Protocol: LDAP ( Lightweight Directory Access Protocol )

LDAP ( Lightweight Directory Access Protocol )

Update: 2005-12-08 16:14:12 I have words to say about this protocol

On this page

SUMMARY
DESCRIPTION
EXAMPLES
PROTOCOL RELATIONS
GLOSSARY
REFERENCES
OTHER PROTOCOLS

SUMMARY
Protocol	:	Lightweight Directory Access Protocol
Protocol suite	:	TCP/IP
Layer	:	Session Layer
Type	:	Session layer directory service access protocol
Ports	:	389 (TCP)
Related protocols	:	IP, IPv6, TCP, X.500, DAP
URI	:	ldap:.
Working groups	:	Asid, Access, Searching and Indexing of Directories. Ldapbis, LDAP (v3) Revision. Ldapext, LDAP Extension. Ldup, LDAP Duplication/Replication/Update Protocols.

DESCRIPTION

The LDAP (Lightweight Directory Access Protocol) provides access to X.500 directories without using the DAP (Directory Access Protocol). It is used for simple management applications and browser applications that provide simple read/write interactive access to the X.500 directory and should complement the DAP. X.500 technology has proved to be highly popular, and therefore led to efforts to reduce the high cost of entry associated with it. Until now methods suggested were based on specific applications and, as such, were limited. The LDAP is also a directory protocol alternative, but it is not dependant on a particular application. As such it is intended to be simpler and less expensive than existing ones.

LDAP works by a client transmitting a request to a server. In the request the client specifies the operation to be performed. The server must then perform the required operation on the directory. After this, the server returns a response containing the results, or any errors.

Key aspects of LDAP version 3 are:

All protocol elements of LDAPv2 are supported.

The protocol is carried directly over TCP or other transport, bypassing much of the session/presentation overhead of X.500 DAP.

Most protocol data elements can be encoded as ordinary strings.

Referrals to other servers may be returned.

SASL mechanisms may be used with LDAP to provide association security services.

Attribute values and Distinguished Names have been internationalized through the use of the ISO 10646 character set.

The protocol can be extended to support new operations, and controls may be used to extend existing operations.

Schema is published in the directory for use by clients.

Model

Protocol Model
The general model adopted by this protocol is one of clients performing protocol operations against servers. In this model, a client transmits a protocol request describing the operation to be performed to a server. The server is then responsible for performing the necessary operation(s) in the directory. Upon completion of the operation(s), the server returns a response containing any results or errors to the requesting client.

In LDAP versions 1 and 2, no provision was made for protocol servers returning referrals to clients. However, for improved performance and distribution this version of the protocol permits servers to return to clients referrals to other servers. This allows servers to offload the work of contacting other servers to progress operations.

Note that the core protocol operations defined in this document can be mapped to a strict subset of the X.500(1997) directory abstract service, so it can be cleanly provided by the DAP. However there is not a one-to-one mapping between LDAP protocol operations and DAP operations: server implementations acting as a gateway to X.500 directories may need to make multiple DAP requests.

Data Model
The LDAP protocol assumes there are one or more servers which jointly provide access to a Directory Information Tree (DIT). The tree is made up of entries. Entries have names: one or more attribute values from the entry form its relative distinguished name (RDN), which MUST be unique among all its siblings. The concatenation of the relative distinguished names of the sequence of entries from a particular entry to an immediate subordinate of the root of the tree forms that entry's Distinguished Name (DN), which is unique in the tree.

An example of a Distinguished Name is CN=Steve Kille, O=Isode Limited, C=GB

Relationship to X.500
This document defines LDAP in terms of X.500 as an X.500 access mechanism. An LDAP server MUST act in accordance with the X.500(1993) series of ITU recommendations when providing the service. However, it is not required that an LDAP server make use of any X.500 protocols in providing this service, e.g. LDAP can be mapped onto any other directory system so long as the X.500 data and service model as used in LDAP is not violated in the LDAP interface.

