{"id":1668,"date":"2022-08-25T08:53:16","date_gmt":"2022-08-25T08:53:16","guid":{"rendered":"https:\/\/blog.amt.in\/?p=1668"},"modified":"2022-08-25T08:53:16","modified_gmt":"2022-08-25T08:53:16","slug":"introduction-to-lightweight-directory-access-protocol-ldap","status":"publish","type":"post","link":"https:\/\/blog.amt.in\/index.php\/2022\/08\/25\/introduction-to-lightweight-directory-access-protocol-ldap\/","title":{"rendered":"Introduction to Lightweight Directory Access Protocol (LDAP)"},"content":{"rendered":"<p>The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.<\/p>\n<p>LDAP is specified in a series of Internet Engineering Task Force (IETF) Standards Track publications called Requests for Comments (RFCs), using the description language ASN.1.<\/p>\n<p>A common use of LDAP is to provide a central place to store usernames and passwords. 
This allows many different applications and services to connect to the LDAP server to validate users.<\/p>\n<p>LDAP is based on a simpler subset of the standards contained within the <a title=\"X.500\" href=\"https:\/\/en.wikipedia.org\/wiki\/X.500\">X.500<\/a> standard. Because of this relationship, LDAP is sometimes called X.500-lite.<\/p>\n<p>A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP and UDP port 389, or on port 636 for LDAPS (LDAP over SSL, see below). The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order. All information is transmitted using Basic Encoding Rules (BER).<\/p>\n<p>The client may request the following operations:<\/p>\n<ul>\n<li>StartTLS \u2013 use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection<\/li>\n<li>Bind \u2013 authenticate and specify the LDAP protocol version<\/li>\n<li>Search \u2013 search for and\/or retrieve directory entries<\/li>\n<li>Compare \u2013 test whether a named entry contains a given attribute value<\/li>\n<li>Add \u2013 add a new entry<\/li>\n<li>Delete \u2013 delete an entry<\/li>\n<li>Modify \u2013 modify an entry<\/li>\n<li>Modify Distinguished Name (DN) \u2013 move or rename an entry<\/li>\n<li>Abandon \u2013 abort a previous request<\/li>\n<li>Extended Operation \u2013 generic operation used to define other operations<\/li>\n<li>Unbind \u2013 close the connection (not the inverse of Bind)<\/li>\n<\/ul>\n<p>In addition, the server may send &#8220;Unsolicited Notifications&#8221; that are not responses 
to any request, e.g. before the connection is timed out.<\/p>\n<p>A common alternative method of securing LDAP communication is using an SSL tunnel. The default port for LDAP over SSL is 636. The use of LDAP over SSL was common in LDAP Version 2 (LDAPv2), but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003. The Global Catalog is available by default on port 3268, and on port 3269 for LDAPS.<\/p>\n<p>As LDAP has gained momentum, vendors have provided it as an access protocol to other services. The implementation then recasts the data to mimic the LDAP\/X.500 model, but how closely this model is followed varies. For example, there is software to access SQL databases through LDAP, even though LDAP does not readily lend itself to this. X.500 servers may support LDAP as well.<\/p>\n<p>Similarly, data previously held in other types of data stores is sometimes moved to LDAP directories. For example, Unix user and group information can be stored in LDAP and accessed via PAM and NSS modules. LDAP is often used by other services for authentication and\/or authorization (what actions a given, already-authenticated user can perform on what service). For example, in Active Directory, Kerberos is used in the authentication step, while LDAP is used in the authorization step.<\/p>\n<p>An example of such a data model is the GLUE Schema, which is used in a distributed information system based on LDAP that enables users, applications and services to discover which services exist in a Grid infrastructure, along with further information about their structure and state.<\/p>\n<p>An LDAP server may return referrals to other servers for requests that it cannot fulfill itself. 
This requires a naming structure for LDAP entries so one can find a server holding a given distinguished name (DN), a concept defined in the X.500 Directory and also used in LDAP. Another way of locating LDAP servers for an organization is a DNS service (SRV) record.<\/p>\n<p>An organization with the domain example.org may use the top-level LDAP DN <code>dc=example,dc=org<\/code> (where <i>dc<\/i> means domain component). If the LDAP server is also named ldap.example.org, the organization&#8217;s top-level LDAP URL becomes <code>ldap:\/\/ldap.example.org\/dc=example,dc=org<\/code>.<\/p>\n<p>Two common styles of naming are used in both X.500 [2008] and LDAPv3. These are documented in the ITU specifications and IETF RFCs. The original form takes the country object as the top-level object, such as <code>c=US<\/code> or <code>c=FR<\/code>. The domain component model uses the model described above. An example of country-based naming could be <code>l=Locality, ou=Some Organizational Unit, o=Some Organization, c=FR<\/code>, or in the US: <code>cn=Common Name, l=Locality, ou=Some Organizational Unit, o=Some Organization, st=CA, c=US<\/code>.<\/p>\n<p>The above is a brief overview of LDAP. 
Watch this space for more updates on the latest trends in technology.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Lightweight Directory Access Protocol (LDAP) is an<\/p>\n","protected":false},"author":1,"featured_media":1670,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[745,912,7],"tags":[746,913,18],"class_list":["post-1668","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-protocol","category-lightweight-directory-access-protocol-ldap","category-techtrends","tag-internet-protocol","tag-lightweight-directory-access-protocol-ldap","tag-technology"],"_links":{"self":[{"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/posts\/1668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/comments?post=1668"}],"version-history":[{"count":1,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/posts\/1668\/revisions"}],"predecessor-version":[{"id":1669,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/posts\/1668\/revisions\/1669"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/media\/1670"}],"wp:attachment":[{"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/media?parent=1668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/categories?post=1668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/tags?post=1668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{r
el}","templated":true}]}}