What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access a distributed directory information service. The primary purpose of a directory service is to provide a systematic set of records, usually organised in a hierarchical structure. It is analogous to a telephone directory, which contains a list of subscribers with their contact numbers and addresses.

The Origins of LDAP

Directories were first introduced in the field of networking and information technology in the form of a collection of protocols called X.500, produced in the 1980s by the International Telecommunication Union. It took some time for telecommunication companies to appreciate the benefits of directories and make use of them. Initially, LDAP was designed as a lightweight protocol to be used exclusively for gaining access to X.500 directory services. The reason behind LDAP's rise to popularity is that it effectively replaced the Open Systems Interconnection network. Modern-day technology allows X.500 directory protocols such as DAP to be used directly over TCP/IP.

In the early stages of its development, the technology was called the “Lightweight Directory Browsing Protocol”. Later on, when the scope of telecommunications expanded and directory update functions were added to accommodate this, it was renamed the Lightweight Directory Access Protocol. LDAP has also influenced other Internet protocols, such as the XML Enabled Directory, the Directory Service Markup Language and the Service Location Protocol, among others.


Overview of LDAP

To start an LDAP session, a client connects to the server, known as the Directory System Agent, which by default listens on TCP port 389. Once the connection is established, the client and server exchange packets of data. In most cases the client does not need to wait for a response before sending another request, and in turn the server may send its responses in any order. The Basic Encoding Rules (BER) are used to encode the information transferred between server and client. In some cases the server may also send responses the client did not ask for, called “unsolicited requests”.


Structure of LDAP

Although the structure of LDAP seems relatively complex, it is fairly simple to understand. The protocol integrates closely with directories and follows the model of the earlier editions of X.500. The basic structure is as follows:

  • Every entry contains a set of attributes.
  • Each attribute has a name and holds one or more values.
  • Each entry in the directory is assigned a unique identifier, its Distinguished Name, which is built from the entry's Relative Distinguished Name (composed from some of its attributes) together with the names of the entries above it. In a file-path analogy, the Distinguished Name is the complete file path and the Relative Distinguished Name is the filename within its parent folder.
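The file-path analogy above only holds if a DN is split on unescaped separators: a naive `split(",")` breaks on values such as `cn=Doe\, Jane`, which is a common source of access-control bugs. The parser below is an added illustration (not code from the post); it follows the RFC 4514 string form and the sample DNs are constructed.

```python
import string
from typing import List, Tuple

def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, skipping separators that are backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(s):
        step = 2 if s[i] == "\\" else 1      # keep the escape pair intact for now
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i:i + step])
        i += step
    parts.append("".join(buf))
    return parts

def _unescape(raw: str) -> str:
    """Resolve "\\," style escapes and "\\2C" hex escapes (hex pairs are UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(raw):
        pair = raw[i + 1:i + 3]
        if raw[i] == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))        # one raw byte, e.g. \2C -> ","
            i += 3
        elif raw[i] == "\\" and i + 1 < len(raw):
            out.extend(raw[i + 1].encode())  # escaped literal such as "," or "+"
            i += 2
        else:
            out.extend(raw[i].encode())
            i += 1
    return out.decode("utf-8")

def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """RDNs of a DN, leaf first; each RDN is a list of (type, value) pairs ('+' joins several)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, raw = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            raw = raw.lstrip()
            while raw.endswith(" ") and not raw.endswith("\\ "):
                raw = raw[:-1]               # drop unescaped trailing spaces only
            avas.append((attr.strip().lower(), _unescape(raw)))
        rdns.append(avas)
    return rdns
```

The first element of the result is the entry's own RDN (the "filename"); the remaining elements are the path to the root.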

A server can hold a sub-tree, beginning from a particular entry, together with its children. Servers may also hold brief references to other remote servers, and a client has the option of contacting those servers itself. Where chaining among servers is supported, servers communicate with one another and return the required result to the client.


Operations on LDAP

There are a plethora of operations that can be performed on the Lightweight Directory Access Protocol.  Here are some of the most prominent ones:

  • Add – Inserts a new entry into the directory. If an entry with the given name already exists, the server refuses to add a duplicate and instead returns an “entryAlreadyExists” error.
  • Bind – When a connection to the LDAP server is opened, the session's authentication state is anonymous. The bind operation sets the authentication state of the session. There are two types of LDAP authentication method: the simple method and the SASL method.
  • Delete – As the name suggests, this operation removes an entry from the directory. To do this, the LDAP client has to send a correctly formed delete request to the server.
  • Compare and search – Parameters such as baseObject, filter, scope, attributes, typesOnly, derefAliases, timeLimit and sizeLimit are used to perform search and read operations, in addition to comparisons.
  • Modify – Used by LDAP clients to request changes to the existing directory. Each change must be one of the following:
    1. Add (adding a new value).
    2. Delete (removing an existing value).
    3. Replace (overwriting an existing value with a new one).
  • Unbind – The inverse of the bind operation. Unbind abandons any outstanding operations and terminates the connection; the server sends no response.
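To make the BER exchange from the overview and the simple bind operation concrete, here is an added example (not code from the post) that builds and decodes an LDAPv3 simple BindRequest by hand. It shows why a simple bind must be wrapped in TLS: the password travels as a plain OCTET STRING inside the message. Any DN or password passed in is a constructed sample; nothing touches the network.

```python
# Added illustration, not the post's own code: hand-rolled BER for an LDAPv3 simple
# BindRequest (RFC 4511). Pure Python, no network; caller-supplied DN/password are samples.

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, else 0x80|k then k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(v: int) -> bytes:
    """INTEGER (tag 0x02), two's complement, minimal length."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def bind_request(message_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password))
    return tlv(0x30, ber_int(message_id) + bind)

def parse_tlv(buf: bytes, pos: int = 0):
    """Decode one element at pos -> (tag, content, next_pos); refuses truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                        # long-form length
        k = first & 0x7F
        if k == 0 or pos + k > len(buf):    # indefinite length is not allowed in LDAP
            raise ValueError("bad BER length")
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER content")
    return tag, buf[pos:pos + length], pos + length

def decode_bind_request(msg: bytes):
    """Inverse of bind_request -> (message_id, version, dn, password)."""
    tag, body, _ = parse_tlv(msg)
    _, mid, p = parse_tlv(body)
    op, req, _ = parse_tlv(body, p)
    if tag != 0x30 or op != 0x60:
        raise ValueError("not an LDAP BindRequest")
    _, ver, p = parse_tlv(req)
    _, name, p = parse_tlv(req, p)
    auth, pw, _ = parse_tlv(req, p)
    if auth != 0x80:
        raise ValueError("only simple authentication is decoded here")
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(ver, "big", signed=True), name.decode(), pw
```

Decoding the bytes produced by `bind_request` returns the password verbatim, which is exactly what anyone on the path sees when the session is not protected by LDAPS or StartTLS.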

Real-time applications of LDAP

Email clients such as Microsoft Outlook employ some form of the LDAP database, although LDAP is not used in its original form. Infospace and ICANN are the most popular search-related services built on the LDAP platform. Popular applications such as Active Directory and Google Apps Directory Sync make use of LDAP and assist in provisioning groups, users and other contacts based on the user data held in the LDAP server.

Posted in: Technical Topics
