Professional Documents
Culture Documents
History
LDAP has inuenced subsequent Internet protocols, including later versions of X.500, XML Enabled Directory
Telecommunication companies understanding of direc(XED), Directory Service Markup Language (DSML),
tory requirements were well developed after some 70
Service Provisioning Markup Language (SPML), and the
years of producing and managing telephone directories.
Service Location Protocol (SLP).
These companies introduced the concept of directory
services to information technology and computer networking, their input culminating in the comprehensive
X.500 specication,[5] a suite of protocols produced by 2 Protocol overview
the International Telecommunication Union (ITU) in the
1980s.
A client starts an LDAP session by connecting to an
X.500 directory services were traditionally accessed via LDAP server, called a Directory System Agent (DSA),
the X.500 Directory Access Protocol (DAP), which re- by default on TCP and UDP port 389, or on port 636 for
quired the Open Systems Interconnection (OSI) protocol LDAPS.[8] Global Catalog is available by default on ports
1
4 OPERATIONS
A DN may change over the lifetime of the entry, for instance, when entries are moved within a tree. To reliably and unambiguously identify entries, a UUID might
Bind authenticate and specify LDAP protocol be provided in the set of the entrys operational attributes.
version
An entry can look like this when represented in LDAP
Search search for and/or retrieve directory entries Data Interchange Format (LDIF) (LDAP itself is a binary
protocol):
Compare test if a named entry contains a given
dn: cn=John Doe,dc=example,dc=com cn: John
attribute value
Doe givenName: John sn: Doe telephoneNumber:
+1 888 555 6789 telephoneNumber: +1 888 555
Add a new entry
1232 mail: john@example.com manager: cn=Barbara
Delete an entry
Doe,dc=example,dc=com objectClass: inetOrgPerson
objectClass: organizationalPerson objectClass: person
Modify an entry
objectClass: top
Modify Distinguished Name (DN) move or re- dn is the distinguished name of the entry; it is neiname an entry
ther an attribute nor a part of the entry. cn=John Doe
StartTLS use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
4 Operations
4.1 Add
4.3
Delete
request already exists in the directory, then the server will current<when?> LDAP version). In LDAPv3, each sucnot add a duplicate entry but will set the result code in the cessful BIND request changes the authentication state of
add result to decimal 68, entryAlreadyExists.[12]
the session and each unsuccessful BIND request resets the
authentication state of the session.
LDAP-compliant servers will never dereference the
distinguished name transmitted in the add request
when attempting to locate the entry, that is, distin- 4.3 Delete
guished names are never de-aliased.
To delete an entry, an LDAP client transmits a properly
LDAP-compliant servers will ensure that the distin- formed delete request to the server.[15]
guished name and all attributes conform to naming
standards
A delete request must contain the distinguished
name of the entry to be deleted
The entry to be added must not exist, and the immediate superior must exist.
Request controls may also be attached to the delete
The command used for searching the entries is:
request
ldapsearch -h localhost -x -LLL -W Servers do not dereference aliases when processing
D
cn=admin,dc=example,dc=com
-b
[13]
a delete request
dc=example,dc=com
dn:
uid=user,ou=people,dc=example,dc=com
changetype: add objectClass: top objectClass: person
uid: user sn: last-name cn: common-name userPassword:
password
In
the
above
example,
uid=user,ou=people,dc=example,dc=com must not
exist, and ou=people,dc=example,dc=com must exist.
4.2
Bind (authenticate)
4 OPERATIONS
a common misconception is that LDAP data is
case-insensitive, whereas in fact matching rules and
ordering rules determine matching, comparisons,
and relative value relationships. If the example lters were required to match the case of the attribute
value, an extensible match lter must be used, for
example,
(&(objectClass=person)(|(givenName:
caseExactMatch:=John)(mail:
caseExactSubstringsMatch:=john*)))
4.5
Modify
The MODIFY operation is used by LDAP clients to request that the LDAP server make changes to existing
entries.[17] Attempts to modify entries that do not exist
will fail. MODIFY requests are subject to access controls as implemented by the server.
Extended operations
add (add a new value, which must not already exist The Extended Operation is a generic LDAP operation
that can dene new operations that were not part of
in the attribute)
the original protocol specication. StartTLS is one of
delete (delete an existing value)
the most signicant extensions. Other examples include
replace (replace an existing value with a new value) Cancel and Password Modify.
