LDAP – Lightweight Directory Access Protocol
Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email clients and other programs use to look up information on a server. LDAP presents a set of objects with attributes, organized in a logical, hierarchical manner. In its early stages LDAP was known as the Lightweight Directory Browsing Protocol; it was renamed when the scope of the protocol expanded beyond directory browsing and searching to include directory update operations.

For example, a telephone directory consists of a list of names arranged alphabetically, with each name having a phone number and an address associated with it.
The protocol was originally created by Tim Howes of the University of Michigan, Wengyik Yeong of Performance Systems International and Steve Kille of Isode Limited, circa 1993. The current version is LDAPv3, specified in a series of Internet Engineering Task Force (IETF) documents, and further development continues through the IETF.
Protocol Overview
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389. The client then sends operation requests to the server, and the server sends responses in return.
The client may request the following operations:
- StartTLS – use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
- Bind – authenticate and specify the LDAP protocol version
- Search – search for and retrieve directory entries
- Compare – test whether the named entry contains a given attribute value
- Add – add a new entry
- Delete – delete an entry
- Modify – modify an entry
- Modify Distinguished Name – move or rename an entry
- Abandon – abort a previous request
- Extended operation – generic operation used to define other operations
- Unbind – close the connection
Directory structure
- A directory is a tree of directory entries.
- An entry consists of a set of attributes.
- An attribute has a name (an attribute type defined in the schema) and one or more values.
- Each entry has a unique identifier, its Distinguished Name (DN).
Represented in the LDAP Data Interchange Format (LDIF), an entry can look like this:
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
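As an added example (not code from the original page), here is a small parser for the LDIF format shown above, written against the Python standard library only. It covers the subset of RFC 2849 the entry uses (attr: value lines, multi-valued attributes) plus two features real directory exports rely on: base64 values (attr:: value) and folded lines that continue with a leading space. The sample LDIF it embeds is constructed from the page's entry, with a folded description line and a base64 placeholder value added to exercise those paths.

```python
"""Minimal LDIF (RFC 2849 subset) parser; added example, standard library only."""
import base64
from typing import Dict, List

# Constructed sample: the page's entry plus a folded description line and
# a base64 value (a placeholder, not a real credential hash).
SAMPLE_LDIF = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
description: a long line that is folded
  across two physical lines
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
"""

Entry = Dict[str, List[str]]  # attribute name -> list of values (multi-valued)


def unfold(text: str) -> List[str]:
    """Join continuation lines (those starting with one space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # drop the single fold space, keep the rest
        else:
            lines.append(raw)
    return lines


def parse_entry(lines: List[str]) -> Entry:
    """Parse one record's logical lines into an attribute map."""
    lines = [ln for ln in lines if not ln.startswith("#")]   # skip LDIF comments
    if not lines or not lines[0].lower().startswith("dn:"):
        raise ValueError("an LDIF entry must begin with a dn line")
    attrs: Entry = {}
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):          # attr:: base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):        # attr:< file URL; not supported here
            raise ValueError(f"URL-valued attribute not supported: {name}")
        else:
            value = rest.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF text into records (separated by blank lines) and parse each."""
    entries: List[Entry] = []
    block: List[str] = []
    for line in unfold(text) + [""]:      # sentinel flushes the last record
        if line.strip():
            block.append(line)
        elif block:
            entries.append(parse_entry(block))
            block = []
    return entries


def has_object_class(entry: Entry, name: str) -> bool:
    """Local analogue of the Compare operation for objectClass (case-insensitive)."""
    return name.lower() in {v.lower() for v in entry.get("objectClass", [])}


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0])
        for attr, values in entry.items():
            if attr != "dn":
                print(f"  {attr}: {values}")
```

Multi-valued attributes such as telephoneNumber and objectClass come back as lists in the order they appear, and the dn is kept as an ordinary attribute so the record can be handed to an Add or Modify operation as-is.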
LDAP URL format:
ldap://host:port/DN?attributes?scope?filter?extensions
For example, “ldap://ldap.example.com/cn=John%20Doe,dc=example,dc=com” refers to all user attributes in John Doe’s entry on ldap.example.com, while “ldap:///dc=example,dc=com??sub?(givenName=John)” searches the default server for entries under dc=example,dc=com (subtree scope) whose givenName is John.
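As an added example (not code from the original page), the following Python parses and rebuilds URLs in the format above according to RFC 4516, applying its defaults: an empty host means the client's default server, a missing attribute list means all user attributes, a missing scope means base, and a missing filter means (objectClass=*). It also escapes filter assertion values per RFC 4515, so that a value such as Jo* is matched literally rather than changing the filter's structure. It uses the standard library only; IPv6 host literals are not handled.

```python
"""LDAP URL (RFC 4516) parser/builder with RFC 4515 filter escaping; added example."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import quote, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = {"base", "one", "sub"}
DEFAULT_FILTER = "(objectClass=*)"


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]          # None = default server (ldap:///...)
    port: int
    dn: str                      # search base, percent-decoded
    attributes: List[str]        # [] = all user attributes
    scope: str                   # base | one | sub
    search_filter: str
    extensions: List[str] = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split ldap[s]://host:port/DN?attributes?scope?filter?extensions into parts."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an ldap/ldaps URL: {url!r}")
    hostport, _, path = rest.partition("/")
    host: Optional[str] = None
    port = DEFAULT_PORTS[scheme]
    if hostport:
        host, _, port_text = hostport.partition(":")
        host = host or None
        if port_text:
            port = int(port_text)
            if not 0 < port < 65536:
                raise ValueError(f"port out of range: {port}")
    fields = path.split("?")              # DN, attributes, scope, filter, extensions
    if len(fields) > 5:
        raise ValueError("too many '?'-separated fields")
    fields += [""] * (5 - len(fields))    # absent fields take their RFC 4516 default
    dn, attrs, scope, filt, exts = fields
    scope = unquote(scope).lower() or "base"
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    return LdapUrl(
        scheme=scheme, host=host, port=port, dn=unquote(dn),
        attributes=[unquote(a) for a in attrs.split(",") if a],
        scope=scope,
        search_filter=unquote(filt) or DEFAULT_FILTER,
        extensions=[unquote(e) for e in exts.split(",") if e],
    )


def build_ldap_url(u: LdapUrl) -> str:
    """Inverse of parse_ldap_url; omits trailing fields that carry their default."""
    authority = ""
    if u.host:
        authority = u.host if u.port == DEFAULT_PORTS[u.scheme] else f"{u.host}:{u.port}"
    fields = [
        quote(u.dn, safe="=,"),
        ",".join(u.attributes),
        "" if u.scope == "base" else u.scope,
        "" if u.search_filter == DEFAULT_FILTER else quote(u.search_filter, safe="()=*"),
        ",".join(u.extensions),
    ]
    while len(fields) > 1 and fields[-1] == "":
        fields.pop()
    return f"{u.scheme}://{authority}/" + "?".join(fields)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (backslash + two hex digits) so that
    '*', '(', ')', '\\' and NUL in the value are treated as literal characters;
    non-ASCII characters are escaped byte-wise as UTF-8."""
    out: List[str] = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def search_url_for(host: str, base_dn: str, attribute: str, value: str) -> str:
    """Subtree-search URL like the page's second example, with the value escaped."""
    filt = f"({attribute}={escape_filter_value(value)})"
    return build_ldap_url(LdapUrl("ldap", host, 389, base_dn, [], "sub", filt))


if __name__ == "__main__":
    for url in ("ldap://ldap.example.com/cn=John%20Doe,dc=example,dc=com",
                "ldap:///dc=example,dc=com??sub?(givenName=John)"):
        print(parse_ldap_url(url))
    print(search_url_for("ldap.example.com", "dc=example,dc=com", "givenName", "Jo*"))
```

Note the two layers of encoding: the filter is first escaped as an LDAP filter (Jo* becomes Jo\2a) and then percent-encoded as URL text (the backslash becomes %5C), and parse_ldap_url undoes only the URL layer, leaving the filter escapes for the server to interpret.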