Introduction to OpenLDAP

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.

The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying an X.500-based directory service running over TCP/IP. The current LDAP version is LDAPv3, as defined in RFC 4510, and the implementation used in Ubuntu is OpenLDAP.

The LDAP protocol accesses directories. It’s common to refer to a directory as an LDAP directory or LDAP database as a shorthand – although technically incorrect, this shorthand is so widely used
that it’s understood as such.

Key concepts and terms

  • A directory is a tree of data entries that is hierarchical in nature; it is called the Directory Information Tree (DIT).

  • An entry consists of a set of attributes.

  • An attribute has a key (a name or description) and one or more values. Every attribute must be defined in at least one objectClass.

  • Attributes and objectClasses are defined in schemas (an objectClass is considered a special kind of attribute).

  • Each entry has a unique identifier: its Distinguished Name (DN or dn). This, in turn, consists of a Relative Distinguished Name (RDN) followed by the parent entry’s DN.

  • The entry’s DN is not an attribute. It is not considered part of the entry itself.

Note:
The terms object, container, and node have certain connotations but they all essentially mean the same thing as entry (the technically correct term).

For example, below we have a single entry consisting of 11 attributes where the following is true:

  • DN is cn=John Doe,dc=example,dc=com

  • RDN is cn=John Doe

  • parent DN is dc=example,dc=com

 dn: cn=John Doe,dc=example,dc=com
 cn: John Doe
 givenName: John
 sn: Doe
 telephoneNumber: +1 888 555 6789
 telephoneNumber: +1 888 555 1232
 mail: john@example.com
 manager: cn=Larry Smith,dc=example,dc=com
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top

The above entry is in LDAP Data Interchange Format format (LDIF). Any information that you feed into your DIT must also be in such a format. It is defined in RFC 2849.

A directory accessed via LDAP is good for anything that involves a large number of access requests to a mostly-read, attribute-based (name:value) backend, and that can benefit from a hierarchical structure. Examples include an address book, company directory, a list of email addresses, and a mail server’s configuration.

Our OpenLDAP guide

For users who want to set up OpenLDAP, we recommend following our series of guides in this order:

References

1 Like