Server-specific Data Requirements
An LDAP server MUST provide information about itself and other information that is specific to each server. This is represented as a group of attributes located in the root DSE (DSA-Specific Entry), which is named with the zero-length LDAPDN. These attributes are retrievable if a client performs a base object search of the root with filter "(objectClass=*)", however they are subject to access control restrictions. The root DSE MUST NOT be included if the client performs a subtree search starting from the root.

Elements of Protocol
The LDAP protocol is described using Abstract Syntax Notation 1 (ASN.1), and is typically transferred using a subset of ASN.1 Basic Encoding Rules. In order to support future extensions to this protocol, clients and servers must ignore elements of sequence encodings whose tags they do not recognize.

Note that unlike X.500, each change to the LDAP protocol other than through the extension mechanisms will have a different version number. A client will indicate the version it supports as part of the bind request. If a client has not sent a bind, the server must assume that version 3 is supported in the client (since version 2 required that the client bind first).

Clients may determine the protocol version a server supports by reading the supported LDAP Version attribute from the root DSE. Servers which implement version 3 or later versions must provide this attribute. Servers which only implement version 2 may not provide this attribute.

Common Elements
LDAPMessage envelope PDU (Protocol Data Unit) format, as well as data type definitions which are used in the protocol operations.

Bind Operation
The function of the Bind Operation is to allow authentication information to be exchanged between the client and server.
The Bind Request is defined as follows:

          BindRequest ::= [APPLICATION 0] SEQUENCE {

            version       INTEGER (1 .. 127),

            name        LDAPDN,

            authentication    AuthenticationChoice }



         AuthenticationChoice ::= CHOICE {

            simple      [0] OCTET STRING,

                     -- 1 and 2 reserved

            sasl        [3] SaslCredentials }



          SaslCredentials ::= SEQUENCE {

            mechanism     LDAPString,

            credentials     OCTET STRING OPTIONAL }

Unbind Operation
The function of the Unbind Operation is to terminate a protocol session. The Unbind Operation is defined as follows:
UnbindRequest ::= [APPLICATION 2] NULL

The Unbind Operation has no response defined. Upon transmission of an UnbindRequest, a protocol client may assume that the protocol session is terminated. Upon receipt of an UnbindRequest, a protocol server may assume that the requesting client has terminated the session and that all outstanding requests may be discarded, and may close theconnection.

Unsolicited Notification
An unsolicited notification is an LDAPMessage sent from the server to the client which is not in response to any LDAPMessage received by the server. It is used to signal an extraordinary condition in the server or in the connection between the client and the server. The notification is of an advisory nature, and the server will not expect any response to be returned from the client.

The unsolicited notification is structured as an LDAPMessage in which the messageID is 0 and protocolOp is of the extendedResp form. The responseName field of the ExtendedResponse is present. The LDAPOID value MUST be unique for this notification, and not be used in any other situation.

Search Operation
The Search Operation allows a client to request that a search be performed on its behalf by a server. This can be used to read attributes from a single entry, from entries immediately below a particular entry, or a whole subtree of entries.

Protocol Mechanisms

OID	Type	Description
1.2.826.0.1.3344810.2.3	control	Matched Values Control.
1.2.840.113556.1.4.473	control	Sort Request.
1.2.840.113556.1.4.474	control	Sort Response.
1.3.6.1.1.7.1	control	LCUP Sync Request Control.
1.3.6.1.1.7.2	control	LCUP Sync Update Control.
1.3.6.1.1.7.3	control	LCUP Sync Done Control.
1.3.6.1.1.8	extension	Cancel Operation.
1.3.6.1.4.1.1466.101.119.1	extension	Dynamic Refresh.
1.3.6.1.4.1.1466.20037	extension	Start TLS.
1.3.6.1.4.1.4203.1.5.1	feature	All Operational Attributes.
1.3.6.1.4.1.4203.1.5.4	feature	Language Tag Options.
1.3.6.1.4.1.4203.1.5.5	feature	Language Range Options.
1.3.6.1.4.1.4203.1.9.1.1	control	LDAP Content Synchronization Control.
1.3.6.1.4.1.4203.1.10.1	control	Subentries.
1.3.6.1.4.1.4203.1.11.1	extension	Modify Password.
1.3.6.1.4.1.4203.1.11.3	extension	Who am I?
2.16.840.1.113730.3.4.2	control	Manage Dsa IT.
2.16.840.1.113730.3.4.15	control	Authorization Identity Response Control.
2.16.840.1.113730.3.4.16	control	Authorization Identity Request Control.

Top of Page

EXAMPLES

Suppose the contacted server (hosta) holds the entry "O=MNN,C=WW" and the entry 

"CN=Manager, O=MNN,C=WW". It knows that either LDAP-capable servers (hostb) or 

(hostc) hold "OU=People, O=MNN, C=WW" (one is the master and the other server a 

shadow), and that LDAP-capable server (hostd) holds the subtree "OU=Roles, O=MNN,

C=WW". If a subtree search of "O=MNN,C=WW" is requested to the contacted server, it 

may return the following:



          SearchResultEntry for O=MNN,C=WW

          SearchResultEntry for CN=Manager,O=MNN,C=WW

          SearchResultReference {

            ldap://hostb/OU=People,O=MNN,C=WW

            ldap://hostc/OU=People,O=MNN,C=WW

          }

        SearchResultReference {

            ldap://hostd/OU=Roles,O=MNN,C=WW

          }

          SearchResultDone (success)



Client implementors should note that when following a SearchResultReference, additional 

SearchResultReference may be generated. Continuing the example, if the client contacted 

the server(hostb) and issued the search for the subtree "OU=People, O=MNN,C=WW", 

the server might respond as follows:



          SearchResultEntry for OU=People,O=MNN,C=WW

          SearchResultReference {

           ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW

          }

          SearchResultReference {

           ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW

          }

          SearchResultDone (success)



If the contacted server does not hold the base object for the search, then it will 

return a referral to the client.  For example, if the client requests a subtree 

search of "O=XYZ, C=US" to hosta, the server may return only a SearchResultDone 

containing a referral.



          SearchResultDone (referral) {

            ldap://hostg/

          }

Top of Page

PROTOCOL RELATIONS

■ Parent layer
■ Child layer

TCP/UDP
LDAP

Top of Page

GLOSSARY

ASN.1
ASN.1 (Abstract Syntax Notation One) is a language that defines the way data is sent across dissimilar communication systems. ASN.1 ensures that the data received is the same as the data transmitted by providing a common syntax for specifying Application layer (program-to-program communications) protocols.

Client
Clinet is a program which requests services of another program. It is a client part of a client-server architecture. Typically, a client is an application that runs on a personal computer or workstation and relies on a server to perform some operations. For example, an e-mail client is an application that enables you to send and receive e-mail.

DAP
DAP (Directory Access Protocol) is a directory protocol that defines the exchange of requests and outcomes between user and system. The protocol used in communications between a Directory User Agent (DUA) and a Directory System Agent (DSA).

ISO
ISO (International Organization for Standardization) is a network of the national standards institutes of 146 countries, on the basis of one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO has defined a number of important computer standards, the most significant of which is perhaps OSI (Open Systems Interconnection), a standardized architecture for designing networks.

LDAP
LDAP (Lightweight Directory Access Protocol) is a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access. Because it's a simpler version of X.500, LDAP is sometimes called X.500-lite.

Server
A computer or device on a network that manages network resources. For example, a file server is a computer and storage device dedicated to storing files. Any user on the network can store files on the server. A database server is a computer system that processes database queries. Servers are often dedicated, meaning that they perform no other tasks besides their server tasks. On multiprocessing operating systems, however, a single computer can execute several programs at once. A server in this case could refer to the program that is managing resources rather than the entire computer.

TCP
TCP (Transmission Control Protocol) is one of the main protocols in TCP/IP networks. TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

X.500
X500 is an ISO and ITU standard that defines how global directories should be structured. X.500 directories are hierarchical with different levels for each category of information, such as country, state, and city. X.500 supports X.400 systems.

Top of Page

REFERENCES

Related links:
                LDAP Directory Systems Names
                LDAP parameters
                OpenLDAP

RFCs:
[RFC 1823] The LDAP Application Program Interface.
[RFC 1959] An LDAP URL Format.
[RFC 1960] A String Representation of LDAP Search Filters.
                Obsoletes: RFC 1558.
[RFC 2164] Use of an X.500/LDAP directory to support MIXER address mapping.
                Obsoletes: RFC 1838.
[RFC 2247] Using Domains in LDAP/X.500 Distinguished Names.
[RFC 2251] Lightweight Directory Access Protocol (v3).
                Updated by: RFC 3771.
[RFC 2252] Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions.
[RFC 2253] Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.
                Obsoletes: RFC 1779.
[RFC 2254] The String Representation of LDAP Search Filters.
[RFC 2255] The LDAP URL Format.
                Defines URI scheme ldap:.
[RFC 2256] A Summary of the X.500(96) User Schema for use with LDAPv3.
[RFC 2307] An Approach for Using LDAP as a Network Information Service.
[RFC 2587] Internet X.509 Public Key Infrastructure LDAPv2 Schema.
[RFC 2589] Lightweight Directory Access Protocol (v3): Extensions for Dynamic Directory Services.
                Defines LDAP Protocol Mechanism 1.3.6.1.4.1.1466.101.119.1 (Dynamic Refresh).
[RFC 2649] An LDAP Control and Schema for Holding Operation Signatures.
[RFC 2657] LDAPv2 Client vs. the Index Mesh.
[RFC 2696] LDAP Control Extension for Simple Paged Results Manipulation.
[RFC 2713] Schema for Representing Java(tm) Objects in an LDAP Directory.
[RFC 2714] Schema for Representing CORBA Object References in an LDAP Directory.
[RFC 2739] Calendar Attributes for vCard and LDAP.
[RFC 2798] Definition of the inetOrgPerson LDAP Object Class.
                Updated by: RFC 3698.
[RFC 2820] Access Control Requirements for LDAP.
[RFC 2829] Authentication Methods for LDAP.
[RFC 2830] Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security.
                Defines LDAP Protocol Mechanism 1.3.6.1.4.1.1466.20037 ( Start TLS).
[RFC 2849] The LDAP Data Interchange Format (LDIF) - Technical Specification.
[RFC 2891] LDAP Control Extension for Server Side Sorting of Search Results.
                Defines LDAP Protocol Mechanism 1.2.840.113556.1.4.473 (Sort Request) and 1.2.840.113556.1.4.474 (Sort Response).
[RFC 2926] Conversion of LDAP Schemas to and from SLP Templates.
[RFC 2927] MIME Directory Profile for LDAP Schema.
[RFC 3045] Storing Vendor Information in the LDAP root DSE.
[RFC 3062] LDAP Password Modify Extended Operation.
                Defines LDAP Protocol Mechanism 1.3.6.1.4.1.4203.1.11.1 ( Modify Password).
[RFC 3088] OpenLDAP Root Service, An experimental LDAP referral service.
[RFC 3112] LDAP Authentication Password Schema.
[RFC 3296] Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories.
                Defines LDAP Protocol Mechanism 2.16.840.1.113730.3.4.2 (ManageDsaIT).
[RFC 3377] Lightweight Directory Access Protocol (v3): Technical Specification.
[RFC 3383] Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP).
[RFC 3384] Lightweight Directory Access Protocol (version 3) Replication Requirements.
[RFC 3494] Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status.
                Obsoletes: RFC 1484, RFC 1485, RFC 1487, RFC 1488, RFC 1777, RFC 1778, RFC 1779, RFC 1781, RFC 2559.
[RFC 3663] Domain Administrative Data in Lightweight Directory Access Protocol (LDAP).
[RFC 3671] Collective Attributes in the Lightweight Directory Access Protocol (LDAP).
[RFC 3672] Subentries in the Lightweight Directory Access Protocol (LDAP).
                Defines LDAP Protocol Mechanism 1.3.6.1.4.1.4203.1.10.1 (Subentries).
[RFC 3673] Lightweight Directory Access Protocol version 3 (LDAPv3): All Operational Attributes.
                Defines LDAP Protocol Mechanism 1.3.6.1.4.1.4203.1.5.1 (All Operational Attributes).
[RFC 3674] Feature Discovery in Lightweight Directory Access Protocol (LDAP).
[RFC 3687] Lightweight Directory Access Protocol (LDAP) and X.500 Component Matching Rules.
[RFC 3698] Lightweight Directory Access Protocol (LDAP): Additional Matching Rules.
                Updates: RFC 2798.
[RFC 3703] Policy Core Lightweight Directory Access Protocol (LDAP) Schema.
                Updated by: RFC 4104.
                Defines SNMP MIB iso.org.dod.internet.directory.pcimSchema (1.3.6.1.1.6).
[RFC 3712] Lightweight Directory Access Protocol (LDAP): Schema for Printer Services.
[RFC 3727] ASN.1 Module Definition for the LDAP and X.500 Component Matching Rules.
[RFC 3771] The Lightweight Directory Access Protocol (LDAP) Intermediate Response Message.
                Updates: RFC 2251.
[RFC 3829] Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls.
                Defines LDAP Protocol Mechanism 2.16.840.1.113730.3.4.15 (Authorization Identity Response Control) and 2.16.840.1.113730.3.4.16 (Authorization Identity Request Control).
[RFC 3866] Language Tags and Ranges in the Lightweight Directory Access Protocol (LDAP).
                Defines LDAP Protocol Mechanism 1.3.6.1.4.1.4203.1.5.4 (Language Tag Options) and 1.3.6.1.4.1.4203.1.5.5 (Language Range Options).
                Obsoletes: RFC 2596.
[RFC 3876] Returning Matched Values with the Lightweight Directory Access Protocol version 3 (LDAPv3).
                Defines LDAP Protocol Mechanism 1.2.826.0.1.3344810.2.3 (Matched Values Control).
[RFC 3909] Lightweight Directory Access Protocol (LDAP) Cancel Operation.
                Defines LDAP Protocol Mechanism 1.3.6.1.1.8 (Cancel Operation).
[RFC 3928] Lightweight Directory Access Protocol (LDAP) Client Update Protocol (LCUP).
                Defines LDAP Protocol Mechanism 1.3.6.1.1.7.1 (LCUP Sync Request Control).
                Defines LDAP Protocol Mechanism 1.3.6.1.1.7.2 (LCUP Sync Update Control).
                Defines LDAP Protocol Mechanism 1.3.6.1.1.7.3 (LCUP Sync Done Control).
                Defines LDAP result codes 113 to 117.
[RFC 3944] H.350 Directory Services.
[RFC 4104] Policy Core Extension Lightweight Directory Access Protocol Schema (PCELS).
                Defines SNMP MIB iso.org.dod.internet.directory.pcelsSchema (1.3.6.1.1.9).
                Updates: RFC 3703.

