
Chapter 1
Understanding LDAP

LDAP (Lightweight Directory Access Protocol) is the Internet directory protocol. Developed at the University of Michigan at Ann Arbor in conjunction with the Internet Engineering Task Force, LDAP is a protocol for accessing and managing directory services.

This chapter explains the LDAP protocol and the concepts behind LDAP. The chapter is organized in the following sections:

If you are already familiar with LDAP, you can skip ahead to Chapter 2, "Using the Directory SDK."

How Directory Services Work

A directory consists of entries containing descriptive information. For example, a directory might contain entries describing people or network resources, such as printers or fax machines.

The descriptive information is stored in the attributes of the entry. Each attribute describes a specific type of information. For example, attributes describing a person might include the person's name (common name, or cn), telephone number, and email address.

The entry for Barbara Jensen might have the following attributes:

cn: Barbara Jensen
mail: babs@ace.com
telephoneNumber: 555-1212
roomNumber: 3995

An attribute can have more than one value. For example, a person might have two common names (a formal name and a nickname) or two telephone numbers:

cn: Jennifer Jensen
cn: Jenny Jensen
mail: jen@ace.com
telephoneNumber: 555-1213
telephoneNumber: 555-2059
roomNumber: 3996

Attributes can also contain binary data. For example, attributes of a person might include the JPEG photo of the person or the voice of the person recorded in an audio file format.
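As an added example (it is not part of the Netscape documentation or SDK), the following Python parses an entry written in the attribute: value form shown above into a map from attribute name to its list of values, so that multi-valued attributes such as cn and telephoneNumber are kept together. Binary values are accepted in the attribute:: base64 form that LDIF (RFC 2849) uses. The sample entry is constructed for this example; its jpegPhoto value is the three bytes that begin every JPEG file, not a real photo.

```python
import base64
from typing import Dict, List, Union

# Constructed sample in the "attribute: value" form used in this chapter. The
# jpegPhoto line uses the LDIF "attribute:: base64" form for binary data
# (here the JPEG start-of-image marker, chosen only for the example).
SAMPLE_ENTRY = """\
cn: Jennifer Jensen
cn: Jenny Jensen
mail: jen@ace.com
telephoneNumber: 555-1213
telephoneNumber: 555-2059
roomNumber: 3996
jpegPhoto:: /9j/
"""

Entry = Dict[str, List[Union[str, bytes]]]


def parse_entry(text: str) -> Entry:
    """Map each attribute name (lower-cased, because LDAP attribute names are
    case-insensitive) to the ordered list of its values.
    Text values become str; base64 ("::") values are decoded to bytes."""
    # LDIF folds long lines by starting the continuation with one space.
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entry: Entry = {}
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no attribute
        name, sep, rest = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"not an attribute line: {line!r}")
        if rest.startswith(":"):
            # "attr:: <base64>" carries binary data; reject malformed base64
            value: Union[str, bytes] = base64.b64decode(rest[1:].strip(), validate=True)
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def is_multivalued(entry: Entry, attribute: str) -> bool:
    """True when the attribute carries more than one value in this entry."""
    return len(entry.get(attribute.lower(), [])) > 1


if __name__ == "__main__":
    for name, values in parse_entry(SAMPLE_ENTRY).items():
        print(name, values)
```

Lower-casing the attribute name on the way in means a lookup for "telephoneNumber" and one for "telephonenumber" find the same values, which matches how an LDAP server treats attribute names.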

A directory service is a distributed database application designed to manage the entries and attributes in a directory. A directory service also makes the entries and attributes available to users and other applications. The Netscape Directory Server is an example of a directory service.

For example, a user might use the directory service to look up someone's telephone number. Another application might use the directory service to retrieve a list of email addresses.

LDAP is a protocol defining a directory service and access to that service. LDAP is based on a client-server model. LDAP servers provide the directory service, and LDAP clients use the directory service to access entries and attributes.

An example of an LDAP server is the Netscape Directory Server, which manages and provides information about users and organizational structures of users, such as groups and departments. Examples of LDAP clients might include the HTTP gateway to the Netscape Directory Server, Netscape Navigator, and Netscape Communicator. The gateway uses the directory service to find, update, and add information about users.

How LDAP Servers Organize Directories

Because LDAP is intended to be a global directory service, data is organized hierarchically, starting at a root and branching down into individual entries. Entries are typically arranged geographically and by organization.

At the top level of the hierarchy, entries represent countries or international organizations. Examples of entries are US or Canada (countries) or Ace Industry (an organization). Under each country entry in the hierarchy might be entries for states or provinces or national organizations. The hierarchy might end with entries for people or resources.

Figure 1.1 illustrates a hierarchy of entries in an LDAP directory service.

Figure 1.1 A hierarchy of entries in the directory

Each entry is uniquely identified by a distinguished name. A distinguished name consists of the name of an entry (for example, Barbara Jensen) and a path of names tracing the entry back to the root of the tree.

For example, this might be the distinguished name for the Barbara Jensen entry:

cn=Barbara Jensen, ou=Product Development, o=Ace Industry, c=US

Here, cn represents the common name of the entry, ou represents the organizational unit (such as a department or a division) in which the entry belongs, o represents the organization in which the entry belongs, and c represents the country in which the entry belongs. For more information on the syntax of distinguished names, see "Distinguished Names".

The following diagram shows how distinguished names are used to identify entries uniquely in the directory hierarchy.

An example of a distinguished name in the directory

At any level of the directory hierarchy, a component of a distinguished name is itself a distinguished name. For example, at the country level in the directory hierarchy, the component c=US is a distinguished name that uniquely identifies the entry for the United States at that level.
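The following Python is an added example, not code from the Netscape SDK. It splits a distinguished name into its relative components (the cn, ou, o and c pieces described above) and rebuilds every suffix of the name, which shows concretely the point that each suffix is itself a distinguished name. Values are unescaped and re-escaped according to the string representation rules of RFC 4514, which is why a comma inside a value (written as "\," or "\2c") does not split the name. The multi-valued-RDN "+" separator and the "#" hex-string value form are left out, as an assumption of this example.

```python
from typing import List, Tuple

# Characters that must be backslash-escaped inside an attribute value
# (RFC 4514 section 2.4).
_SPECIAL = ',+"\\<>;'

Token = Tuple[str, bool]  # (character, was_escaped)


def _tokenize(dn: str) -> List[List[Token]]:
    """Split on unescaped commas, unescaping "\c" and "\XX" as we go."""
    components: List[List[Token]] = []
    current: List[Token] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash at end of DN")
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in " #=":
                current.append((nxt, True))
                i += 2
            else:
                # "\XX": two hex digits giving one byte (single-byte chars only here)
                pair = dn[i + 1:i + 3]
                if len(pair) != 2 or any(c not in "0123456789abcdefABCDEF" for c in pair):
                    raise ValueError(f"bad escape sequence at offset {i}")
                current.append((chr(int(pair, 16)), True))
                i += 3
        elif ch == ",":
            components.append(current)
            current = []
            i += 1
        else:
            current.append((ch, False))
            i += 1
    components.append(current)
    return components


def _strip_unescaped_spaces(tokens: List[Token]) -> List[Token]:
    """Drop surrounding spaces that were not escaped (escaped ones are data)."""
    while tokens and tokens[0] == (" ", False):
        tokens = tokens[1:]
    while tokens and tokens[-1] == (" ", False):
        tokens = tokens[:-1]
    return tokens


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return (attributeType, value) pairs from the entry itself up to the root."""
    rdns = []
    for tokens in _tokenize(dn):
        tokens = _strip_unescaped_spaces(tokens)
        # The attribute type ends at the first unescaped '='.
        eq = next((k for k, (c, esc) in enumerate(tokens) if c == "=" and not esc), None)
        if eq is None or eq == 0:
            raise ValueError("RDN without attribute type: " + "".join(c for c, _ in tokens))
        attr = "".join(c for c, _ in tokens[:eq]).strip().lower()
        value = "".join(c for c, _ in _strip_unescaped_spaces(tokens[eq + 1:]))
        rdns.append((attr, value))
    return rdns


def escape_value(value: str) -> str:
    """Escape a value so it can be placed in a DN string without changing its structure."""
    out = []
    last = len(value) - 1
    for k, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (ch == "#" and k == 0) or (ch == " " and k in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def ancestors(dn: str) -> List[str]:
    """Each suffix of the DN: the parent entry, its parent, and so on up to the top level."""
    rdns = parse_dn(dn)
    return [build_dn(rdns[k:]) for k in range(1, len(rdns))]


if __name__ == "__main__":
    name = "cn=Barbara Jensen, ou=Product Development, o=Ace Industry, c=US"
    print(parse_dn(name))
    print(ancestors(name))
```

escape_value is the half of this that matters when a DN is assembled from data supplied by a user or another system: an unescaped comma or "+" in a value would be read as a new component, so values are always escaped before being joined into a name.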

The data stored in a directory can be distributed among several LDAP servers. For example, an LDAP server at Ace Industry might contain entries representing the Ace Industry organizational units and employees, whereas an LDAP server at the University of Michigan might contain entries containing the organizational units, faculty, and students at that campus.

Some LDAP servers are set up to refer requests to other LDAP servers. For example, if the LDAP server at Ace Industry receives a request for information about the University of Michigan, that server can refer the request to the LDAP server at the University of Michigan. In this way, LDAP servers can appear to be a single source of directory information. Even if an LDAP server does not contain the information you request, the server can refer you to another server that does contain the information.

How LDAP Clients and Servers Work

In the LDAP client-server model, LDAP servers (such as the Netscape Directory Server) make information about people, organizations, and resources accessible to LDAP clients. The LDAP protocol defines operations that clients use to search and update the directory. An LDAP client can perform these operations, among others:

For example, to update an entry in the directory, an LDAP client submits the distinguished name of the entry with updated attribute information to the LDAP server. The LDAP server uses the distinguished name to find the entry and performs a modify operation to update the entry in the directory.

To perform any of these LDAP operations, an LDAP client needs to establish a connection with an LDAP server. The LDAP protocol specifies the use of TCP/IP port number 389, although servers may run on other ports.

The LDAP protocol also defines a simple method for authentication. LDAP servers can be set up to restrict permissions to the directory. Before an LDAP client can perform an operation on an LDAP server, the client must authenticate itself to the server by supplying a distinguished name and password. If the user identified by the distinguished name does not have permission to perform the operation, the server does not execute the operation.
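The bind exchange described in this paragraph, as an added example that is not code from the Netscape SDK: the Python below builds and decodes the LDAPv3 BindRequest (RFC 4511) that carries "simple" authentication, that is, a distinguished name plus a password, using a minimal BER encoder. The message ID, distinguished name and password used in the usage block are constructed for the example. The decoder shows the practitioner's point about this method: the password is an ordinary OCTET STRING inside the message, so unless the connection is protected with TLS, any party that can read the connection reads the credentials too.

```python
# Added example: encode and decode an LDAPv3 simple BindRequest.
#
#   LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
#   BindRequest ::= [APPLICATION 0] SEQUENCE {
#       version INTEGER, name LDAPDN (OCTET STRING),
#       authentication CHOICE { simple [0] OCTET STRING, ... } }
from typing import Tuple


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, else 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(content)) + content


def _ber_int(value: int) -> bytes:
    size = max(1, (value.bit_length() + 8) // 8)  # room for the sign bit
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Build the bytes a client sends to authenticate with a DN and password."""
    bind = (
        _ber_int(3)                              # version 3
        + _tlv(0x04, dn.encode("utf-8"))         # name: the distinguished name
        + _tlv(0x80, password.encode("utf-8"))   # simple [0]: the password, as-is
    )
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def decode_simple_bind(msg: bytes) -> Tuple[int, int, str, str]:
    """Return (message_id, version, dn, password) from a simple BindRequest."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    tag, version, pos = _read_tlv(op, 0)
    tag, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("authentication choice is not 'simple'")
    return (
        int.from_bytes(mid, "big", signed=True),
        int.from_bytes(version, "big", signed=True),
        name.decode("utf-8"),
        auth.decode("utf-8"),
    )


if __name__ == "__main__":
    # Constructed values for the demonstration; the password is not real.
    msg = encode_simple_bind(1, "cn=Barbara Jensen, ou=Product Development, o=Ace Industry, c=US", "example-password")
    print(msg.hex())
    print(decode_simple_bind(msg))
```

The server answers a BindResponse with a result code; on success it applies the permissions of the bound DN to the operations that follow on that connection, which is the access check the paragraph above describes.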



Last modified: March 31, 1997
Copyright © 1997 Netscape Communications Corporation