The LDAP directory service model is based on entries. An entry
is a collection of attributes that describe it. Each attribute has a name,
a type and one or more values. For example, attributes describing a person
might include the person's name (common name, or cn), telephone number, and email
address.
The entry for Peter Chan might have the following attributes:
cn: Peter Chan
mail: peter@ust.hk
telephoneNumber: 2358-1234
telephoneNumber: 2358-4321
roomNumber: 2228
LDAP is a protocol defining a directory service and access to that service. LDAP is based on a client-server model. LDAP servers provide the directory service, and LDAP clients use the directory service to access entries and attributes.
In LDAP, directory entries are arranged in a hierarchical tree-like structure, starting at a root and then branching down into individual entries. At the top level of the hierarchy, entries represent larger organizations. Under these larger organizations in the hierarchy there might be entries for smaller organizations. The hierarchy might end with entries for individual people or resources.
The following diagram shows an example of a hierarchy of entries in an LDAP directory service.
Each entry is uniquely identified by a distinguished name. A distinguished
name consists of a name that uniquely identifies the entry at its hierarchical
level (for example, peter and john are different
user IDs that identify different entries at the same level) and a path of
names that traces the entry back to the root of the tree.
For example, this might be the distinguished name for the peter
entry:
uid=peter, ou=People, o=ust.hk
Here, uid represents the user ID of the entry, ou
represents the organizational unit to which the entry belongs, and
o represents the larger organization to which the entry belongs.
The following diagram shows how distinguished names are used to identify entries uniquely in the directory hierarchy and also the attributes contained in one entry:
To perform any LDAP operation, an LDAP client must first establish a connection with an LDAP server. The LDAP protocol specifies TCP/IP port 389 as the standard port, although servers may run on other ports.
The LDAP protocol also defines a simple method for authentication. LDAP servers can be set up to restrict access to the directory. Before an LDAP client can perform an operation on an LDAP server, the client must authenticate itself to the server by supplying a distinguished name and a password. If the user identified by that distinguished name does not have permission to perform the operation, the server does not execute it.
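A small Python model of the entry and distinguished-name concepts above, together with the simple bind and permission check just described (added example, not from the original page): a DN is parsed into its RDNs from the leaf back to the root, an entry is a multi-valued attribute map, and a bind requires both a DN and a non-empty password. The in-memory directory, the SHA-256 password hashing and the own-entry-only permission rule are assumptions made for this example.

```python
import hashlib
import hmac
import re

# Split on commas not preceded by a backslash; whitespace after a comma is
# dropped, since the page writes the DN as "uid=peter, ou=People, o=ust.hk".
_RDN_SPLIT = re.compile(r'(?<!\\),\s*')

def parse_dn(dn):
    """Return [(attribute, value), ...] ordered from the leaf back to the root."""
    rdns = []
    for part in _RDN_SPLIT.split(dn.strip()):
        attr, sep, value = part.partition('=')
        if not sep or not attr.strip():
            raise ValueError('malformed RDN: %r' % part)
        rdns.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return rdns

def normalize_dn(dn, skip=0):
    """Canonical DN text; skip=1 returns the parent entry's DN (one step to root)."""
    rdns = parse_dn(dn)[skip:]
    return ','.join(a + '=' + v.replace(',', '\\,') for a, v in rdns) or None

def parse_entry(text):
    """Parse 'name: value' lines into a multi-valued attribute map."""
    entry = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(':')
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry

# Constructed sample directory holding the page's Peter Chan entry; only a
# password hash is stored, the clear text here just builds the sample.
DIRECTORY = {normalize_dn('uid=peter, ou=People, o=ust.hk'): parse_entry(
    'cn: Peter Chan\nmail: peter@ust.hk\ntelephoneNumber: 2358-1234\n'
    'telephoneNumber: 2358-4321\nroomNumber: 2228\n'
    'userPassword: ' + hashlib.sha256(b'peter-secret').hexdigest())}

def simple_bind(dn, password):
    """Simple bind: the client proves it is the entry named by dn."""
    entry = DIRECTORY.get(normalize_dn(dn))
    # An empty password must never count as authenticated: LDAP servers treat
    # a DN with no password as an unauthenticated (anonymous) bind.
    if entry is None or not password:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(entry['userPassword'][0], digest)

def may_modify(bound_dn, target_dn):
    """Toy permission rule: a bound user may modify only its own entry."""
    return normalize_dn(bound_dn) == normalize_dn(target_dn)
```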