Introduction to LDAP Protocol

LDAP (Lightweight Directory Access Protocol) is a network-based protocol used by many vendors' systems to provide directory services.


A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA). The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order. 

The client may request the following operations:

Operation                         Description
StartTLS                          Use the Transport Layer Security (TLS) extension for a secure connection
Bind                              Authenticate and specify the LDAP protocol version
Search                            Search for and/or retrieve directory entries
Compare                           Test whether a named entry contains a given attribute value
Add                               Add a new entry
Delete                            Delete an entry
Modify                            Modify an entry
Modify Distinguished Name (DN)    Move or rename an entry
Abandon                           Abort a previous request
Extended Operation                Generic operation used to define other operations
Unbind                            Close the connection (not the inverse of "Bind")


Directory structure:

The protocol provides an interface to directories, which are structured as follows:

  • An entry consists of a set of attributes.
  • An attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema (see below).
  • Each entry has a unique identifier: its Distinguished Name (DN). This consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry's DN. Think of the DN as the full file path and the RDN as its relative filename in its parent folder.

A DN may change over the lifetime of the entry, for instance, when entries are moved within a tree.


"dn" is the Distinguished Name of the entry. As described above, it is composed of "cn=Jan Jansen", the entry's RDN, followed by "dc=example,dc=com", the DN of the parent entry. The DN itself is not considered an attribute of the entry.
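The DN/RDN split described above, as an added example (this is not code from the original article): a small RFC 4514-style DN parser in Python that separates the leaf RDN from the parent DN, keeps backslash-escaped separators inside values, and rejects malformed components. The DN "cn=Jan Jansen,dc=example,dc=com" comes from the text; the escaped-comma DN is a constructed input.

```python
from typing import List, Tuple

# DN of the article's example entry (used as sample input)
EXAMPLE_DN = "cn=Jan Jansen,dc=example,dc=com"


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, but never on a sep preceded by a backslash (RFC 4514 escape).

    A naive s.split(",") would turn a value such as "Jansen\\, Jan" into an
    extra parent component, so a DN must be parsed this way before it is used
    in any access decision or lookup.
    """
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape pair intact, e.g. "\,"
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Return the DN as a list of RDNs, leaf first; each RDN is a list of (type, value).

    Attribute types are case-insensitive in LDAP, so they are lower-cased.
    A component without '=' is rejected rather than silently treated as a value.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):  # '+' joins a multi-valued RDN
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr_type, value = ava.split("=", 1)
            avas.append((attr_type.strip().lower(), value.strip()))
        rdns.append(avas)
    return rdns


def split_rdn_and_parent(dn: str) -> Tuple[str, str]:
    """Return (RDN, parent DN) as strings: the 'filename' and its 'folder'."""
    rdns = parse_dn(dn)

    def fmt(rdn: List[Tuple[str, str]]) -> str:
        return "+".join(f"{t}={v}" for t, v in rdn)

    return fmt(rdns[0]), ",".join(fmt(r) for r in rdns[1:])
```

Running `split_rdn_and_parent(EXAMPLE_DN)` yields `('cn=Jan Jansen', 'dc=example,dc=com')`, while `"cn=Jansen\\, Jan,dc=example,dc=com"` keeps the escaped comma inside the RDN instead of producing a bogus parent component.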

Mnemonic string    Attribute
dc                 Domain Component
cn                 Common Name
sn                 Surname