lightweight protocol for accessing directory services, specifically X.500-based directory
services. LDAP runs over TCP/IP or other connection-oriented transfer services. The nitty-gritty
details of LDAP are defined in RFC2251 "The Lightweight Directory Access Protocol (v3)" and
other documents comprising the technical specification RFC3377.
What kind of information can be stored in the directory? The LDAP information model is based
on entries. An entry is a collection of attributes that has a globally-unique Distinguished Name
(DN). The DN is used to refer to the entry unambiguously.
dn: relativeDomainName=domain1,dc=afnog,dc=org
objectClass: dNSZone
objectClass: zonePerson
relativeDomainName: domain1
zoneName: org
dNSClass: IN
proprietaire: CLIENT1
dateacquis: 20040604041800Z
validite: 20060605164000Z
technical-contact: ALAIN AINA
technical-contact: AIT, bangkok
technical-contact: Tel:+78123455678-Email:aalain@trstech.net
admin-contact: John CRAIN
admin-contact: ICANN
admin-contact: Tel:+2282255555 - Email: john@icann.org
dNSTTL: 7200
nSRecord: adjo.cafe.org.
nSRecord: ns.psg.com.
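The entry above is written in LDIF, the text form LDAP tools use to exchange entries. The following parser is an added example and is not code from the original text; it reads a constructed copy of that record (attribute names normalised to "attr: value" form, the contact attribute spelled technical-contact) into a DN plus a map of multi-valued attributes, and it also handles the LDIF details the record does not show: continuation lines, comments, base64 values and the file-URL form, which it refuses rather than follows.

```python
import base64

# Constructed sample: the page's own record, written in standard LDIF "attr: value" form.
SAMPLE_LDIF = """\
dn: relativeDomainName=domain1,dc=afnog,dc=org
objectClass: dNSZone
objectClass: zonePerson
relativeDomainName: domain1
zoneName: org
dNSClass: IN
proprietaire: CLIENT1
dateacquis: 20040604041800Z
validite: 20060605164000Z
technical-contact: ALAIN AINA
technical-contact: AIT, bangkok
technical-contact: Tel:+78123455678-Email:aalain@trstech.net
admin-contact: John CRAIN
admin-contact: ICANN
admin-contact: Tel:+2282255555 - Email: john@icann.org
dNSTTL: 7200
nSRecord: adjo.cafe.org.
nSRecord: ns.psg.com.
"""


def parse_ldif(text):
    """Parse LDIF records into a list of (dn, attrs).

    attrs maps the attribute name, lower-cased because LDAP attribute names are
    case-insensitive, to the list of its values in file order. Handles blank-line
    record separators, '#' comments, continuation lines (a leading space) and
    base64 values ('attr:: ...'). The URL form ('attr:< file://...') is rejected
    rather than followed, so a hostile LDIF file cannot make the parser read
    arbitrary local files.
    """
    # Unfold continuation lines first: a line beginning with one space extends the previous line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    records = []
    current = None  # [dn, attrs] of the record being built
    for line in logical:
        if not line.strip():
            if current is not None:
                records.append(tuple(current))
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed LDIF line: %r" % line)
        name = name.strip().lower()
        if value.startswith("<"):
            raise ValueError("URL-valued attribute not supported: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()  # the single space after ':' is optional in LDIF
        if name == "dn":
            if current is not None:
                records.append(tuple(current))
            current = [value, {}]
        elif current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        records.append(tuple(current))
    return records


def get_values(attrs, name):
    """Case-insensitive attribute lookup; missing attributes yield an empty list."""
    return attrs.get(name.lower(), [])


if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print("dn:", dn)
        for name, values in attrs.items():
            print("  %s: %s" % (name, values))
```

Multi-valued attributes such as nSRecord and technical-contact come back as lists in file order, which is what distinguishes an LDAP entry from a flat key/value record.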
How is the information arranged? In LDAP, directory entries are arranged in a hierarchical
tree-like structure. Traditionally, this structure reflected the geographic and/or organizational
boundaries. The tree may also be arranged based upon Internet domain names. This naming
approach is becoming increasingly popular as it allows for directory services to be located using
the DNS.
In addition, LDAP allows you to control which attributes are required and allowed in an entry
through the use of a special attribute called objectClass. The values of the objectClass
attribute determine the schema rules the entry must obey.
objectclass ( 1.1.2.2.2 NAME 'myPerson'
    DESC 'my person'
    SUP inetOrgPerson
    MUST ( myUniqueName $ givenName )
    MAY myPhoto )
attributetype ( 1.1.2.1.2 NAME 'myPhoto'
    DESC 'a photo (application defined format)'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
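To show what "the schema rules the entry must obey" means in practice, here is an added example (not code from the original text) that parses the two definitions above and checks entries against them: every MUST attribute, including those inherited through SUP, has to be present, nothing outside MUST and MAY is allowed, and a SINGLE-VALUE attribute may carry one value only. The definitions of top, person and inetOrgPerson are cut-down stand-ins constructed for this example (the real inetOrgPerson chain also passes through organizationalPerson and allows many more attributes); the parser covers only the keywords used here.

```python
import re

# Constructed schema text: the page's two definitions plus cut-down stand-ins for the classes
# 'myPerson' inherits from. Only what this example needs is kept.
SCHEMA_TEXT = """\
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.6 NAME 'person' SUP top
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ description ) )
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP person
    MAY ( mail $ displayName ) )
objectclass ( 1.1.2.2.2 NAME 'myPerson'
    DESC 'my person'
    SUP inetOrgPerson
    MUST ( myUniqueName $ givenName )
    MAY myPhoto )
attributetype ( 1.1.2.1.2 NAME 'myPhoto'
    DESC 'a photo (application defined format)'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
"""

# A keyword followed by a parenthesised '$'-separated list, a quoted name, or a bare name.
KEYWORD_RE = re.compile(r"\b(NAME|SUP|MUST|MAY)\s+(?:\(\s*([^)]*)\)|'([^']*)'|(\S+))")


def _names(group_paren, group_quoted, group_bare):
    """Normalise the three spellings of a name list to lower-case names."""
    if group_paren is not None:
        return [n.strip().lower() for n in group_paren.split("$") if n.strip()]
    return [(group_quoted if group_quoted is not None else group_bare).lower()]


def parse_schema(text):
    """Return (classes, single_valued): objectClass name -> {'sup', 'must', 'may'}, and the set
    of attribute names declared SINGLE-VALUE. Each definition starts at column 0."""
    classes, single_valued = {}, set()
    for chunk in re.split(r"\n(?=objectclass|attributetype)", text, flags=re.I):
        kind = chunk.split(None, 1)[0].lower()
        body = chunk[chunk.index("(") + 1:chunk.rindex(")")]
        fields = {"name": [], "sup": [], "must": [], "may": []}
        for m in KEYWORD_RE.finditer(body):
            fields[m.group(1).lower()].extend(_names(m.group(2), m.group(3), m.group(4)))
        if kind == "objectclass":
            classes[fields["name"][0]] = {"sup": fields["sup"], "must": set(fields["must"]),
                                          "may": set(fields["may"])}
        elif kind == "attributetype" and "SINGLE-VALUE" in body:
            single_valued.add(fields["name"][0])
    return classes, single_valued


def effective_schema(classes, object_classes):
    """Collect MUST and MAY over the entry's objectClass values and everything they inherit."""
    must, may, seen = set(), set(), set()
    todo = [c.lower() for c in object_classes]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        if name not in classes:
            raise ValueError("unknown objectClass %r" % name)
        must |= classes[name]["must"]
        may |= classes[name]["may"]
        todo.extend(classes[name]["sup"])
    return must, may


def validate_entry(attrs, classes, single_valued):
    """attrs: lower-cased attribute name -> list of values. Returns the list of violations."""
    try:
        must, may = effective_schema(classes, attrs.get("objectclass", []))
    except ValueError as exc:
        return [str(exc)]
    allowed = must | may
    errors = []
    for name in sorted(must):
        if not attrs.get(name):
            errors.append("missing required attribute %s" % name)
    for name in sorted(attrs):
        if name not in allowed:
            errors.append("attribute %s is not allowed by the entry's objectClasses" % name)
        if name in single_valued and len(attrs[name]) > 1:
            errors.append("attribute %s is SINGLE-VALUE but has %d values" % (name, len(attrs[name])))
    return errors
```

A server enforces exactly these checks on every add and modify, which is why a schema is also a defensive tool: an entry cannot be padded with attributes the administrator never intended to store.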
How is the information referenced? An entry is referenced by its distinguished name, which is
constructed by taking the name of the entry itself (called the Relative Distinguished Name or
RDN) and concatenating the names of its ancestor entries. The full DN format is described in
RFC2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of
Distinguished Names."
DN: relativeDomainName=domain1,dc=afnog,dc=org
How is the information accessed? LDAP defines operations for interrogating and updating the
directory. Operations are provided for adding and deleting an entry from the directory, changing
an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to
search for information in the directory. The LDAP search operation allows some portion of the
directory to be searched for entries that match some criteria specified by a search filter.
Information can be requested from each entry that matches the criteria.
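The search operation combines three things: a base entry with a scope (the entry itself, its children, or its whole subtree), a filter, and the list of attributes to return. The following added example (not code from the original text) implements that over a constructed in-memory directory containing the page's domain1 zone, a second zone and an administrator entry. The filter parser covers the common subset of RFC2254 syntax (and, or, not, equality, presence and substring) and resolves \XX escapes, so a value that merely contains '*' or ')' cannot change the shape of the filter; it assumes no escaped commas occur in the DNs it compares for scope.

```python
import re

# Constructed directory: a subtree under dc=afnog,dc=org with the page's domain1 entry,
# a second zone and an administrator. Attribute names are lower-cased.
DIRECTORY = {
    "dc=afnog,dc=org": {"objectclass": ["dcObject", "organization"], "dc": ["afnog"], "o": ["AFNOG"]},
    "relativeDomainName=domain1,dc=afnog,dc=org": {
        "objectclass": ["dNSZone", "zonePerson"], "relativedomainname": ["domain1"],
        "zonename": ["org"], "dnsclass": ["IN"], "proprietaire": ["CLIENT1"],
        "dnsttl": ["7200"], "nsrecord": ["adjo.cafe.org.", "ns.psg.com."]},
    "relativeDomainName=domain2,dc=afnog,dc=org": {
        "objectclass": ["dNSZone", "zonePerson"], "relativedomainname": ["domain2"],
        "zonename": ["org"], "dnsclass": ["IN"], "proprietaire": ["CLIENT2"], "dnsttl": ["3600"]},
    "cn=admin,dc=afnog,dc=org": {"objectclass": ["person"], "cn": ["admin"], "sn": ["admin"]},
}


def _unescape(s):
    """Resolve RFC 2254 \\XX escapes, so '*', '(' and ')' in data are matched literally."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_filter(text):
    """Parse the subset (&...), (|...), (!...), (attr=value), (attr=*), (attr=a*b*)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            subs = []
            while pos < len(text) and text[pos] == "(":
                subs.append(parse())
            expect(")")
            return (op, subs)
        if pos < len(text) and text[pos] == "!":
            pos += 1
            sub = parse()
            expect(")")
            return ("!", sub)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item in %r" % text)
        attr, sep, pattern = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError("bad filter item %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.strip().lower(), pattern)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters in filter %r" % text)
    return node


def matches(node, attrs):
    kind = node[0]
    if kind == "&":
        return all(matches(n, attrs) for n in node[1])
    if kind == "|":
        return any(matches(n, attrs) for n in node[1])
    if kind == "!":
        return not matches(node[1], attrs)
    _, attr, pattern = node
    values = attrs.get(attr, [])
    if pattern == "*":                       # presence filter
        return bool(values)
    pieces = [_unescape(p) for p in pattern.split("*")]
    if len(pieces) > 1:                      # substring filter: 'a*b' becomes regex a.*b
        rx = ".*".join(re.escape(p) for p in pieces)
        return any(re.fullmatch(rx, v, re.IGNORECASE) for v in values)
    return any(v.lower() == pieces[0].lower() for v in values)  # case-insensitive equality


def in_scope(dn, base, scope):
    """base / one / sub scope test; assumes no escaped commas in the DNs compared."""
    dn_l, base_l = dn.lower(), base.lower()
    if scope == "base":
        return dn_l == base_l
    if scope == "one":
        return "," in dn_l and dn_l.split(",", 1)[1] == base_l
    if scope == "sub":
        return dn_l == base_l or dn_l.endswith("," + base_l)
    raise ValueError("unknown scope %r" % scope)


def search(directory, base, scope, filter_text, attributes=None):
    """Return [(dn, attrs)] for in-scope entries matching the filter, with attrs restricted
    to the requested attribute list (None = all), as the LDAP search operation allows."""
    node = parse_filter(filter_text)
    results = []
    for dn, attrs in directory.items():
        if in_scope(dn, base, scope) and matches(node, attrs):
            if attributes is None:
                chosen = dict(attrs)
            else:
                chosen = {a.lower(): attrs[a.lower()] for a in attributes if a.lower() in attrs}
            results.append((dn, chosen))
    return results
```

The parse-then-match split mirrors how a server treats a filter: the structure is fixed before any value is compared, which is why escaping user input with \XX before it is placed in a filter string keeps a search restricted to what the application intended.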
How is the information protected from unauthorized access? Some directory services provide
no protection, allowing anyone to see the information. LDAP provides a mechanism for a client
to authenticate, or prove its identity to a directory server, paving the way for rich access control
to protect the information the server contains. LDAP also supports privacy and integrity security services.
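The two halves of that sentence, authentication and access control, fit together as follows. This added example (not code from the original text) models a bind that verifies a stored password and an access policy shaped like OpenLDAP's "access to ... by ... " directives, though the policy syntax is this example's own: the first clause whose attribute matches decides, and within it the first matching identity wins, with no match meaning no access. The directory and the password scheme (a PBKDF2-SHA256 value tagged with a constructed "{PBKDF2-SHA256}" prefix, not a standard LDAP scheme) are constructed for the example. Reading the page's zone entry anonymously and as the authenticated administrator shows the contact attributes appearing only in the second case.

```python
import hashlib
import hmac
import os

PBKDF2_TAG = "{PBKDF2-SHA256}"   # constructed storage format: tag + salt_hex + '$' + hash_hex


def store_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return "%s%s$%s" % (PBKDF2_TAG, salt.hex(), digest.hex())


def check_password(stored, candidate):
    if not stored.startswith(PBKDF2_TAG):
        return False
    salt_hex, _, hash_hex = stored[len(PBKDF2_TAG):].partition("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed directory: the page's zone entry plus an administrator account.
DIRECTORY = {
    "relativeDomainName=domain1,dc=afnog,dc=org": {
        "objectclass": ["dNSZone", "zonePerson"], "zonename": ["org"], "proprietaire": ["CLIENT1"],
        "technical-contact": ["ALAIN AINA", "Tel:+78123455678-Email:aalain@trstech.net"],
        "admin-contact": ["John CRAIN", "Tel:+2282255555 - Email: john@icann.org"],
        "nsrecord": ["adjo.cafe.org.", "ns.psg.com."]},
    "cn=admin,dc=afnog,dc=org": {
        "objectclass": ["person"], "cn": ["admin"], "sn": ["admin"],
        "userpassword": [store_password("correct horse battery staple")]},
}

# Access policy (example's own syntax): (attribute or '*', [(who, level), ...]).
# who: 'anonymous' (no bind), 'users' (any bound identity), 'self' (the entry's own DN), '*'.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
ACL = [
    ("userpassword", [("self", "write"), ("anonymous", "auth")]),  # usable for bind, never readable by others
    ("admin-contact", [("users", "read")]),
    ("technical-contact", [("users", "read")]),
    ("*", [("*", "read")]),                                         # everything else is public
]


def access_level(bound_dn, target_dn, attr):
    for attr_pattern, clauses in ACL:
        if attr_pattern != "*" and attr_pattern != attr:
            continue
        for who, level in clauses:
            if (who == "*" or (who == "anonymous" and bound_dn == "")
                    or (who == "users" and bound_dn != "")
                    or (who == "self" and bound_dn != "" and bound_dn == target_dn)):
                return LEVELS[level]
        return LEVELS["none"]                # matching clause, no matching identity
    return LEVELS["none"]


def bind(directory, dn, password):
    """Simple bind. '' with '' is anonymous. A non-empty DN with an empty password is refused,
    not downgraded to anonymous. Returns the identity the session acts as, or None."""
    if dn == "" and password == "":
        return ""
    entry = directory.get(dn)
    if entry is None or access_level("", dn, "userpassword") < LEVELS["auth"]:
        return None
    if any(check_password(stored, password) for stored in entry.get("userpassword", [])):
        return dn
    return None


def read_entry(directory, bound_dn, dn):
    """Return only the attributes the bound identity is allowed to read."""
    entry = directory[dn]
    return {attr: vals for attr, vals in entry.items()
            if access_level(bound_dn, dn, attr) >= LEVELS["read"]}
```

Note that the userPassword attribute is never returned to anyone but the entry itself, yet the 'auth' level still lets an anonymous client bind against it; separating "may authenticate with" from "may read" is the point of having access levels rather than a simple yes/no.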