What is LDAP?
The P in LDAP stands for Protocol, the same as the P in HTTP and FTP. So right off the bat you see that LDAP is a protocol that is at the application level (same as FTP and HTTP) that rides on top of TCP/IP (a transport level protocol). Like HTTP and FTP, LDAP is based on a client sever model. You have an LDAP client that connects to an LDAP server and sends LDAP requests and receives LDAP responses. LDAP services typicallly run on port 389. Unlike HTTP which is a stateless protocol (no connection is kept alive between requests by a client), LDAP is more like FTP in that you have to connect with credentials (called binding), perform operations (typically to lookup data in the directory) and then disconnect (aka unbinding). An interesting thing is that LDAP is supported by browsers (just like FTP is also supported by browsers) and you can enter an address like
ldap://UrlAddress/ and the browser will switch to the LDAP protocol and pop up a small window to let you do directory searches. Try it in IE and see what happens!
What is X.500?
The next thing to understand is that that an LDAP directory is based on an open standard called X.500 that basically describes the LDAP database structure. It is a tree-like hierarchial data structure of nodes that contain information (similar to the way operating systems organize hard disk files into folders hierarchies that contain files instead of nodes). Like a relational database, an LDAP server has a schema that describes the fields of data each node in the database can contain. Because LDAPs are universally used, a standard 'user schema' has been adopted (RFC 2256) that is used by most everybody (the o=aaaa,ou=bbbb,cn=cccc gobletygoop). More on that later. The other thing about an LDAP directory is that it is optimized for fast read and lookup operations. It is not meant to be used for application where data updates occur frequently. That is still the domain of relational databases.
Tell me more about a Directory's Schema
Just like a relational database that has metadata describing the tables and columns in a database, a directory has a schema definition file that describes
- the attributes a directory entry might have, for example an attribute called 'sn' that is defined as a string where surname information is stored. An attribute can be multivalue, meaning it might store several values
- the object classes that describe directory entries and what attributes it has, for example an entry might be of type 'person' and it might contain an attribute called 'sn'. ObjectClasses define which attributes are mandatory and which are optional.
Unlike relational databases where you must define the columns within the context of a table, x.500 allows you to define attributes separate from the object classes that use the attributes. And as mentioned earlier, there is a standard user schema that is commonly used to describe the object classes and attributes found in directories. Lets take a look now at this standard user schema which I am sure you will recognize.
Attributes in the standard user schema used in X.500
Lets start with the attributes in the standard user schema. Attributes have names and an alias. The alias is a 'shortname' of sorts that can be used in place of the name.
Name Alias Description Example
commonName cn first, last name John Smith
telephoneNumber tel self explanatory 123-222-3333
organizationalUnit ou self explanatory Treasury
Objects in the standard user schema used in X.500
Now lets take a look at some of the objects classes in the standard user schema (remember, object classes list the attirbutes found in that object class - think of them as table definitions)
Name Description Required Attributes
InetOrgPerson person cn
sn
objectclass
organizationalUnit a department ou
objectclass
organization a company o
objectclass
Here are some notes about object classes
- an object class can inherit from another object class. By doing so it inherits all the attributes of the parent object class and can add its own
- all object classes must inherit from the top object class. 'top' is a special object class that defines the objectclass attribute that all object classes must have. Think of 'top' and the 'Object' class that all .NET classes inherit from.
Note that all objects classes require an
objectclass attribute that is inherited from top. This special attribute specifies the objectclasses (or types) of an entry in the LDAP. Each LDAP entry can have more than one ObjectClass!
Defining an entry in LDAP
You can think of an entry as an instance of data representing one (or more) objectclasses. The objectclasses an entry uses is defined by its objectclass attribute (which basically lists the objectclasses used by the entry)
Each entry has an RN and a DN
Navigating LDAP
DN
Comments