Introduction to LDAP Protocol
LDAP (Lightweight Directory Access Protocol) is a network based protocol used by various suppliers of systems to provide directory services
LDAP Session
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA). The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order.
The client may request the following operations:
Operation | Description |
|---|---|
StartTLS | Use Transport Layer Security (TLS) extension for a secure connection |
Bind | Authenticate and specify LDAP protocol version |
Search | Search for and/or retrieve directory entries |
Compare | Test if a named entry contains a given attribute value |
Add | Add a new entry |
Delete | Delete an entry |
Modify | Modify an entry |
Modify Distinguished Name (DN) | Move or rename an entry |
Abandon | Abort a previous request |
Extended Operation | Generic operation used to define other operations |
Unbind | Close the connection (Not the inverse of "Bind") |
Directory structure:
The protocol provides an interface with directories:
An entry consists of a set of attributes.
An attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema (see below).
Each entry has a unique identifier: its Distinguished Name (DN). This consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry's DN. Think of the DN as the full file path and the RDN as its relative filename in its parent folder.
A DN may change over the lifetime of the entry, for instance, when entries are moved within a tree.
"dn" is the Distinguished Name of the entry, and as said above it's composed of "cn=Jan Jansen", the entry's RDN and "dc=example,dc=com" is the DN of the parent entry, it is not considered as an attribute.
Mnemonic string | Attribute |
|---|---|
dc | Domain Component |
cn | Common Name |
sn | Surname |