Introduction to LDAP

Table of Contents

1. What is LDAP?
2. What good is LDAP?
3. Schemas
4. Using LDAP in your shtuff
5. OpenSource Projects
6. Other OS Projects
7. Resources

LDAP stands for "Lightweight Directory Access Protocol". It is a
lightweight alternative to the X.500 Directory Access Protocol (DAP)
that runs directly over TCP/IP instead of the full OSI protocol stack.

Note: X.500 is the ITU-T/ISO directory standard; DAP is the protocol
X.500 clients use to talk to the directory. LDAP keeps the X.500 data
model but drops most of DAP's complexity.

A Directory is a specialized database that usually has these properties:

  • designed for reading far more often than writing
  • holds relatively static data
  • supports simple updates, with no multi-operation transactions

A Directory Service adds a network protocol used to access the
directory, on top of the above. We’ve all used a directory service in
the past day: DNS!

LDAP version 2 is defined by RFC 1777 (
LDAP version 3, the version deployed today, is defined by RFC 2251,
since revised as RFC 4510 through 4519. Some common points of the
standard are:

  • a network protocol for accessing information in the directory
  • an information model defining the form and character of the
    information held
  • a namespace defining how information is referenced and organized
  • an emerging distributed operation model defining how data may be
    distributed and referenced
  • designed-in extensibility

2. What good is LDAP?

A Directory holds information. It doesn't matter what type: text,
photos, URLs, pointers to whatever, binary data, public key
certificates, etc. (Note that the particular LDAP server you use may
impose limits on attribute syntaxes and sizes.)

There are different contexts for a Directory (and Directory Service).

  • LOCAL – only for a subset of machines/users/etc.
  • GLOBAL – can be accessed by anyone

LDAP is a vendor-independent, platform-independent protocol, which makes
interconnection easy (the Internet, for instance). For the same reason,
translating from LDAP to another protocol/system is equally easy.

Currently existing gateways:

  • LDAP to X.500 (and vice versa)
  • HTTP to LDAP
  • WHOIS++ to LDAP
  • E-mail to LDAP
  • ODBC to LDAP
  • and more!!!

Concrete example:
Address books usually use LDAP to keep the book on a centralized
server and pull down entries when they are requested. Netscape
Communicator uses this model. (Microsoft Exchange/Outlook does
something similar, though with Microsoft's own extensions to the
protocol.)

When the user opens the address book, the client sends a search
request to the LDAP server. The server returns each matching entry in
a standard form: on the wire as BER-encoded ASN.1, and in text as LDIF
(RFC 2849), one attribute per line, rather than anything XML-like.
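To make the "standard format" concrete, here is a small parser and writer for LDIF, the text form in which LDAP entries are exchanged. This is an added example, not code from the original page or from any of the products it mentions; the sample entries are constructed, and the parser covers only the parts of RFC 2849 needed to read entries (folded lines, base64 values, comments), not change records or URL-valued attributes.

```python
"""Parse and emit LDIF, the text form in which LDAP entries are exchanged.

Added example (not code from the original page). RFC 2849 defines LDIF;
the sample below is constructed. A line beginning with one space
continues the previous line, and "attr:: value" carries base64 so that
binary or non-ASCII values survive unchanged.
"""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample: a folded description and a base64-encoded UTF-8 name.
SAMPLE_LDIF = """\
dn: cn=Jane Doe,ou=People,o=Example,c=US
objectClass: person
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
mail: jane@example.com
description: A long attribute value can be folded onto the
  next line by starting it with one space

dn: cn=Zoe Müller,ou=People,o=Example,c=US
objectClass: person
cn:: Wm9lIE3DvGxsZXI=
sn:: TcO8bGxlcg==
"""


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per entry, attribute name -> list of values."""
    lines: List[str] = []
    for raw in text.splitlines():              # 1. unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:                  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        if name == "version" and not current:  # optional "version: 1" header
            continue
        if value.startswith(":"):              # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):            # "attr:< file:///..." not fetched
            raise ValueError("URL-valued attributes are not supported here")
        else:
            value = value.lstrip()
        current.setdefault(name, []).append(value)
    return entries


def _needs_base64(value: str) -> bool:
    """Values LDIF cannot carry in plain form (RFC 2849 SAFE-STRING rules)."""
    return (value == "" or value[0] in " :<" or value[-1] == " "
            or any(ord(c) < 32 or ord(c) > 126 for c in value))


def to_ldif(entries: List[Entry]) -> str:
    """Serialize entries; the first key of each dict is expected to be "dn"."""
    out: List[str] = []
    for entry in entries:
        for name, values in entry.items():
            for v in values:
                if _needs_base64(v):
                    enc = base64.b64encode(v.encode("utf-8")).decode("ascii")
                    out.append(f"{name}:: {enc}")
                else:
                    out.append(f"{name}: {v}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0], "->", entry["cn"][0])
```

Note that the reader does not trust attribute names or values: a value that starts with a space, colon or angle bracket, or that contains bytes outside printable ASCII, must go out base64-encoded, otherwise the next parser in the chain will read it differently from the way it was written.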

3. Schemas

The Directory is actually a distributed, tree-like structure (the
directory information tree, or DIT). Every entry in the directory has a
distinguished name (DN) which uniquely identifies that entry. The DN is
built by concatenating the entry's own relative distinguished name (RDN)
with the RDNs of its ancestors up the tree, most specific first, for
example cn=Jane Doe,ou=People,o=Example,c=US.

If you notice, the RDNs are all of the form <attribute>=<value>. The
shape of the tree is described by the following grammar (read it like
a CFG). Strictly speaking this is the DIT structure; the LDAP schema
proper is the set of attribute types and object classes that say which
attributes an entry of a given kind may hold.

root := root country
      | root locality
      | root organization
      | (epsilon).

country := locality
         | organization.

locality := organizational_unit.

organization := organizational_unit.

organizational_unit := organizational_unit container
                     | (epsilon).

[Here a container is the leaf object, holding extremely specific]
[data, like a person's name, a department's budget, etc.]
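The following is an added example, not code from the original page, showing the DN rules above in working form: building a DN from a chain of RDNs with the escaping RFC 4514 requires, parsing one back into (attribute, value) pairs, and checking whether an entry sits inside a subtree. All the names and values are constructed for illustration. The subtree check matters in practice because access decisions are often made "for everything under ou=People", and a plain string suffix comparison gets that wrong on case differences and on values that contain escaped separators.

```python
"""RFC 4514 distinguished names: build, parse, and compare by RDN.

Added example (not code from the original page). Every DN and value here
is constructed for illustration. The entry's own RDN comes first, then
the RDNs of its ancestors, so "cn=Jane,ou=People,o=Example,c=US" is the
entry cn=Jane under ou=People, under o=Example, under c=US.
"""
from typing import List, Tuple

RDN = Tuple[str, str]

# Characters that must be backslash-escaped inside a DN value (RFC 4514 2.4).
_SPECIAL = set('"+,;<>\\')


def escape_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN string."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")                       # NUL only as a hex pair
        elif ch == "#" and i == 0:
            out.append("\\#")                        # leading '#' means hex form
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                        # leading/trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[RDN]) -> str:
    """Join (type, value) pairs, most specific first, into a DN string."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in rdns)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, undoing the escapes above.

    Handles backslash escapes and \\XX hex pairs for single ASCII bytes;
    multi-valued RDNs (joined with '+') are not supported."""
    rdns: List[RDN] = []
    buf: List[str] = []
    rtype, in_value, i = "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and in_value and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in " #":
                buf.append(nxt)
                i += 2
            else:                                    # \XX hex escape
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if ch == "=" and not in_value:
            rtype, in_value = "".join(buf).strip(), True
            buf = []
        elif ch == "," and in_value:
            rdns.append((rtype, "".join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if in_value:
        rdns.append((rtype, "".join(buf)))
    return rdns


def parent_dn(dn: str) -> str:
    """The DN of the entry's parent: drop the leading RDN."""
    return build_dn(parse_dn(dn)[1:])


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn lies strictly inside the subtree rooted at base_dn.

    Compares RDN by RDN on parsed, unescaped values with attribute types
    case-folded. Types are case-insensitive; whether a value is depends on
    that attribute's matching rule in the schema, so values are compared
    as written. A plain endswith() on the strings breaks on type case and
    on escaped separators inside values."""
    entry = [(t.lower(), v) for t, v in parse_dn(entry_dn)]
    base = [(t.lower(), v) for t, v in parse_dn(base_dn)]
    return len(entry) > len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    dn = build_dn([("cn", "Doe, Jane"), ("ou", "People"),
                   ("o", "Example"), ("c", "US")])
    print(dn)                                         # comma in the value is escaped
    print(parse_dn(dn))
    print(parent_dn(dn))
    print(is_under(dn, "OU=People,O=Example,C=US"))   # True despite the case
```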

A really good reference for learning about schemas for use in LDAP can
be found at:

4. Using LDAP in your shtuff

There is no single "way" to use LDAP. It's more of a methodology:

Each language usually has its own bindings to the protocol.

C has a whole API suite (the original C API is described in RFC 1823;
OpenLDAP's libldap follows it).

Java uses the Java Naming and Directory Interface (JNDI).

Whatever the binding, two rules carry over: escape anything user-supplied
before it goes into a DN or a search filter (RFC 4514 and RFC 4515 give
the escaping rules), and bind over a TLS-protected connection (ldaps:// or
StartTLS), since a simple bind otherwise sends the password in the clear.

A good step-by-step HOWTO can be found in Chapter 4 of IBM's Redbook: It uses
the C API to walk through accessing an LDAP server.
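What "escape before it goes into a search filter" means in practice, as an added example that is not code from the original page, the Redbook, or any LDAP library: a vulnerable lookup that concatenates the username into the filter, the same lookup with RFC 4515 escaping, and a small filter parser/evaluator run over a constructed in-memory directory so the difference is visible without a server. The directory entries, the attacker inputs and the filter template are all assumptions made for the demonstration.

```python
"""LDAP search filters: string concatenation vs RFC 4515 escaping.

Added example, not code from the original page. The tiny in-memory
directory, the login lookup and the attacker inputs are all constructed
for illustration; no server is contacted. The point is which filter
string would reach the server, and what it would match.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed directory: two people and one device.
DIRECTORY: List[Tuple[str, Entry]] = [
    ("uid=jane,ou=People,o=Example", {"objectclass": ["person"], "uid": ["jane"]}),
    ("uid=admin,ou=People,o=Example", {"objectclass": ["person"], "uid": ["admin"]}),
    ("cn=printer1,ou=Devices,o=Example", {"objectclass": ["device"], "cn": ["printer1"]}),
]


def filter_naive(username: str) -> str:
    """Vulnerable: the caller's string is pasted straight into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a filter assertion (RFC 4515 section 3).

    The characters with meaning inside a filter become \\XX hex escapes, so
    nothing the caller supplies can close the assertion, add a wildcard,
    or open a new one."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def filter_safe(username: str) -> str:
    """Same lookup with the user-controlled part escaped."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


# --- a minimal filter parser/evaluator, enough to show what each string does ---

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")" or not kids:
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)                   # ValueError if the ')' is missing
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def parse_filter(s: str):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError(f"trailing data after filter: {s[i:]!r}")
    return node


def is_valid_filter(s: str) -> bool:
    """Whether a server would accept the filter string at all."""
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False


def matches(node, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                                   # presence test
        return bool(values)
    # An unescaped '*' is a substring wildcard; everything else is literal
    # once the \XX escapes are undone (uid compares case-insensitively).
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def search(filter_str: str) -> List[str]:
    """DNs of the constructed entries the filter would return."""
    node = parse_filter(filter_str)
    return [dn for dn, entry in DIRECTORY if matches(node, entry)]


if __name__ == "__main__":
    print(search(filter_naive("jane")))   # just Jane
    print(search(filter_naive("*")))      # every person: an injected wildcard
    print(search(filter_safe("*")))       # nobody has the literal uid "*"
```

The evaluator is deliberately small (equality, substring and presence assertions with and/or/not); real servers also support approximate, ordering and extensible matches, but the escaping rule is the same for all of them. A malformed injection attempt such as a username containing extra parentheses is rejected by the parser, while a bare "*" is perfectly well-formed, which is why input validation alone does not replace escaping.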

5. OpenSource Projects

OpenLDAP is perhaps the best known, partly because of its name. The
project consists of a stand-alone LDAP server (slapd), a replication
server (slurpd), client libraries (libldap) and command-line tools such
as ldapsearch, ldapadd and ldapmodify. The latest version is 2.1.8 as
of this writing.

Installing and using OpenLDAP is fairly straightforward. There is a
great online/HTML HOW-TO available from OpenLDAP's site:

6. Other OS Projects

7. Resources