LDAP

David Lee

Consider two different problems. First, a huge organization with thousands of members, many departments, and many IT resources: how can it maintain an online address book that is both easy to update and easy to access? Second, an MIS staff member has to maintain separate sets of usernames and passwords for a number of different systems (Linux login, Apache, Samba, mail service, etc.): how can that work be made easier? These two problems seem unrelated, but they can be served by the same solution: LDAP (Lightweight Directory Access Protocol).

LDAP is a protocol for accessing an online directory service, based on X.500. It omits many of the complicated details of the X.500 protocol in order to be a flexible and lightweight application protocol built on IP networks. For the first problem above, LDAP's flexible design lets us catalog different types of resources in one distributed online database. For the second, it provides a standardized interface that different applications can refer to, so integrating the configuration of those applications becomes easy.

From the macro perspective, LDAP organizes its data into a tree structure called the DIT (Directory Information Tree). A DIT can be cut into many sub-trees, each of which can be stored on a different LDAP server to achieve a distributed architecture. Each record in the DIT is identified by a unique distinguished name (DN). Like an absolute path in an ordinary file system, the DN identifies the record's position in the DIT.

From the micro perspective, each record in LDAP conforms to a schema and can be rendered as LDIF (LDAP Data Interchange Format) for human readability (note that the data actually stored may be binary). In LDIF, each record has multiple “attributes”, and each attribute is composed of one or more values. Which attributes a record can have is defined by its “objectClass”. For example, a record with objectClass “employee” may have attributes such as name, department, and email address, while a record with objectClass “department” may have attributes such as administrator and member. Every record has at least two attributes, DN and objectClass; the other required and optional attributes are determined by the value of objectClass.

To retrieve information from the LDAP server, we can package queries in the LDAP URL format:

"ldap://" [ <host> ] "/" <dn> [ "?" <attributes> [ "?" <scope> "?" <filter> ] ]
<host> ::= <hostname>[ ":" <port> ]
<attributes> ::= NULL | <attributelist>
<attributelist> ::= <attributetype>| <attributetype>[ "," <attributelist> ]
<scope> ::= "base" | "one" | "sub"
● host: hostname or IP address of the server, optionally followed by a port
● dn: DN of the search starting point
● attributes: which attributes of each matching entry will be returned
● scope: search scope (the single base node, its first generation of child nodes, or the entire sub-tree)
● filter: search criteria

For example, ldap://cellopoint.com/ou=rd,ou=unit,ou=company,dc=cellopoint,dc=com?mail?sub?uid=david returns the email address of every employee whose user ID is david in the RD department of Cellopoint, searching the whole sub-tree under that DN.
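As an added worked example (not code from the article), here is a small Python parser for the LDAP URL grammar above, applied to the article's example URL; it fills in the defaults the grammar leaves implicit (port 389, scope base, filter (objectClass=*)) and maps the result to the equivalent OpenLDAP ldapsearch arguments. The ldap.example.com host and the (cn=J%20Doe) filter used alongside it are constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")  # single entry, direct children, whole sub-tree


@dataclass
class LdapUrl:
    host: Optional[str]      # None: the client decides which server to contact
    port: int
    dn: str                  # search base, i.e. the starting point in the DIT
    attributes: List[str] = field(default_factory=list)  # empty: all user attributes
    scope: str = "base"
    filter: str = "(objectClass=*)"


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse ldap://[host[:port]]/dn[?attributes[?scope[?filter]]] into its parts."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    hostport, _, rest = url[len("ldap://"):].partition("/")
    host, port = None, 389  # 389 is the standard LDAP port (assumed as default)
    if hostport:
        # Bracketed IPv6 literals are not handled by this simple split.
        host, sep, portstr = hostport.rpartition(":")
        if sep:
            port = int(portstr)
        else:
            host = portstr  # no ":" present, so the whole string is the host
    dn, _, rest = rest.partition("?")
    fields = rest.split("?") if rest else []
    if len(fields) > 3:
        raise ValueError("more '?' fields than attributes/scope/filter allows")
    fields += [""] * (3 - len(fields))  # missing trailing fields take defaults
    attrs = [unquote(a) for a in fields[0].split(",") if a]
    scope = fields[1].lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    flt = unquote(fields[2]) or "(objectClass=*)"
    return LdapUrl(host, port, unquote(dn), attrs, scope, flt)


def ldapsearch_args(u: LdapUrl) -> List[str]:
    """Equivalent OpenLDAP ldapsearch command line for the parsed URL."""
    args = ["ldapsearch"]
    if u.host:
        args += ["-H", f"ldap://{u.host}:{u.port}"]
    args += ["-b", u.dn, "-s", u.scope, u.filter] + u.attributes
    return args
```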

Currently, the most popular LDAP software packages are OpenLDAP and Microsoft Active Directory. Since the former is open source software, anyone can try it to experience the convenience of LDAP.