In computer networking, the Lightweight Directory Access Protocol, or LDAP ("ell-dap"), is a networking protocol for querying and modifying directory services running over TCP/IP. An LDAP directory usually follows the X.500 model: it is a tree of entries, each of which consists of a set of named attributes with values. While some services use a more complicated "forest" model, the vast majority use a simple starting point for their database organization.
An LDAP directory often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain Name System (DNS) names for structuring the topmost levels of the hierarchy. Further into the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else which represents a given tree entry, or multiple entries.
Protocol overview
A client starts an LDAP sess ion by connecting to an LDAP server, by default on TCP port 389. The client then sends operation requests to the server, and the server sends responses in return. With some exceptions the client need not wait for a response before sending the next request, and the server may then send the responses in any order.
The basic operations are, in order:
- Bind - authenticate, and specify LDAP protocol version,
- Start TLS - protect the connection with Transport Layer Security (TLS), to have a more secure connection,
- Search - search for and/or retrieve directory entries,
- Compare - test if a named entry contains a given attribute value,
- Add a new entry,
- Delete an entry,
- Modify an entry,
- Modify DN - move or rename an entry,
- Abandon - abort a previous request,
- Extended Operation - generic operation used to define other operations,
- Unbind - close the connection, not the inverse of Bind.
In addition the server may send "Unsolicited Notifications" that are not responses to any request, e.g. before it times out a connection.
A common alternate method of securing LDAP communication is using an SSL tunnel. This is denoted in LDAP URLs by using the URL scheme "ldaps". The standard port for LDAP over SSL is 636.
0 comments:
Post a Comment