Obsolete RFCs:
[RFC 1487] X.500 Lightweight Directory Access Protocol.
                Obsoleted by: RFC 1777, RFC 3494.
[RFC 1488] The X.500 String Representation of Standard Attribute Syntaxes.
                Obsoleted by: RFC 1778.
[RFC 1558] A String Representation of LDAP Search Filters.
                Obsoleted by: RFC 1960.
[RFC 1777] Lightweight Directory Access Protocol.
                Obsoleted by: RFC 3494.
                Obsoletes: RFC 1487.
[RFC 1778] The String Representation of Standard Attribute Syntaxes.
                Obsoleted by: RFC 3494.
                Updated by: RFC 2559.
                Obsoletes: RFC 1488.
[RFC 1779] A String Representation of Distinguished Names.
                Obsoleted by: RFC 2253, RFC 3494.
                Obsoletes: RFC 1485.
[RFC 1838] Use of the X.500 Directory to support mapping between X.400 and RFC 822 Addresses.
                Obsoleted by: RFC 2164.
[RFC 2559] Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2.
                Obsoleted by: RFC 3494.
                Updates: RFC 1778.
[RFC 2596] Use of Language Codes in LDAP.
                Obsoleted by: RFC 3866.
                Describes how language codes are carried in LDAP and are to be interpreted by LDAP servers.

Publications:
[ISBN 1578700000] LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol.
[ISBN 1578700701] Understanding And Deploying LDAP Directory Services.

Top of Page

OTHER PROTOCOLS OF TCP/IP SUITE