infoCopter.com
retoh's Online Repository for myself and other Web Geeks

LDAP Glossary


What Is LDAP?

LDAP stands for Lightweight Directory Access Protocol and is a directory service protocol that runs over TCP/IP. This section gives an overview of LDAP from a user's perspective.

What Kind of Information Can Be Stored in the Directory?

The LDAP directory service model is based on entries. An entry is a collection of attributes that has a name, called a distinguished name (DN). The DN is used to refer to the entry unambiguously. Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like "cn" for common name, or "mail" for email address. The values depend on what type of attribute it is. For example, a "mail" attribute might contain the value "babs@umich.edu". A jpegPhoto attribute would normally contain a photograph in binary JPEG/JFIF format.

How Is the Information Arranged?

In LDAP, directory entries are arranged in a hierarchical tree-like structure that reflects political, geographic and/or organizational boundaries. Entries representing countries appear at the top of the tree. Below them are entries representing states or national organizations. Further down there might be entries representing people, organizational units, printers, documents, or just about anything else you can think of. Figure 1 shows an example LDAP directory tree to make this clearer.

Figure 1: A typical LDAP directory tree (image "Simple LDAP Tree" not reproduced here).

In addition, LDAP allows you to control which attributes are required and allowed in an entry through the use of a special attribute called objectclass. The values of the objectclass attribute determine the schema rules the entry must obey.

How Is the Information Referred to?

An entry is referred to by its distinguished name, which is composed of the entry's name itself (called the relative distinguished name, or RDN) and concatenated names of its ancestor entries. For example, the entry for Barbara Jensen in the chart above has an RDN of "cn=Barbara J Jensen" and a DN of "cn=Barbara J Jensen, o=U of M, c=US". The complete DN format is described in RFC 1779, called "A String Representation of Distinguished Names."

How Is the Information Accessed?

LDAP defines operations for interrogating and updating the directory. Operations are provided for adding and deleting an entry from a directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory to be searched for entries that match criteria specified by a search filter. Information can be requested from each entry that matches the criteria. For example, you might want to search the entire directory subtree below the University of Michigan for people with the name 'Barbara Jensen', retrieving the email address of each entry found. LDAP lets you do this quite easily. Or you might want to search the entries directly below the c=US entry for organizations with the string "Acme" in their name that have a fax number. LDAP handles this kind of task just as easily. The next section describes in more detail some other useful things you can do with LDAP.
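The two searches just described, and the DN/RDN naming from the previous section, as a small in-memory model. This is an added example, not code from the original page: it keeps a constructed directory shaped like the tree in Figure 1, splits DNs into RDNs (honouring backslash-escaped commas), applies the base/one/sub search scopes, and evaluates RFC 4515-style filters with the &, |, ! operators and the equality, presence and substring forms. The entry data, the `facsimileTelephoneNumber` values and the case-insensitive matching are assumptions made for the example.

```python
"""In-memory model of an LDAP search: entries named by DNs, a search scope and
a filter. Added example code, not part of the original page."""
import re

# Constructed sample directory modelled on Figure 1 (DNs in the comma-separated
# string form, most specific RDN first). Values are illustrative only.
DIRECTORY = {
    "c=US": {"objectClass": ["country"], "c": ["US"]},
    "o=U of M,c=US": {"objectClass": ["organization"], "o": ["U of M"]},
    "o=Acme Widgets,c=US": {"objectClass": ["organization"], "o": ["Acme Widgets"],
                            "facsimileTelephoneNumber": ["+1 555 0100"]},
    "o=Acme Foods,c=US": {"objectClass": ["organization"], "o": ["Acme Foods"]},
    "cn=Barbara J Jensen,o=U of M,c=US": {"objectClass": ["person"],
        "cn": ["Barbara J Jensen", "Barbara Jensen"], "mail": ["babs@umich.edu"]},
    "cn=John Doe,o=U of M,c=US": {"objectClass": ["person"], "cn": ["John Doe"],
                                  "mail": ["jdoe@umich.edu"]},
}

def split_dn(dn):
    """Split a DN string into its RDN strings; a backslash escapes the next
    character, so 'cn=Doe\\, John,o=Acme' yields two RDNs, not three."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            rdns.append("".join(current).strip()); current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return rdns

def normalize_dn(dn):
    """Simplified DN normalisation (assumption): lower-case, no space after commas."""
    return ",".join(r.lower() for r in split_dn(dn))

def is_in_scope(entry_dn, base_dn, scope):
    """scope is 'base' (the base entry only), 'one' (its direct children) or
    'sub' (the base entry and everything below it)."""
    entry, base = split_dn(normalize_dn(entry_dn)), split_dn(normalize_dn(base_dn))
    if entry[-len(base):] != base:          # the entry is not under the base at all
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def parse_filter(text):
    """Parse a filter such as (&(o=*Acme*)(facsimileTelephoneNumber=*)) into a
    nested tuple. >=, <=, ~= and extensible matches are omitted for brevity."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data in filter")
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i); children.append(child)
        return (op, children), _expect(s, i, ")")
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", child), _expect(s, i, ")")
    j = s.index(")", i)                      # a literal ')' in a value must be escaped as \29
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def _expect(s, i, ch):
    if s[i] != ch:
        raise ValueError("expected %r at %d" % (ch, i))
    return i + 1

def _unescape(v):
    """Decode RFC 4515 \\XX hex escapes inside a filter value."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), v)

def matches(node, entry):
    kind = node[0]
    if kind == "&": return all(matches(c, entry) for c in node[1])
    if kind == "|": return any(matches(c, entry) for c in node[1])
    if kind == "!": return not matches(node[1], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":                          # presence filter
        return bool(values)
    parts = [_unescape(p) for p in value.split("*")]
    if len(parts) == 1:                       # equality, caseIgnore semantics assumed
        return any(v.lower() == parts[0].lower() for v in values)
    pattern = ".*".join(re.escape(p) for p in parts)   # substring filter
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def search(base_dn, scope, filter_text, attrs=None):
    """Return (dn, selected attributes) for every in-scope entry the filter matches."""
    node = parse_filter(filter_text)
    return [(dn, {k: v for k, v in e.items() if attrs is None or k in attrs})
            for dn, e in DIRECTORY.items() if is_in_scope(dn, base_dn, scope) and matches(node, e)]

if __name__ == "__main__":
    print(search("o=U of M, c=US", "sub", "(cn=Barbara Jensen)", ["mail"]))
    print(search("c=US", "one", "(&(o=*Acme*)(facsimileTelephoneNumber=*))", ["o"]))
```

The first call is the "Barbara Jensen below the University of Michigan" search and returns only her `mail` attribute; the second is the "Acme organizations with a fax number directly below c=US" search and, with the `one` scope, deliberately never descends to the people entries.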

How Is the Information Protected from Unauthorized Access?

Some directory services provide no protection, allowing anyone to view information. LDAP provides a method for clients to authenticate or prove their identity to a directory server, thus enabling substantial access control to protect the information the server contains.

Currently LDAP is considered to be the most popular protocol for providing directory services on the Internet.


Glossary

This glossary describes some professional terms widely used in this documentation as well as in other LDAP technology related texts.

Base DN

A DN used as a starting point of search. For example: ou=People, dc=OpenLDAP, dc=Org.

Control

LDAP controls are a way to extend LDAPv3 client and server functionality. For a more detailed description of LDAP controls, see RFC2251. A control consists of three fields:

  • Control OID;
  • Criticality flag;
  • Control data.

Both the client and the server can send controls as part of a request or its response.
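The three fields above on the wire. On the wire an LDAP control is a BER-encoded SEQUENCE of controlType (OID), criticality (BOOLEAN, default FALSE and then omitted) and an optional controlValue (OCTET STRING). This added example, not code from the original page, hand-rolls enough BER to encode and decode such a control; the Simple Paged Results control (OID 1.2.840.113556.1.4.319, value SEQUENCE { size INTEGER, cookie OCTET STRING }) is used as the concrete instance, and the page size of 100 is a constructed value.

```python
"""BER encoding/decoding of an LDAPv3 Control. Added example, not from the page."""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # Simple Paged Results control

def _length(n):
    """BER definite length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, later arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))   # continuation bit on all but the last byte
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def encode_integer(n):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_control(oid, criticality=False, value=None):
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue OPTIONAL }"""
    parts = encode_oid(oid)
    if criticality:
        parts += _tlv(0x01, b"\xff")              # BOOLEAN TRUE; FALSE is the default, so omitted
    if value is not None:
        parts += _tlv(0x04, value)
    return _tlv(0x30, parts)

def paged_results_value(page_size, cookie=b""):
    """controlValue of the paged-results control: SEQUENCE { size, cookie }."""
    return _tlv(0x30, encode_integer(page_size) + _tlv(0x04, cookie))

def _read_tlv(data):
    tag, first = data[0], data[1]
    if first < 0x80:
        length, start = first, 2
    else:
        count = first & 0x7F
        length, start = int.from_bytes(data[2:2 + count], "big"), 2 + count
    return tag, data[start:start + length], data[start + length:]

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # fine for first arcs 0 and 1
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def decode_control(data):
    """Pull the three fields back out of an encoded Control."""
    tag, body, rest = _read_tlv(data)
    if tag != 0x30 or rest:
        raise ValueError("not a single Control SEQUENCE")
    tag, oid_bytes, body = _read_tlv(body)
    if tag != 0x06:
        raise ValueError("controlType must be an OID")
    result = {"oid": decode_oid(oid_bytes), "criticality": False, "value": None}
    if body and body[0] == 0x01:
        _, flag, body = _read_tlv(body); result["criticality"] = flag != b"\x00"
    if body and body[0] == 0x04:
        _, val, body = _read_tlv(body); result["value"] = val
    return result

if __name__ == "__main__":
    ctrl = encode_control(PAGED_RESULTS_OID, True, paged_results_value(100))
    print(ctrl.hex())
    print(decode_control(ctrl))
```

Setting the criticality flag is what tells a server that does not understand the OID to refuse the operation (unavailableCriticalExtension) rather than silently ignore the control, which is the behaviour a client usually wants for anything that changes what the operation means.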

DIT

This is a hierarchical organization of entries that make up a directory. DIT stands for 'Directory Information Tree'.

DN

DN stands for 'distinguished name'. A distinguished name consists of a name that uniquely identifies the entry at that hierarchical level and a path of names that trace the entry back to the root of the tree. For example: uid=JohnDoe, ou=People, dc=company, dc=com.

DSA

An X.500 term for a directory server. DSA stands for 'Directory System Agent'.

DSE

An entry containing server-specific information. DSE stands for 'DSA-specific entry'. Each server has different attribute values for the DSE.

Filter

A search filter defines the rule that entries must satisfy to be returned by a search. The filter most often used as a default is (objectClass=*), which matches every entry.
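The characters *, (, ), \ and NUL have a meaning inside a filter, so a value that happens to contain them (or any value taken from untrusted input, such as a login form) must be escaped as backslash plus two hex digits (RFC 4515) before it is spliced into a filter; otherwise it is interpreted as filter syntax instead of being matched literally. This added example, not code from the original page, shows that escaping and a filter builder that uses it; the attribute and value strings are constructed.

```python
"""RFC 4515 escaping of values placed inside LDAP search filters.
Added example, not part of the original page."""

# Characters RFC 4515 requires to be escaped inside an assertion value.
_MUST_ESCAPE = "*()\\\x00"

def escape_filter_value(value):
    """Escape a value so it is matched literally inside a filter."""
    return "".join("\\%02x" % ord(ch) if ch in _MUST_ESCAPE else ch for ch in value)

def build_equality_filter(attribute, value):
    """(attribute=value) with the value escaped; nothing in value can alter the filter."""
    return "(%s=%s)" % (attribute, escape_filter_value(value))

def build_substring_filter(attribute, fragment):
    """(attribute=*fragment*): the two asterisks are filter syntax and stay,
    while any asterisk inside the fragment itself is escaped."""
    return "(%s=*%s*)" % (attribute, escape_filter_value(fragment))

def build_and_filter(*filters):
    return "(&%s)" % "".join(filters)

if __name__ == "__main__":
    # Constructed value that contains three metacharacters.
    print(build_equality_filter("o", "Acme (Widgets) *"))
    print(build_and_filter(build_substring_filter("o", "Acme"),
                           "(facsimileTelephoneNumber=*)"))
```

Escaping only applies to the value part; attribute names come from the schema and should never be taken from user input at all.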

objectClass

'objectClass' is a special entry attribute that defines which object classes the entry belongs to. Each of this attribute's values is an object class described in the server schema.

Operational Attributes

A special kind of attribute maintained by the LDAP server itself. For example, each entry carries information about who created and modified it, and when. Operational attributes are returned by the server only when they have been explicitly requested.

Referral

During a search, an LDAP server can return not only entry information but also a referral to another server that holds the requested information.

RDN

RDN stands for 'relative distinguished name': the leftmost component of a DN, which names the entry within its parent. For example, in uid=JohnDoe, ou=People, dc=company, dc=com the RDN is uid=JohnDoe.

Root DSE

An entry (a DSE) that is located at the root of DIT.

LDAP Server Schema

Definitions of object classes, attributes and matching rules supported by an LDAP server. All those definitions are placed into a special entry. You may obtain a DN of this entry by reading the subschemaSubentry attribute value of the Root DSE entry.

X.509

X.509 is one of the most popular digital certificate standards.

©1998-2004 infoCopter