LDIF example of adding a value to an attribute:
4.7.1 StartTLS
5
the client requests the server derive its identity from credentials provided at a lower level (such as TLS). Though
technically the server may use any identity information
established at any lower level, typically the server will use
the identity information established by TLS.
4.9
Unbind
The Unbind operation abandons any outstanding opera- 1. Create a new schema le (say, abc.schema) for the new
tions and closes the connection. It has no response. The object class with the additional attributes required[24]
name is of historical origin, and is not the opposite of the
attributetype ( 1.3.6.1.4.1.4203.666.1.90 NAME
Bind operation.[21]
'New_Attribute'
EQUALITY
caseIgnoreMatch
Clients can abort a session by simply closing the con- SUBSTR
caseIgnoreSubstringsMatch
SYNTAX
nection, but they should use Unbind.[22] Unbind allows 1.3.6.1.4.1.1466.115.121.1.15{1024} ) ... objectClass (
the server to gracefully close the connection and free re- 1.3.6.1.4.1.4203.666.1.100 NAME 'New_Class DESC
sources that it would otherwise keep for some time until 'Desc' SUP inetOrgPerson STRUCTURAL MAY (
discovering the client had abandoned the connection. It New_Attribute $ ... other attribute names separated by $
also instructs the server to cancel operations that can be ... ) )
canceled, and to not send responses for operations that
2. Create a conguration le (say, abc.conf) and add the
cannot be canceled.[23]
path of the schema le in it
LDAP URLs
include
/etc/ldap/schema/inetorgperson.schema
...
(other required object classes) include
/path_to_new_schema_le/abc.schema
An LDAP URL format exists, which clients support in 3. Create a new directory (or use an existing one) and
varying degrees, and servers return in referrals and con- run the slaptest command to generate the ldif le in that
tinuation references (see RFC 4516):
directory for the new conf le
ldap://host:port/DN?attributes?scope?filter?extensions
Most of the components described below are optional.
New
ldif
le
is
created
in
Destina host is the FQDN or IP address of the LDAP server tion_directory/cn=cong/cn=schema/cn={0}abc.ldif
to search.
4. change the le cn={0}abc.ldif:
port is the network port (default port 389) of the replace
LDAP server.
8 VARIATIONS
dn: cn={0}abc
by
dn: cn=abc, cn=schema, cn=cong
and remove the structural entries.
5. Add the ldif le to LDAP using ldapadd command
For example, an entry representing a person might be-f long to the classes top and person. Membership in
the person class would require the entry to contain the
sn and cn attributes, and allow the entry also to contain userPassword, telephoneNumber, and other at7 Schema
tributes. Since entries may have multiple ObjectClasses
values, each entry has a complex of optional and mandaThe contents of the entries in a subtree are governed by tory attribute sets formed from the union of the object
a directory schema, a set of denitions and constraints classes it represents. ObjectClasses can be inherited, and
concerning the structure of the directory information tree a single entry can have multiple ObjectClasses values that
dene the available and required attributes of the entry it(DIT).
self. A parallel to the schema of an objectClass is a class
The schema of a Directory Server denes a set of rules
denition and an instance in Object-oriented programthat govern the kinds of information that the server can
ming, representing LDAP objectClass and LDAP entry,
hold. It has a number of elements, including:
respectively.
sudo ldapadd -x -D
/path_to_ldif_le/abc.ldif
cn=cong
-W
Attribute SyntaxesProvide information about the Directory servers may publish the directory schema conkind of information that can be stored in an attribute. trolling an entry at a base DN given by the entrys subschemaSubentry operational attribute. (An operational
Matching RulesProvide information about how to attribute describes operation of the directory rather than
make comparisons against attribute values.
user information and is only returned from a search when
Matching Rule UsesIndicate which attribute it is explicitly requested.)
types may be used in conjunction with a particular Server administrators can add additional schema entries
matching rule.
in addition to the provided schema elements. A schema
for representing individual people within organizations is
Attribute TypesDene an object identier (OID)
termed a white pages schema.
and a set of names that may be used to refer to a
given attribute, and associates that attribute with a
syntax and set of matching rules.
