OpenLDAP introduction

The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying a X.500-based directory service running over TCP/IP. The current LDAP version is LDAPv3, as defined in RFC 4510, and the implementation used in Ubuntu is OpenLDAP.

The LDAP protocol accesses directories. It’s common to refer to a directory an LDAP directory or LDAP database as a shorthand – although technically incorrect, this shorthand is so widely used
that it’s understood as such.

Key concepts and terms

  • A directory is a tree of data entries that is hierarchical in nature and is called the Directory Information Tree (DIT).

  • An entry consists of a set of attributes.

  • An attribute has a key (a name/description) and one or more values.

  • Every attribute must be defined in at least one objectClass.

  • Attributes and objectClasses are defined in schemas (an objectClass is considered as a special kind of attribute).

  • Each entry has a unique identifier: its Distinguished Name (DN or dn). This, in turn, consists of a Relative Distinguished Name (RDN) followed by the parent entry’s DN.

  • The entry’s DN is not an attribute. It is not considered part of the entry itself.

Note:
The terms object, container, and node have certain connotations but they all essentially mean the same thing as entry (the technically correct term).

For example, below we have a single entry consisting of 11 attributes where the following is true:

  • DN is “cn=John Doe,dc=example,dc=com”

  • RDN is “cn=John Doe”

  • parent DN is “dc=example,dc=com”

 dn: cn=John Doe,dc=example,dc=com
 cn: John Doe
 givenName: John
 sn: Doe
 telephoneNumber: +1 888 555 6789
 telephoneNumber: +1 888 555 1232
 mail: john@example.com
 manager: cn=Larry Smith,dc=example,dc=com
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top

The above entry is in LDIF format (LDAP Data Interchange Format). Any information that you feed into your DIT must also be in such a format. It is defined in RFC 2849.

Such a directory accessed via LDAP is good for anything that involves a large number of access requests to a mostly-read, attribute-based (name:value) backend, and that can benefit from a hierarchical structure. Examples include an address book, company directory, a list of email addresses, and a mail server’s configuration.

References

Older references that might still be useful:

1 Like