What is LDAP
More about the Concepts
LDAP is the Lightweight Directory Access Protocol, also referred to as X.500 (a series of computer networking standards covering electronic directory services). It is open source and uses a standard mechanism for interacting with directory servers.
Directory servers are used to store a wide variety of information (network resources, users, groups and even access control). The most famous one is Microsoft's Active Directory, but there are others such as Oracle Internet Directory, and well-known open source ones like Apache Directory or OpenLDAP.
A directory service (and by extension a directory server) is a general term; DNS, for example, was the first directory service on the internet. The directory servers we are interested in are the ones that implement the LDAP protocol.
LDAP usually refers to the directory server implementing the LDAP protocol.
LDAP is very hierarchical, with a tree-like data structure. That makes reads very fast and writes slower.
An example of an LDAP directory information tree (DIT) could look like:
dc=org
└── dc=spring
    └── dc=example
        ├── ou=groups
        │   ├── cn=developers
        │   └── cn=sysadmin
        └── ou=people
            ├── uid=ben
            ├── uid=bob
            └── uid=joe
Since it is a tree, you can see a main branch
This could be considered the base branch of the LDAP structure.
The leaves are the entries, for example bob:
- The complete path that unambiguously identifies the entry is called the distinguished name, or DN, and is
- A single node along the path to this entry is called a relative distinguished name, or RDN (we can have RDN
String   X.500 AttributeType
------   -------------------
CN       commonName
L        localityName
ST       stateOrProvinceName
O        organizationName
OU       organizationalUnitName
C        countryName
STREET   streetAddress
DC       domainComponent
UID      userid
An attribute is a key: value map in the entry.
Search with ldapsearch
One of the best ways to explore your LDAP directory is the ldapsearch tool. It is a command-line tool that should already be present in most default Linux distributions.
Here is an example:
# -x: simple authentication, -H: ldap url, -b: ldap branch (search base),
# -D: ldap bind user, -w: ldap bind password; the last argument is the search filter
ldapsearch -x \
  -H ldap://ldap.example.org \
  -b "ou=groups,dc=example,dc=spring,dc=org" \
  -D "uid=bob,ou=people,dc=example,dc=spring,dc=org" \
  -w password \
  "(cn=developers)"
Find more usage examples in the Oracle documentation. The results are returned in the LDIF format.
LDIF is the LDAP Data Interchange Format from RFC 2849. It can be used to export and import LDAP entries. The possibilities are wide.
Here is an example of our top branch with the dc (domain component):
dn: dc=example,dc=spring,dc=org
objectClass: top
objectClass: domain
dc: example
Here is how you define the ou (organizational unit):
dn: ou=groups,dc=example,dc=spring,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
Here is an example of a user defined by its userId (we could use the cn, common name, in the dn, distinguished name, as well):
dn: uid=bob,ou=people,dc=example,dc=spring,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
# shown in clear text here; a server normally stores a hashed form such as {SSHA}
userPassword: bobspassword
Here we can have a group with its members:
dn: cn=developers,ou=groups,dc=example,dc=spring,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: developers
ou: developer
uniqueMember: uid=ben,ou=people,dc=example,dc=spring,dc=org
uniqueMember: uid=bob,ou=people,dc=example,dc=spring,dc=org
Find out more about LDIF in the Oracle documentation.
Actual LDAP Query
You can use a GUI or, as with SQL, enter a query to get the information you want out of your LDAP directory server.
It is useful when you want to understand an ldapsearch search filter.
But the syntax can be quite complicated; here is an example for Microsoft's AD implementation:
You can find more about the syntax in rfc4516 and hopefully make sense of it for your own use case. LDAP is a widely used protocol, so resources and help should not be too hard to find.
And finally, some useful links if you want to implement it or better understand its data structure at the byte level:
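To make the search base and filter arguments of the ldapsearch call above concrete, here is an added example (not the article's own code) that parses the page's LDIF entries in memory and evaluates a subset of the RFC 4515 filter syntax over them, standing in for a server. The DNs, attributes and values are the page's; the function names and the restriction to equality, presence, &, | and ! filters are my own.

```python
import re

# Constructed sample input: two of the LDIF entries shown above.
LDIF = """\
dn: uid=bob,ou=people,dc=example,dc=spring,dc=org
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob

dn: cn=developers,ou=groups,dc=example,dc=spring,dc=org
objectclass: groupOfUniqueNames
cn: developers
uniqueMember: uid=ben,ou=people,dc=example,dc=spring,dc=org
uniqueMember: uid=bob,ou=people,dc=example,dc=spring,dc=org
"""

def parse_ldif(text):
    """One dict per entry: lower-cased attribute name -> list of values.
    Only the plain 'attr: value' form is handled (no '::' base64 values)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def matches(entry, flt):
    """Evaluate an RFC 4515 filter limited to (attr=value), (attr=*) and the
    (&...), (|...), (!...) combinators, e.g. "(&(objectclass=*)(!(uid=ben)))"."""
    body = flt[1:-1]                      # drop the outer parentheses
    if body[0] in "&|!":
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":  # a complete sub-filter ends here
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches(entry, p) for p in parts]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.lower(), [])]  # LDAP matching is case-insensitive by default
    return bool(values) if value == "*" else value.lower() in values

def search(entries, base, flt):
    """Subtree search like `ldapsearch -b BASE FILTER`: matching DNs in order."""
    return [e["dn"][0] for e in entries
            if e["dn"][0].lower().endswith(base.lower()) and matches(e, flt)]
```

Running `search(parse_ldif(LDIF), "ou=groups,dc=example,dc=spring,dc=org", "(cn=developers)")` reproduces what the ldapsearch command above asks the server for.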