LDAP (Lightweight Directory Access Protocol) is a protocol that enables organizations to arrange directory information in a hierarchy. Note that in this case, "directory" refers to a collection of information something like a telephone directory, not a collection of files in a folder on a disk drive.
An LDAP directory is, in essence, a database, usually with a hierarchical structure (although this is not a requirement). It offers performance advantages over conventional databases, and its operations are familiar to database users. LDAP supports a flat, or one-level, structure as readily as multiple levels. The illustration below shows a simplified tree of entries from the root level to the individual level.
The complexity and flexibility allowed in this structure are a key to LDAP's success. A directory's structure abstracts the structure of the organization it represents. Properly devising and maintaining this structure is the LDAP server administrator's responsibility. The type, quantity, and accessibility of the information for individual entries will obviously vary widely across organizations and their LDAP servers.
Following is a list of the common attributes:
Common LDAP Attributes

| Attribute | Name |
|---|---|
| c | country |
| st | state or province |
| l | locality |
| o | organization |
| ou | organizational unit |
| cn | common name |
| sn | surname |
Following is a brief description of the LDAP information structure.
The basic information object of LDAP is the entry. An entry is composed of attributes, each of which has a type defining what information can be contained in the attribute's values and what behaviors the attribute exhibits during processing. Entries are subject to content rules that specify their required and optional attributes. Content rules can be defined in the syntax or on the LDAP server.
A naming convention for LDAP entries ensures compliance with the protocol regardless of the complexity of directory trees. LDAP name syntax begins at the entry level and specifies each level up to the root. In other words, it proceeds from the individual to the global. The Distinguished Name of an entry locates it in the directory tree. Each Distinguished Name (DN) is made up of Relative Distinguished Names (RDNs), each of which contains one or more of the entry's attributes. As with file system pathnames and URLs, entering the correct LDAP name format is essential to successful search operations.
The search scope sets the limits of a search from the starting point of a query. The default is one level below the distinguished name specified in the Start attribute. If, for example, the Start attribute is "ou=support, o=allaire", the level below "support" is searched. You can optionally restrict a query to the level of the Start entry or extend it to the entire subtree.
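The DN syntax and search scopes just described, as an added Python example that is not part of the original page: it parses DNs into RDNs (entry first, root last), normalizes their spelling, and selects entries from a constructed sample tree using base, one-level or subtree scope relative to the start DN "ou=support, o=allaire". The entry names and the `parse_dn`/`search` helpers are assumptions for illustration, not a ColdFusion or LDAP server API.

```python
# Added example, not the page's code: DN parsing and the three search scopes over
# a constructed directory tree below the page's "ou=support, o=allaire" start DN.
import re

def parse_dn(dn):
    """Split a DN into (type, value) RDNs, entry first, root last. Attribute
    types are lowercased and whitespace after the comma separator is dropped.
    A backslash-escaped comma stays inside its value; multi-valued RDNs
    (a=1+b=2) and a value ending in an escaped backslash are not handled."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):      # split on unescaped commas only
        typ, eq, val = rdn.strip().partition("=")
        if not eq or not typ.strip() or not val.strip():
            raise ValueError("malformed RDN %r in DN %r" % (rdn, dn))
        out.append((typ.strip().lower(), val.strip()))
    return out

def normalize_dn(dn):
    """Canonical spelling: lowercase types, no spaces after separators."""
    return ",".join("%s=%s" % (t, v) for t, v in parse_dn(dn))

def search(entries, start, scope):
    """Select ENTRIES by SCOPE relative to START: 'base' (the start entry only),
    'onelevel' (its immediate children, the default described above) or
    'subtree' (start plus all descendants). Values compare case-insensitively,
    as they do for caseIgnore attributes such as cn, ou and o."""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError("unknown scope %r" % scope)
    base = [(t, v.lower()) for t, v in parse_dn(start)]
    hits = []
    for dn in entries:
        parts = [(t, v.lower()) for t, v in parse_dn(dn)]
        depth = len(parts) - len(base)            # 0 = start entry, 1 = child
        if depth < 0 or parts[depth:] != base:
            continue                              # not under the start DN
        if scope == "subtree" or depth == {"base": 0, "onelevel": 1}[scope]:
            hits.append(normalize_dn(dn))
    return hits

# Constructed sample tree (illustrative names, not real directory data).
TREE = ["o=allaire", "ou=support, o=allaire", "ou=sales, o=allaire",
        "cn=Jane Doe, ou=support, o=allaire",
        "cn=Smith\\, John, ou=support, o=allaire",
        "ou=tier2, ou=support, o=allaire",
        "cn=Al Bo, ou=tier2, ou=support, o=allaire"]

if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        print(scope, search(TREE, "OU=Support, o=allaire", scope))
```

A one-level search never returns the start entry itself, and a subtree search includes it; a malformed DN (an RDN without "=") is rejected rather than silently matching nothing.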
While not supported directly in the LDAP2 standard, the ability of an LDAP server to refer a client query to another server is an attractive feature and has been implemented in the Netscape and University of Michigan servers. ColdFusion developers need to be aware of the possibility of referrals when designing their query forms. You can pass the original login credentials to other servers that you may connect to when resolving a referral.
Extensions to the LDAP protocol are ongoing, and it is widely supported in the Internet community. Additional material on LDAP is available from these sources: