Directory vs directory service vs naming service vs LDAP vs JNDI

Before I begin, I want to point out that the documentation of ApacheDS does a good job concisely explaining the concepts addressed here, the tutorial Naming and Directory Concepts is also handy. I am adding something extra to explain the concepts—an analogy. Besides, I also want to briefly talk about LDAP authentication and JNDI.

Contents

1. Directory
2. Directory service
3. Naming service
4. Lightweight Directory Access Protocol (LDAP)
   1. LDAP authentication
5. Java Naming and Directory Interface (JNDI)

Directory

Directory service

Naming service

So any directory service is also a naming service, but not vice-versa. DNS is the most known naming service that contains bindings between machine names and IP addresses. Another example is the naming service provided by a Jakarta EE server¹ to allow access by name to various resources.

Lightweight Directory Access Protocol (LDAP)

Nothing prevents existence of other vendor-specific protocols serving the same purpose. The situation of having a standard protocol is very different from what we have in the rest of the DBMS world, where each DBMS has its own protocol and a driver library (a client) implementing it (e.g., PostgreSQL JDBC Driver for PostgreSQL, Datastax Java Driver for Cassandra, MongoDB Java Drivers for MongoDB).

LDAP authentication

Since organizations often keep user records in a directory service, it is a natural idea to use it for authentication. There are two ways one can implement authentication in an application via LDAP (excluding other nonstandard ways of authentication a specific directory service may provide):

1. by using the bind operation that was specifically designed for this purpose (see also this specification for additional info about the authentication mechanisms provided by the bind operation);
2. by using the compare operation and comparing the provided and stored password hashes (salted hashing is incompatible with this approach, which makes the whole approach questionable).

Spring Security calls the former approach bind authentication (see also org.springframework.security.ldap.authentication.BindAuthenticator), and the latter one is called password authentication (see also org.springframework.security.ldap.authentication.PasswordComparisonAuthenticator).

Java Naming and Directory Interface (JNDI)

Usually, authentication is not the only thing that an application wants, and other interactions with a directory service may be required.

Both OpenJDK JDK and Oracle JDK have LDAP Naming Service Provider for JNDI which implements javax.naming.ldap.LdapContext (see also com.sun.jndi.ldap.LdapCtxFactory and LDAP and JNDI tutorial published by Oracle). Spring LDAP provides a JNDI facade org.springframework.ldap.core.LdapTemplate to simplify interactions with an LDAP server.

Unlike JDBC with its java.sql.Connection, JNDI does not expose connections and manages them under the hood. In some cases, one may want to be aware of the connection management and have some control over it. This connection management tutorial explains how to do so for the LDAP Naming Service Provider for JNDI.

DNS, being a naming service, can also be accessed via JNDI, and both OpenJDK JDK and Oracle JDK have DNS Service Provider for JNDI which implements javax.naming.directory.DirContext (see also com.sun.jndi.dns.DnsContextFactory).