Specifications
Security Options 77
Chapter 5
LDAP
LDAP (Lightweight Directory Access Protocol) is a lightweight protocol for
accessing directory services. A directory is a specialized database optimized
for searching, reading and browsing. Directories tend to contain descriptive,
attribute-based information. LDAP is specifically geared towards X.500-based
directory services and runs over TCP/IP.
LDAP Background
The LDAP information model is based on entries, where an entry is a
collection of attributes. An attribute has a type and one or more values. A
type is typically a mnemonic string, for example, “cn” for Common Name, or
“mail” for Email Address. The syntax of an attribute’s value depends on the
type of the attribute. It can be a string, for example, the value “John Doe” for
“cn”, or a binary value in JPEG format for an attribute such as “jpegPhoto”.
LDAP allows the administrator to control the attributes in an entry through the
use of a special attribute called objectClass. An objectClass defines the
attributes an entry may hold and specifies which of them are required and
which are optional. In addition to the attributes that comprise an entry,
protection and privacy mechanisms for an entry can be specified in LDAP.
Access rights for performing read, write and search operations on the entry
can be defined for each entry.
In LDAP, the directory entries are organized in a hierarchical tree-like structure.
Traditionally, this structure reflects geographic and/or organizational
boundaries. For example, entries representing countries appear at the top of
the tree. Below them are entries representing states and national
organizations. Below them may be entries representing organizational units,
people, printers, documents, etc. An example LDAP directory for an
organization is shown below.
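The information model described above (entries made of attributes, objectClass deciding which attributes are required or optional, and the tree built from DNs), as an added Python example that is not part of this manual or its product: SCHEMA is a constructed subset of the real LDAP schema, SAMPLE_LDIF is a constructed sample, and the function names (parse_ldif, check_entry, audit) are hypothetical.

```python
# Added example (not from the manual); SCHEMA is a constructed subset of the LDAP schema.
SCHEMA = {  # objectClass -> (required attributes, optional attributes)
    "organization": ({"o"}, {"description"}),
    "organizationalUnit": ({"ou"}, {"description"}),
    "inetOrgPerson": ({"cn", "sn"}, {"mail", "uid", "jpegPhoto"}),
}
# Constructed sample: the person entry lacks 'sn' and carries an attribute no class allows.
SAMPLE_LDIF = """\
dn: o=Example Corp,c=US
objectClass: organization
o: Example Corp

dn: ou=People,o=Example Corp,c=US
objectClass: organizationalUnit
ou: People

dn: cn=John Doe,ou=People,o=Example Corp,c=US
objectClass: inetOrgPerson
cn: John Doe
mail: jdoe@example.com
telephoneNumber: 555-0100
"""
def parse_ldif(text):  # -> list of {attribute: [values]}; no base64 '::' or line folding
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
        elif cur:  # a blank line ends the current entry
            entries.append(cur)
            cur = {}
    return entries
def check_entry(entry):  # -> list of schema violations; empty means the entry is clean
    required, allowed, problems = set(), {"dn", "objectClass"}, []
    for oc in entry.get("objectClass", []):
        if oc not in SCHEMA:
            problems.append(f"unknown objectClass {oc}")
            continue
        required |= SCHEMA[oc][0]
        allowed |= SCHEMA[oc][0] | SCHEMA[oc][1]
    problems += [f"missing required attribute {a}" for a in sorted(required - set(entry))]
    problems += [f"attribute {a} not permitted by objectClass" for a in sorted(set(entry) - allowed)]
    return problems
def audit(ldif_text):  # -> (violations per DN, parent DN -> child DNs, i.e. the tree)
    entries = parse_ldif(ldif_text)
    violations = {e["dn"][0]: check_entry(e) for e in entries}
    tree = {}
    for e in entries:  # parent DN is everything after the first RDN (escaped commas not handled)
        tree.setdefault(e["dn"][0].partition(",")[2], []).append(e["dn"][0])
    return violations, tree
```

Running `audit(SAMPLE_LDIF)` reports the missing `sn` and the stray `telephoneNumber` on the person entry and returns the three-level tree rooted under `c=US`.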