Object ClassesDene named collections of attributes and classify them into sets of required and
optional attributes.
8 Variations
Name FormsDene rules for the set of attributes A lot of the server operation is left to the implementor or
administrator to decide. Accordingly, servers may be set
that should be included in the RDN for an entry.
up to support a wide variety of scenarios.
Content RulesDene additional constraints about
the object classes and attributes that may be used in For example, data storage in the server is not specied the server may use at les, databases, or just be a gateconjunction with an entry.
way to some other server. Access control is not standard Structure RuleDene rules that govern the kinds ized, though there has been work on it and there are comof subordinate entries that a given entry may have. monly used models. Users passwords may be stored in
their entries or elsewhere. The server may refuse to perAttributes are the elements responsible for storing infor- form operations when it wishes, and impose various limmation in a directory, and the schema denes the rules its.
for which attributes may be used in an entry, the kinds Most parts of LDAP are extensible. Examples: One can
of values that those attributes may have, and how clients dene new operations. Controls may modify requests and
may interact with those values.
responses, e.g. to request sorted search results. New
Clients may learn about the schema elements that the search scopes and Bind methods can be dened. Atserver supports by retrieving an appropriate subschema tributes can have options that may modify their semansubentry.
tics.
12 References
[1] Network Working Group RFC 4511. IETF.org. 200606-01. Retrieved 2014-04-04.
[2] Directory Services LDAP.
2014-04-04.
Oracle.com.
Retrieved
10
Usage
11
See also
[13] http://www.linuxcommand.org/man_pages/ldapsearch1.
html
[14] SASL Mechanisms at IANA
[15] RFC4511: delete request
[16] Boreham Draft (numSubordinates)
[17] Modify Section of RFC4511
[18] Zeilenga, K.. Lightweight Directory Access Protocol
(LDAP) Read Entry Controls. IETF. RFC 4527. https:
//tools.ietf.org/html/rfc4527.
[19] INTERNET-DRAFT LDAP Transactions draft-zeilengaldap-txn-15.txt
[21] Tools.ietf.org
[22] Tools.ietf.org
14
[23] Tools.ietf.org
[24] Creating object classes and attributes. http://www.
yolinux.com. Retrieved 22 September 2014.
[25] Openldap.org
[26] SourceForge : Project Home
12.1
Notes
EXTERNAL LINKS
14 External links
Devshed.com, Understanding LDAP, A simple,
light introductory tutorial for LDAP.
Skills-1st.co.uk, LDAP schema design
Capitalhead.com, Troubleshooting LDAP SSL connection issues between Microsoft ILM/MIIS &
Novell eDirectory 8.7.3
Prasannatech.com, LDAP schema design - A Case
Study
13
Further reading
RFC 4514 - LDAP: String Representation of Distinguished Names (Obsoletes RFC 2253)
Donley, C (2002). LDAP Programming, Management, and Integration. Manning Publications. ISBN
1-930110-40-5.
14.1
RFCs
RFC 2849 - The LDAP Data Interchange Format LDAPv2 was specied in the following RFCs:
(LDIF)
RFC 1777 - Lightweight Directory Access Protocol
RFC 2891 - Server Side Sorting of Search Results
(replaced RFC 1487)
RFC 3045 - Storing Vendor Information in the
RFC 1778 - The String Representation of Standard
LDAP root DSE
Attribute Syntaxes (replaced RFC 1488)
RFC 3062 - LDAP Password Modify Extended Op RFC 1779 - A String Representation of Distineration
guished Names (replaced RFC 1485)
RFC 3296 - Named Subordinate References in
LDAP Directories
LDAPv2 was moved to historic status by the following
RFC:
RFC 3671 - Collective Attributes in LDAP
RFC 3672 - Subentries in LDAP
RFC 3673 - LDAPv3: All Operational Attributes
RFC 3687 - LDAP Component Matching Rules
RFC 3698 - LDAP: Additional Matching Rules
RFC 3829 - LDAP Authorization Identity Controls
RFC 3866 - Language Tags and Ranges in LDAP
RFC 3909 - LDAP Cancel Operation
RFC 3928 - LDAP Client Update Protocol
RFC 4370 - LDAP Proxied Authorization Control
RFC 4373 - LBURP
10
15
15
15.1
15.2
Images
15.3
Content license