Introduction to OpenLDAP
The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying an X.500-based directory service running over TCP/IP. The current LDAP version is LDAPv3, as defined in RFC 4510, and the implementation used in Ubuntu is OpenLDAP.
The LDAP protocol accesses directories. It’s common to refer to a directory as an LDAP directory or LDAP database as a shorthand – although technically incorrect, this shorthand is so widely used
that it’s understood as such.
Key concepts and terms
-
A directory is a tree of data entries that is hierarchical in nature; it is called the Directory Information Tree (DIT).
-
An entry consists of a set of attributes.
-
An attribute has a key (a name or description) and one or more values. Every attribute must be defined in at least one objectClass.
-
Attributes and objectClasses are defined in schemas (an objectClass is considered a special kind of attribute).
-
Each entry has a unique identifier: its Distinguished Name (DN or dn). This, in turn, consists of a Relative Distinguished Name (RDN) followed by the parent entry’s DN.
-
The entry’s DN is not an attribute. It is not considered part of the entry itself.
Note:
The terms object, container, and node have certain connotations but they all essentially mean the same thing as entry (the technically correct term).
For example, below we have a single entry consisting of 11 attributes where the following is true:
-
DN is
cn=John Doe,dc=example,dc=com -
RDN is
cn=John Doe -
parent DN is
dc=example,dc=com
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Larry Smith,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
The above entry is in LDAP Data Interchange Format format (LDIF). Any information that you feed into your DIT must also be in such a format. It is defined in RFC 2849.
A directory accessed via LDAP is good for anything that involves a large number of access requests to a mostly-read, attribute-based (name:value) backend, and that can benefit from a hierarchical structure. Examples include an address book, company directory, a list of email addresses, and a mail server’s configuration.
Our OpenLDAP guide
For users who want to set up OpenLDAP, we recommend following our series of guides in this order:
- Install and configure LDAP
- LDAP Access Control
- LDAP users and groups
- SSL/TLS
- Replication
- Backup and restore
References
- The OpenLDAP administrators guide
- RFC 4515: LDAP string representation of search filters
- Zytrax’s LDAP for Rocket Scientists; a less pedantic but comprehensive treatment of LDAP
Older references that might still be useful: - O’Reilly’s LDAP System Administration (textbook; 2003)
- Packt’s Mastering OpenLDAP (textbook; 2007)