LDAP

  History
    LDAP was originally intended to be a lightweight alternative protocol for accessing X.500 directory services
      X.500 directory services were traditionally accessed via the X.500 Directory Access Protocol
    This model of directory access was borrowed from the DIXIE and Directory Assistance Service protocols
    Originally created by Tim Howes of the University of Michigan
    It was known as the Lightweight Directory Browsing Protocol
      It was renamed when the scope of the protocol expanded beyond directory browsing and searching
    LDAPv3
      first published in 1997
      added support for extensibility
      integrated the Simple Authentication and Security Layer
      better aligned the protocol to the 1993 edition of X.500

  Protocol
    A client starts an LDAP session by connecting to an LDAP server
    The client then sends an operation request to the server, and the server sends responses in return
    The client may request any of the operations
    The client does not need to wait for a response before sending the next request
    The server may send the responses in any order

  Directory Structure
    An entry consists of a set of attributes
    An attribute has a name and one or more values
    The attributes are defined in a schema
    Each entry has a unique identifier, its Distinguished Name (DN)
      This consists of its Relative Distinguished Name (RDN), followed by the DN of its parent entry
      The RDN is constructed from some attribute(s) in the entry
    A DN may change over the lifetime of the entry
      when entries are moved within a tree

  Operations
    Add
      inserts a new entry into the directory-server database
      If the distinguished name in the add request already exists in the directory, then the server will not add a duplicate entry
    Bind (authenticate)
      The BIND operation establishes the authentication state for a session
      BIND also sets the LDAP protocol version by sending a version number in the form of an integer
    Delete
      To delete an entry, an LDAP client transmits a properly formed delete request to the server
      A delete request must contain the distinguished name of the entry to be deleted
      Request controls may also be attached to the delete request
    Search and Compare
      used to both search for and read entries
      Parameters
        baseObject
        scope
        filter
        derefAliases
        attributes
        sizeLimit, timeLimit
        typesOnly
    Modify
      to request that the LDAP server make changes to existing entries
      Attempts to modify entries that do not exist will fail
      An update operation is atomic
    Modify DN
      The server may support renaming of entire directory subtrees
    Abandon
      requests that the server abort an operation named by a message ID
      Abandon itself has no response; a similar Cancel extended operation does send responses
    Unbind
      abandons any outstanding operations and closes the connection
      Clients can abort a session by simply closing the connection