services. ADAM/AD LDS is installed on the Application Server, and is responsible for maintaining the IMPAX Client user login and privilege information. The Application Server must be configured to connect to the ADAM/AD LDS instance before IMPAX Clients can be connected. If the site already has a domain controller with LDAP, IMPAX can be connected to the external domain controller.
Topic number: 11134 Applies to: IMPAX 6.5.1 Application Server Knowledge Base