The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying data of directory services implemented in Internet Protocol (IP) networks.
A directory is a set of objects with attributes organized logically in a hierarchical manner. A simple example is the telephone directory, which consists of a list of names (of either persons or organizations) organized alphabetically, with each name having an address and phone number associated with it.
A directory information tree often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain Name System (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else that represents a given tree entry (or multiple entries).
The latest version of LDAP is Version 3, which is specified in a series of Internet Engineering Task Force (IETF) Standard Track Requests for comments (RFCs) as detailed in RFC 4510
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default onTCP port 389. The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order.
The client may request the following operations:
§ Start TLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
§ Bind — authenticate and specify LDAP protocol version
§ Search — search for and/or retrieve directory entries
§ Compare — test if a named entry contains a given attribute value
§ Add a new entry
§ Delete an entry
§ Modify an entry
§ Modify Distinguished Name (DN) — move or rename an entry
§ Abandon — abort a previous request
§ Extended Operation — generic operation used to define other operations
§ Unbind — close the connection (not the inverse of Bind)
In addition the server may send "Unsolicited Notifications" that are not responses to any request, e.g. before it times out a connection.
A common alternate method of securing LDAP communication is using an SSL tunnel. This is denoted in LDAP URLs by using the URL scheme "ldaps". The default port for LDAP over SSL is 636. The use of LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003.
LDAP is defined in terms of ASN.1, and protocol messages are encoded in the binary format BER. It uses textual representations for a number of ASN.1 fields/types, however.
Directory structure
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top