Understanding LDAP (Lightweight Directory Access Protocol)

What is LDAP?

LDAP is an Internet standard protocol used by applications to access information in a directory. It runs directly over TCP, and can be used to access a standalone LDAP directory service or to access a directory service that is back-ended by X.500. It was created as a way to minimize the implementation requirements on directory clients, and to simplify and encourage the use of directories among applications.

The LDAP directory service model is based on entries. An entry is a collection of attributes that describe it. Each attribute has a type (its name, such as cn) and one or more values. For example, attributes describing a person might include the person's name (common name, or cn), telephone number and email address.

The entry for Peter Chan might have the following attributes:

    cn: Peter Chan
    mail: peter@ust.hk
    telephoneNumber: 2358-1234
    telephoneNumber: 2358-4321
    roomNumber: 2228
    

LDAP is a protocol defining a directory service and access to that service. LDAP is based on a client-server model. LDAP servers provide the directory service, and LDAP clients use the directory service to access entries and attributes.

How LDAP organizes directories

In LDAP, directory entries are arranged in a hierarchical tree-like structure, starting at a root and then branching down into individual entries. At the top level of the hierarchy, entries represent larger organizations. Under these larger organizations in the hierarchy might be entries for smaller organizations or units. The hierarchy might end with entries for individual people or resources.

The following diagram shows an example of a hierarchy of entries in an LDAP directory service.

Each entry is uniquely identified by a distinguished name (DN). A distinguished name consists of the name that uniquely identifies the entry at its level of the hierarchy (its relative distinguished name; for example, uid=peter and uid=john identify different entries under the same parent) followed by the path of names that trace the entry back to the root of the tree.

For example, this might be the distinguished name for the peter entry:

    uid=peter, ou=People, o=ust.hk

Here, uid represents the user ID of the entry, ou represents the organizational unit to which the entry belongs, and o represents the larger organization to which the entry belongs. A DN is read from the entry itself (leftmost) toward the root (rightmost); the spaces after the commas are optional.
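As an added example (written for this page, not code from the original page or from the HKUST service), the following Python parses the attribute listing above into a multi-valued entry, splits the distinguished name into its (type, value) components and, going one step beyond the page, escapes values per RFC 4514 so that a user-supplied value such as peter,ou=Admins cannot smuggle an extra RDN into a DN built from it. The sample entry text and the injected value are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample entry, copied from the attribute listing on this page.
PETER_ENTRY_TEXT = """\
cn: Peter Chan
mail: peter@ust.hk
telephoneNumber: 2358-1234
telephoneNumber: 2358-4321
roomNumber: 2228
"""

def parse_entry(text: str) -> Dict[str, List[str]]:
    """Parse 'type: value' lines into {attribute type -> list of values}.
    Attribute types are case-insensitive in LDAP, so keys are lower-cased; an
    attribute listed twice (telephoneNumber here) keeps both values in order."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

# Characters that must be backslash-escaped inside a DN value (RFC 4514, section 2.4).
_DN_SPECIAL = set(',+"\\<>;')

def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN without
    being read as an extra RDN or separator."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")                 # NUL must be hex-escaped
        elif ch == " " and i in (0, last):
            out.append("\\ ")                  # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                  # leading '#'
        else:
            out.append(ch)
    return "".join(out)

def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (type, value) pairs, most specific first, into a DN string."""
    return ",".join(f"{t}={escape_dn_value(v)}" for t, v in rdns)

def _finish_rdn(chars: List[Tuple[str, bool]]) -> Tuple[str, str]:
    # Drop unescaped spaces around the RDN (permitted around the ',' separator),
    # then split on the first unescaped '='.
    while chars and chars[0] == (" ", False):
        chars.pop(0)
    while chars and chars[-1] == (" ", False):
        chars.pop()
    for k, (c, escaped) in enumerate(chars):
        if c == "=" and not escaped:
            return ("".join(x for x, _ in chars[:k]).strip(),
                    "".join(x for x, _ in chars[k + 1:]))
    raise ValueError("RDN without '='")

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, honouring backslash escapes.
    Multi-valued RDNs ('+') are not handled; the page's example has none."""
    rdns: List[Tuple[str, str]] = []
    chars: List[Tuple[str, bool]] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _DN_SPECIAL or nxt in " #=":
                chars.append((nxt, True))
                i += 2
            else:                                 # \XX hex pair, e.g. \00
                chars.append((chr(int(dn[i + 1:i + 3], 16)), True))
                i += 3
            continue
        if ch == ",":
            rdns.append(_finish_rdn(chars))
            chars = []
        else:
            chars.append((ch, False))
        i += 1
    rdns.append(_finish_rdn(chars))
    return rdns

if __name__ == "__main__":
    print(parse_entry(PETER_ENTRY_TEXT))
    print(parse_dn("uid=peter, ou=People, o=ust.hk"))
    # Unescaped, the hostile value becomes four RDNs; escaped, it stays one.
    print(parse_dn("uid=peter,ou=Admins,ou=People,o=ust.hk"))
    print(build_dn([("uid", "peter,ou=Admins"), ("ou", "People"), ("o", "ust.hk")]))
```

The point of the escaping is that a DN is a structured string: any place an application concatenates user input into a DN (for example to build the name used in a bind) must escape it, otherwise the input can move the entry to a different branch of the tree.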

The following diagram shows how distinguished names are used to identify entries uniquely in the directory hierarchy and also the attributes contained in one entry:

How does it work?

LDAP is based on a client-server model. LDAP servers make information about people, organizations, and resources accessible to LDAP clients. The LDAP protocol defines the operations that clients use to search and update the directory: bind (authenticate), search, compare, add, delete, modify, modify DN and unbind, among others. For example, to update an entry in the directory, an LDAP client submits the distinguished name of the entry together with the updated attribute information to the LDAP server. The LDAP server uses the distinguished name to find the entry and performs a modify operation to update the entry in the directory.

To perform any of these LDAP operations, an LDAP client needs to establish a connection with an LDAP server. The LDAP protocol specifies TCP port 389 as the default, although servers may run on other ports; LDAP over TLS (LDAPS) conventionally uses port 636.

The LDAP protocol also defines a simple method for authentication, the simple bind. LDAP servers can be set up to restrict permissions to the directory. Before an LDAP client can perform an operation on an LDAP server, the client must authenticate itself to the server by supplying a distinguished name and password (a bind with an empty name and empty password is an anonymous bind). If the user identified by the distinguished name does not have permission to perform the operation, the server refuses the operation. Note that a simple bind sends the password in cleartext, so the connection should be protected with TLS (StartTLS on port 389, or LDAPS) before binding; LDAPv3 also defines SASL binds for stronger authentication mechanisms.
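The bind described above, as an added example that is not part of the original page: both sides of an LDAPv3 simple bind (RFC 4511) encoded by hand in BER, with a constructed in-memory directory standing in for the server. The DN, the password correct-horse and the DIRECTORY table are assumptions made for the example. Decoding the request shows why the cleartext caveat matters: the password travels as an ordinary OCTET STRING inside the message.

```python
import hmac
from typing import Any, Dict, Tuple

# BER tags used by LDAPMessage / BindRequest / BindResponse (RFC 4511, encoded per X.690).
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] and [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80                          # AuthenticationChoice: simple [0] OCTET STRING
SUCCESS, INVALID_CREDENTIALS = 0, 49        # LDAPResult resultCode values

def _tlv(tag: int, payload: bytes) -> bytes:
    """BER tag-length-value with short or two-byte long-form length (up to 65535)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def _small_int(tag: int, value: int) -> bytes:
    # One-byte content; enough for message IDs, the protocol version and result codes here.
    if not 0 <= value < 128:
        raise ValueError("value needs a multi-byte INTEGER encoding")
    return _tlv(tag, bytes([value]))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, payload, position after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

# ---- client side ------------------------------------------------------------

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = (_small_int(INTEGER, 3)
          + _tlv(OCTET_STRING, dn.encode())
          + _tlv(SIMPLE_AUTH, password.encode()))
    return _tlv(SEQUENCE, _small_int(INTEGER, msg_id) + _tlv(BIND_REQUEST, op))

def result_code(response: bytes) -> int:
    """Pull resultCode out of an LDAPMessage carrying a BindResponse."""
    _, payload, _ = _read_tlv(response, 0)
    _, _msg_id, pos = _read_tlv(payload, 0)
    tag, op, _ = _read_tlv(payload, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, _ = _read_tlv(op, 0)
    return code[0]

# ---- server side (toy, in-memory) -------------------------------------------

# Constructed toy directory: DN -> password. A real server stores password hashes.
DIRECTORY: Dict[str, str] = {"uid=peter,ou=People,o=ust.hk": "correct-horse"}

def parse_bind_request(msg: bytes) -> Dict[str, Any]:
    """Decode a simple BindRequest; note that the password is readable as-is."""
    tag, payload, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(payload, 0)
    tag, op, _ = _read_tlv(payload, pos)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    if auth_tag != SIMPLE_AUTH:
        raise ValueError("only simple bind is decoded here")
    return {"messageID": msg_id[0], "version": version[0],
            "name": name.decode(), "password": cred.decode()}

def bind_response(msg_id: int, code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN '', diagnosticMessage } }."""
    op = (_small_int(ENUMERATED, code)
          + _tlv(OCTET_STRING, b"")
          + _tlv(OCTET_STRING, diagnostic.encode()))
    return _tlv(SEQUENCE, _small_int(INTEGER, msg_id) + _tlv(BIND_RESPONSE, op))

def server_handle(msg: bytes) -> bytes:
    req = parse_bind_request(msg)
    name, pw, mid = req["name"], req["password"], req["messageID"]
    if name == "" and pw == "":
        return bind_response(mid, SUCCESS)          # anonymous bind (RFC 4513, 5.1.1)
    if pw == "":
        # A non-empty DN with an empty password is an "unauthenticated" bind (RFC 4513, 5.1.2).
        # Servers that grant it anonymous access make naive "did the bind succeed?" login
        # checks pass for any DN, so refuse it outright.
        return bind_response(mid, INVALID_CREDENTIALS, "unauthenticated bind refused")
    expected = DIRECTORY.get(name, "")
    if expected and hmac.compare_digest(expected.encode(), pw.encode()):
        return bind_response(mid, SUCCESS)
    # Same result for an unknown DN and a wrong password, so the reply reveals neither.
    return bind_response(mid, INVALID_CREDENTIALS)

if __name__ == "__main__":
    dn = "uid=peter,ou=People,o=ust.hk"
    wire = bind_request(1, dn, "correct-horse")
    print(wire.hex())                       # the password bytes are visible in the clear
    print(result_code(server_handle(wire)))
```

Running the block prints the request in hex, where the password bytes can be picked out directly, and then the result code 0 returned by the toy server. The refusal of a DN with an empty password mirrors RFC 4513 section 5.1.2; an application that treats a successful bind as a login must never let the password field be empty.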
