LDAP stands for Lightweight Directory Access Protocol. It is a lightweight client-server protocol for accessing directory services. It runs over TCP/IP or other connection-oriented transport services.
A directory is similar to a database, but it contains more descriptive, attribute-based information. It has some distinguishing features:
- Read much more often than it is written.
- Directories are tuned to give quick response to high volume look up or search operations.
- Have the ability to replicate information widely in order to increase availability and reliability.
LDAP directory service is based on a client-server model. One or more LDAP servers contain the data making up the LDAP directory tree or LDAP backend database. An LDAP client connects to an LDAP server and asks it a question. The server responds with the answer, or with a pointer to where the client can get more information (typically, another LDAP server). No matter which LDAP server a client connects to, it sees the same view of the directory; a name presented to one LDAP server references the same entry it would at another LDAP server. This is an important feature of a global directory service like LDAP.
The protocol provides an interface to directories that follow the X.500 model:
- An entry consists of a set of attributes.
- An attribute has a name (an attribute type or attribute description) and one or more values. Attributes are defined in a schema.
- Each entry has a unique identifier, its Distinguished Name (DN). This consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry's DN.
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
manager: cn=Barbara Doe,dc=example,dc=com
"dn" is the distinguished name of the entry; it is neither an attribute nor a part of the entry. "cn=John Doe" is the entry's RDN (Relative Distinguished Name), and "dc=example,dc=com" is the DN of the parent entry, where "dc" denotes 'Domain Component'. The other lines show the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for domain component, "mail" for e-mail address, and "sn" for surname.
A server holds a subtree starting from a specific entry, e.g. "dc=example,dc=com" and its children. Servers may also hold references to other servers, so an attempt to access "ou=department,dc=example,dc=com" could return a referral or continuation reference to a server that holds that part of the directory tree. The client can then contact the other server. Some servers also support chaining, which means the server contacts the other server itself and returns the results to the client.
LDAP rarely defines any ordering: the server may return the values of an attribute, the attributes in an entry, and the entries found by a search operation in any order. This follows from the formal definitions: an entry is defined as a set of attributes, an attribute is a set of values, and sets need not be ordered.
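As an added example (not part of these notes), the following Python parses the entry shown above, splits its DN into RDN and parent DN, and stores attribute values as sets to reflect the lack of ordering. It goes slightly beyond the text by honouring backslash-escaped commas inside an RDN value, and it assumes a minimal "attr: value" layout (no base64 "::" values or continuation lines).

```python
# Constructed sample entry, the same one the notes show above.
SAMPLE_ENTRY = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
manager: cn=Barbara Doe,dc=example,dc=com
"""

def split_dn(dn: str) -> list[str]:
    """Split a DN on unescaped commas. A backslash escapes the next
    character (RFC 4514), so a comma inside an RDN value is kept."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts

def rdn_and_parent(dn: str) -> tuple[str, str]:
    """Return (RDN, parent DN); the parent is '' for a root entry."""
    parts = split_dn(dn)
    return parts[0], ",".join(parts[1:])

def parse_entry(text: str) -> tuple[str, dict[str, set[str]]]:
    """Parse one 'attr: value' block. 'dn' is returned separately since it
    is not an attribute; other attributes map to an unordered set of values."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, set()).add(value)
    if dn is None:
        raise ValueError("entry has no dn line")
    return dn, attrs
```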