Introduction to LDAP
LDAP (Lightweight Directory Access Protocol) is a standard protocol allowing directories to be managed, i.e. access information bases on the users of a network using TCP/IP protocols.
The information bases are generally related to the users, but are sometimes used for other purposes such as managing a company's hardware.
The aim of the LDAP protocol, developed in 1993 by the University of Michigan, was to replace the DAP protocol (used to access X.500 directory services by OSI) by integrating according to TCP/IP. From 1995, DAP became a standalone LDAP so that it was no longer used only to access X500 type directories. LDAP is thus a lighter version of the DAP protocol, hence its name of Lightweight Directory Access Protocol.
Presentation of LDAP
The LDAP protocol defines the method of accessing data on the server at client level, and not the manner in which the information is stored.
LDAP protocol is currently at version 3 and has been standardized by the IETF (Internet Engineering Task Force). So, there is a RFC for each version of LDAP, making up a reference document:
So LDAP supplies the user with methods enabling him to:
- search for information
- compare information
- insert entries
- change entries
- delete entries
Furthermore, LDAP protocol (in version 3) offers encryption (SSL, ...) and authentication mechanisms allowing secure access to information stored in the base.
Information tree structure (DIT)
LDAP presents information in the form of a hierarchical tree structure called a DIT (Directory Information Tree), in which the information, called entries (or even DSE, Directory Service Entry), is represented in branches.
A branch located at the root of a branch is called the root entry.
Each entry in the LDAP directory relates to an abstract or real object (for example a person, a piece of hardware, parameters, etc.).
Each entry is made up of a collection of key/value pairs called attributes.
Each entry is made up of a collection of attributes (key/value pairs) enabling the object that the entry defines to be distinguished. There are two types of attributes:
- Normal attributes: these are the usual attributes (surname, name, ...) distinguishing the object.
- Operational attributes: these are the attributes which only the server can access in order to manipulate the directory data (modification dates, etc,)
An entry is indexed by a distinguished name (DN) enabling an item in the tree structure to be uniquely identified.
A DN consists of taking the name of the element, called the Relative Distinguished Name (RDN, i.e. the path of the entry in relation to its parents), and adding the entire name of the parent entry to it.
It is a question of using a series of key/value pairs making it possible to uniquely locate an entry. Here is a series of keys which are generally used:
- uid (userid), this is a compulsory unique ID
- cn (common name), this is the person's name
- givenname, this is the person's first name
- sn (surname), this is the person's surname
- o (organization), his is the person's company
- u (organizational unit), this is the department of the company in which the person works
- mail, this is the email address of the person (of course)
So a Distinguished Name will take the form:
Le Relative Distinguished Name étant ici "uid=jeapil".
Thus, the collection of object and attribute definitions that a LDAP server can manage is called a schema. This makes it possible, for example to define if an attribute can posses one or several values. Furthermore, an attribute called objectclass makes it possible to define whether attributes are compulsory or optional...
LDAP provides a collection of functions (procedures) to carry out queries on the data in order to search for, change and delete entries in the directories.
Here is the list of the main operations that LDAP can perform:
|Abandon||Abandon the previous operation sent to the server|
|Add||Add an entry to the directory|
|Bind||Start a new session on the LDAP server|
|Compare||Compare the entries in a directory according to the criteria|
|Delete||Delete an entry from a directory|
|Extended||Carry out extended operations|
|Rename||Change the name of an entry|
|Search||Search for entries in a directory|
|Unbind||End a new session on the LDAP server|
LDAP data interchange format
LDAP provides a data interchange format (LDIF, Lightweight Data Interchange Format) allowing data to be imported and exported from a directory using a simple text file. The majority of LDAP servers support this format, which allows great interoperability between them.
The syntax for this format is as follows:
[<id>] dn: <distinguished name> <attribute>: <value> <attribute>: <value> ...
In this file, id is optional, it is a positive whole number allowing the entry in the database to be identified.