LDAP

Version History

LDAP is a standard for directory services that continues to gain features as the IETF extends it. Because many applications can consult the same LDAP server, it lets an organization consolidate separate directory lists into one directory. An LDAP server provides the directory service and the other LDAP operations (binding, searching, comparing and modifying entries). The original version was developed at the University of Michigan; the IETF has published updates since then, driven in part by the vendors and organizations that deploy it. The main versions of LDAP are version 2 (RFC 1777) and version 3 (RFC 2251). Version 3 added SASL-based authentication, referrals, extended operations and controls, UTF-8 string encoding, and the ability of a server to publish its schema. Directory replication and a standard access control model were not part of RFC 2251; they were left to vendor implementations and later IETF work, so access control lists in an LDAP server are vendor-specific. Even so, because LDAP can hold user accounts, groups and credentials for an entire organization, it can back the kind of single user logon for all computers in a domain that is currently done with a Windows NT domain.

LDAP RFCs

There are several RFCs associated with LDAP and its versions; they are listed below. Use the links in the Networking section to reach web sites that carry the RFCs. Note that the LDAPv3 RFCs listed here (RFC 2251 through RFC 2256, RFC 2829 and RFC 2830) were later consolidated and obsoleted by RFC 4510 through RFC 4519, and the LDAPv2 RFCs were moved to Historic status by RFC 3494, so check the current versions before implementing against them.

  • RFC 1777 - Lightweight Directory Access Protocol (Obsoletes RFC 1487)
  • RFC 1778 - The String Representation of Standard Attribute Syntaxes
  • RFC 1779 - A String Representation of Distinguished Names (Obsoletes RFC 1485)
  • RFC 1823 - The LDAP Application Program Interface
  • RFC 1960 - A String Representation of LDAP Search Filters (Obsoletes RFC 1558)
  • RFC 2251 - Lightweight Directory Access Protocol (v3)
  • RFC 2252 - Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
  • RFC 2253 - Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
  • RFC 2254 - The String Representation of LDAP Search Filters
  • RFC 2255 - The LDAP URL Format
  • RFC 2256 - A Summary of the X.500(96) User Schema for use with LDAPv3
  • RFC 2829 - Authentication Methods for LDAP
  • RFC 2830 - Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security

Associated RFCs

  • RFC 1274 - The COSINE and Internet X.500 Schema
  • RFC 1279 - X.500 and Domains
  • RFC 1308 - Executive Introduction to Directory Services Using the X.500 Protocol
  • RFC 1309 - Technical Overview of Directory Services Using the X.500 Protocol
  • RFC 1617 - Naming and Structuring Guidelines for X.500 Directory Pilots (Obsoletes RFC 1384)
  • RFC 1684 - Introduction to White Pages services based on X.500
  • RFC 2079 - Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs)

LDAP Organization

LDAP servers contain entries, each identified uniquely by a distinguished name (DN). The required and optional attributes of an entry are defined by its object classes, which come from the X.500 schema (RFC 1274 and, for LDAPv3, RFC 2256). The directory is hierarchical: a DN is a sequence of relative distinguished names (RDNs), one per level of the tree, so the entry's own RDN comes first and each further RDN names the parent, up to the root of the tree.

LDAP and X.500

Since LDAP is based on X.500, it uses the X.500 object classes. Every entry carries an objectClass attribute naming the classes it belongs to, and all of these classes descend from a base class called "top".

X.500 Object Classes

The following object classes are defined by RFC 1274. Each object class has certain attributes that an entry of that class must contain and others it may contain. Some, but not all, of these attributes are listed here.

LDAP Distinguished Names

This section shows the LDAP information model. RFC 1779 states "Many OSI Applications make use of Distinguished Names (DN) as defined in the OSI Directory, commonly known as X.500." If you look at the listed distinguished names and their meanings below, you may notice that the names match the required attributes of some of the X.500 objects, such as "countryName" for "country". (RFC 1779 was later obsoleted by RFC 2253, which keeps the same keywords for the common attribute types but tightens the escaping rules.) The LDAP grammar for distinguished names is listed below according to RFC 1779:

A DN is written as a sequence of RDNs separated by commas (RFC 1779 also allows a semicolon as an alternate separator; RFC 2253 requires parsers to accept it but says it should no longer be generated). Each RDN is an attribute type and value written as a name=value pair, and an RDN with several pairs joins them with "+". Commas, plus signs, quotes, backslashes, angle brackets and semicolons inside a value must be escaped with a backslash, or the value must be quoted, or a parser will read the value as the start of the next RDN. An example is:

CN=Mark Allen, O=Computer Technology Documentation Project, ST=Michigan, C=US
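The parser below is an added example written for this page, not code from the original page or from any LDAP implementation. It splits a DN string into its RDNs and attribute type/value pairs following the RFC 2253 escaping rules (the successor to RFC 1779 listed above), while still accepting the two legacy RFC 1779 forms mentioned here: a semicolon between RDNs and double-quoted values. The companion function escapes a value for insertion into a DN, which is the check that matters when a DN is assembled from user input: an unescaped "," in a username would otherwise add an RDN of the attacker's choosing. Assumed simplifications, not taken from any RFC text on this page: backslash-hex escapes are decoded one byte at a time, and the "#hex" BER value form is not handled.

```python
"""Distinguished-name parsing and escaping (RFC 2253 rules, RFC 1779 legacy forms).
Added example for this page; not part of the original document."""

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 2253 section 2.4). A leading '#' and leading/trailing spaces are
# escaped as well, handled separately in escape_dn_value().
_SPECIAL = set(',+"\\<>;')
_HEX = set('0123456789abcdefABCDEF')


def escape_dn_value(value):
    """Return `value` escaped so that it reads as exactly one attribute value
    when written into a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def parse_dn(dn):
    """Parse a DN string into a list of RDNs, leaf first. Each RDN is a list
    of (type, value) pairs; a multi-valued RDN ('+' separated) has several.
    Raises ValueError on malformed input instead of guessing."""
    rdns, rdn = [], []
    buf = []            # characters of the token being read: (char, escaped)
    attr_type = None    # None while reading the type; the type once '=' is seen
    in_quotes = False
    i, n = 0, len(dn)

    def flush_pair():
        nonlocal buf, attr_type
        if attr_type is None:
            raise ValueError("RDN without '=' near offset %d" % i)
        chars = buf
        # Unescaped whitespace around a value is not part of it (RFC 2253 s.4).
        while chars and chars[0] == (' ', False):
            chars = chars[1:]
        while chars and chars[-1] == (' ', False):
            chars = chars[:-1]
        rdn.append((attr_type, ''.join(c for c, _ in chars)))
        buf, attr_type = [], None

    while i < n:
        ch = dn[i]
        if ch == '\\':                      # backslash escape: \c or \XX
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of DN")
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in ' #=':
                buf.append((nxt, True))
                i += 2
                continue
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                # Assumption: decoded byte-wise; multi-byte UTF-8 would need
                # the escaped bytes reassembled before decoding.
                buf.append((chr(int(pair, 16)), True))
                i += 3
                continue
            raise ValueError("bad escape at offset %d" % i)
        if in_quotes:                       # RFC 1779 quoted value: take literally
            if ch == '"':
                in_quotes = False
            else:
                buf.append((ch, True))
            i += 1
            continue
        if ch == '"' and attr_type is not None:
            in_quotes = True
        elif ch == '=' and attr_type is None:
            attr_type = ''.join(c for c, _ in buf).strip()
            if not attr_type:
                raise ValueError("empty attribute type at offset %d" % i)
            buf = []
        elif ch in ',;':                    # end of RDN (';' is the RFC 1779 form)
            flush_pair()
            rdns.append(rdn)
            rdn = []
        elif ch == '+':                     # next pair of a multi-valued RDN
            flush_pair()
        else:
            buf.append((ch, False))
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    flush_pair()
    rdns.append(rdn)
    return rdns


def build_dn(rdns):
    """Serialize the structure returned by parse_dn() back into RFC 2253 form."""
    return ','.join('+'.join('%s=%s' % (t, escape_dn_value(v)) for t, v in rdn)
                    for rdn in rdns)


if __name__ == '__main__':
    # Constructed inputs: the page's example DN and an attacker-style value.
    print(parse_dn('CN=Mark Allen, O=Computer Technology Documentation Project, ST=Michigan, C=US'))
    user = 'Mark Allen,O=attacker'
    print(parse_dn('CN=' + user + ',C=US'))                   # four RDNs: injected
    print(parse_dn('CN=' + escape_dn_value(user) + ',C=US'))  # two RDNs: safe
```

Running the block shows the difference between building "CN=" + user + ",C=US" by string concatenation, which yields an extra O=attacker RDN, and building it with escape_dn_value(), which keeps the comma inside the CN value. The same escaping should be applied to every untrusted component before a DN is used in a bind or a search base.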

LDAP Applications

With version 3 of LDAP, application functions fall into the general categories below:

LDAP Provisions

LDAP is not a database, a file system, or a replacement for DNS; it is a protocol for accessing a directory. LDAP requires a connection-oriented transport: RFC 2251 specifies TCP, conventionally on port 389. A simple bind sends the DN and password in the clear unless the session is protected, either with TLS through the StartTLS extension of RFC 2830 or with a SASL mechanism as described in RFC 2829, so directory credentials should never cross an untrusted network on a bare connection.

The LDAP Tree
