For those unfamiliar with LDAP, an introduction to some of the basic concepts is provided here. The intent is to give you enough to get started with simple LDAP integrations. Full administration of LDAP directories is beyond the scope of this article.
Directories
LDAP — Lightweight Directory Access Protocol — provides a standard mechanism for software to query a directory service. A directory service, or just directory, is a database of people and related information. Examples of popular LDAP-compatible directories include OpenLDAP and Microsoft Active Directory.
LDAP is derived from portions of the X.500 family of standards, published by the ITU. (The same family originated the X.509 certificate standards.)
Objects
LDAP presents a tree-structured collection of objects. LDAP objects include users, groups, cities, countries, organizations, organizational units (OUs), domains, and more.
Common Names
Most LDAP objects have a Common Name (CN), which is a brief name for the object. CNs are not guaranteed to be unique, and do not specify a location within the directory. For example, a CN might be John Smith — and just like the human name, that CN alone may not be enough to uniquely identify a person in a large organization.
Distinguished Names
Every object has a Distinguished Name (DN) which uniquely identifies the object and its location in the LDAP tree. In this way, a DN is similar to a file path or a web URL. DNs are unique and unambiguous. For example, the DN CN=John Smith,L=Paris,C=France,DC=example,DC=com might specify the same example person, but by providing locality (L), country (C), and domain context (DC), they are distinguished from other people with the same common name.
Organizational Units
Organizational units (OUs) are often used to represent the institution's management structure, and/or to collect related objects together for easier administration. They are somewhat analogous to file folders. OUs can be nested, and contribute to the tree structure of LDAP.
As examples: There may be OUs for departments, like "Accounting", "Sales", and "Manufacturing". There may be OUs for object types, "Users", "Groups", and "Computers". There may be OUs for different divisions — say, "Entertainment" and "Kitchen" for an appliance manufacturer — with OUs within each for "Accounting", and then OUs under each "Accounting" for "Users".
Given the above examples, one possible DN might be CN=John Smith,OU=Users,OU=Accounting,OU=Kitchen Appliances,DC=example,DC=com (read from right to left: the domain, then each nested OU, then the object itself).
Groups
LDAP groups can contain users and other groups. Groups are typically used to assign permissions or roles. For example, a group might be granted permission to read a file system folder, and then appropriate users placed in that group. Unlike OUs, groups are independent from the LDAP tree structure. Also unlike OUs, a user can be a member of multiple groups.
Groups generally have CNs and DNs, just like users. For example: CN=payrollread,OU=Groups,OU=Accounting,OU=Kitchen Appliances,DC=example,DC=com
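As an added example (not from the original article), the following Python code parses the string form of Distinguished Names such as the user and group DNs above, following the RFC 4514 conventions: components are separated by commas, and a backslash escapes a comma that is part of a value. It also derives an object's container DN and checks whether an object sits under a given OU; hex escapes and multi-valued RDNs are deliberately left out.

```python
# Added example (not from the article): a minimal RFC 4514 DN parser that keeps
# an escaped value such as "Smith\, John" as one RDN. Hex escapes (\2C) and
# multi-valued RDNs joined with '+' are not handled, to keep the code short.
from typing import List, Tuple

SPECIAL = set(',+"\\<>;')  # characters that must be escaped inside a DN value

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific (leftmost) first."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                  # previous char was '\': take this one literally
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":              # an unescaped comma ends the current RDN
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value))  # attribute types are case-insensitive
    return pairs

def format_dn(pairs: List[Tuple[str, str]]) -> str:
    """Inverse of parse_dn: re-escape special characters in each value."""
    return ",".join(a + "=" + "".join("\\" + c if c in SPECIAL else c for c in v)
                    for a, v in pairs)

def parent_dn(dn: str) -> str:
    """The container an object lives in: the DN with its leftmost RDN removed."""
    return format_dn(parse_dn(dn)[1:])

def is_under(dn: str, base: str) -> bool:
    """True if dn lies in the subtree rooted at base (values compared case-insensitively)."""
    d, b = parse_dn(dn), parse_dn(base)
    def norm(ps):
        return [(a, v.lower()) for a, v in ps]
    return len(b) <= len(d) and norm(d[len(d) - len(b):]) == norm(b)

if __name__ == "__main__":
    user = "CN=John Smith,OU=Users,OU=Accounting,OU=Kitchen Appliances,DC=example,DC=com"
    print(parse_dn(user))
    print(parent_dn(user))
    print(is_under(user, "OU=Accounting,OU=Kitchen Appliances,DC=example,DC=com"))
```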
Transports
The most common transport protocol for LDAP is TCP. The original LDAP protocol was unencrypted, putting all data in clear-text on the wire; encryption was added in a later revision. The most commonly used TCP ports are:
| Port | Description |
|---|---|
| 389 | Original (unencrypted) |
| 636 | LDAP over TLS, often called LDAPS (encrypted) |
| 1389 | Alternative to 389 (unencrypted) |
| 1636 | Alternative to 636 (TLS) |
The alternative ports sit above the privileged range (ports below 1024), so the server can bind to them without elevated privileges, which is useful when running a directory as an unprivileged user or for development and testing.
Further reading
- Lightweight Directory Access Protocol at Wikipedia
- What is lightweight directory access protocol (LDAP) authentication? at Red Hat
- OpenLDAP — A popular open source implementation of LDAP