Lightweight Directory Access Protocol

from Wikipedia, the free encyclopedia
LDAP in the TCP/IP protocol stack: application layer: LDAP; transport layer: TCP (UDP); Internet layer: IP (IPv4, IPv6); network access layer: Ethernet, Token Bus, Token Ring, FDDI, ...

The Lightweight Directory Access Protocol (LDAP) is a network protocol for querying and modifying information in distributed directory services. Its current, third version is specified in RFC 4510 to RFC 4532; the protocol itself is defined in RFC 4511.

The standard port for unsecured connections is 389; the standard port for TLS connections (LDAPS) is 636.

Overview

LDAP is based on the client-server model and is used in so-called directory services. It describes the communication between an LDAP client and a directory server. Object-related data, such as personal data or computer configurations, can be read from such a directory. Communication takes place by means of queries.

The directory can contain an address book, for example: a user triggers a search for Joe User's e-mail address in his or her e-mail client. The e-mail client formulates an LDAP query to the directory that holds the address information. The directory formulates the answer and sends it to the client: joe.user@example.org.

In the meantime, it has become common in administrative parlance to speak of an LDAP server . This means a directory server whose data structure corresponds to the LDAP specification and which can exchange data using the LDAPv3 protocol, which was specified in RFC 2251 .

The protocol offers all operations required for such communication: logging on to the server (bind), the search query (for example: search for all information on the user named "Joe User") and the modification of data (for example: change the password of the user Joe User).

Newer implementations that go beyond RFC 2251, and that are the subject of a possible extension of the protocol, also cover the replication of data between different directories.

It should be noted that "directory" is meant in the sense of a telephone book and not in the sense of "file folder".

History

LDAP was developed at the University of Michigan (UMich) and was first proposed in RFC 1487 in 1993. At the same time, UMich presented the first server implementation, known today as "UMich-LDAP". LDAP is a simplified alternative to the Directory Access Protocol (DAP), which is specified as part of the X.500 standard. The X.500 standard is very extensive and is based on a complete ISO/OSI stack, which made implementation difficult and hardware-intensive. LDAP was developed with the aim of making directory services simpler and therefore more popular. LDAP is based on a TCP/IP stack and implements only a selection of the DAP functions and data types. As a result, LDAP could also be implemented on workstation computers of the early 1990s and gained a broad application base.

LDAP and X.500

LDAP is an access mechanism in the sense of X.500 and is outwardly defined on the X.500 data models and service models. Behind this interface, however, LDAP leaves everything open and permits any directory system. Nor is LDAP tied to a particular underlying transport such as TCP and UDP or IP. Where X.500 requires several consecutive messages in its Directory Access Protocol (DAP), a single combined message can suffice in LDAP.

Functionality

[Figure: LDAP directory entry]

To get an overview of how an LDAP architecture works, it is necessary to distinguish between the organization of the LDAP directory and the LDAP protocol.

LDAP directory

The data structure of an LDAP directory is a hierarchical tree with a root, branches and leaves. This tree is also called the Directory Information Tree (DIT). The root (root, suffix) is the topmost data object; the higher-level structures branch off below it. Example: if an LDAP directory is used in a company with the name ACME, the organization can be defined as the root: o=acme.

People can be stored in branches below this root: ou=people,o=acme

Groups can be stored in other branches below the root: ou=groups,o=acme

So that the organization of the data does not happen arbitrarily, each LDAP directory uses a particular, standardized and possibly extended structure. The structure is defined by the schema used. An LDAP schema defines object classes together with their attributes, such as the person class or the organization class.

The directory entries are called LDAP objects. Each object belongs to at least one, but usually to several, classes. For example, the data of a person, their e-mail address and their password do not require three objects; rather, the same object belongs to three classes. In this example these could be person, inetOrgPerson and posixAccount.

There are three kinds of object class. Structural classes are the default case, since every object must belong to at least one structural class. In addition there are auxiliary classes, which can be used to assign the same set of attributes to different types of objects. Last but not least, there are abstract base classes, from which no objects can be created, only subordinate classes derived.

Each object is independent and composed of attributes. A single object is uniquely identified by its Distinguished Name (DN), such as uid=juser,ou=People,ou=webdesign,c=de,o=acme. The DN is made up of individual Relative Distinguished Names (RDNs). Another way of writing the DN is the canonical name, which contains no attribute tags such as ou or c and in which the RDNs are separated by slashes. In addition, in contrast to the DN, the sequence begins with the topmost entry, for example acme/de/webdesign/People/juser.
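The DN to canonical name conversion described above, as an added example that is not part of the original article. It assumes RFC 4514 string syntax (',' separates RDNs, '=' separates type and value, '\' escapes special characters, including \XX hex pairs for single bytes); multi-valued RDNs (a=1+b=2) are not split.

```python
# Added example (not from the article): parse a Distinguished Name into its
# RDNs and derive the canonical name form. Assumes RFC 4514 string syntax;
# multi-valued RDNs (a=1+b=2) are kept as one value.

def _split_unescaped(s, sep):
    # split on sep, but not on a sep that is preceded by a backslash
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.extend(s[i:i + 2]); i += 2
        elif s[i] == sep:
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(s[i]); i += 1
    return parts + ["".join(buf)]

def _unescape(value):
    # remove RFC 4514 escapes: '\,' -> ',' and '\2c' -> ',' (single-byte hex pairs only)
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16))); i += 3
            else:
                out.append(value[i + 1]); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)

def parse_dn(dn):
    # returns [(type, value), ...] ordered from the leaf RDN up to the root;
    # whitespace around ',' and '=' is tolerated, attribute types are lower-cased
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, eq, value = rdn.strip().partition("=")
        if not (attr.strip() and eq):
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), _unescape(value.strip())))
    return rdns

def canonical_name(dn):
    # root first, attribute tags dropped, RDN values joined with '/'
    return "/".join(value for _, value in reversed(parse_dn(dn)))
```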

Each attribute of an object has a specific type and one or more values. The type designations of the attributes are usually easy-to-remember abbreviations such as cn for common name, ou for organizational unit, st for state, c for country or mail for e-mail address. The permitted values of an attribute depend on its type: a mail attribute could contain the address hans.wurst@example.com, whereas a jpegPhoto attribute would store a photo as binary data in JPEG format. The attributes defined in an object class can be either mandatory or optional.

The objects are stored in a hierarchical structure that reflects political, geographical or organizational boundaries. The largest units are placed at the root of the directory tree, which fans out further and further downwards. Objects that themselves contain other objects are called container objects, while the objects at the "ends" of the tree are called leaf objects.

[Figure: Tree structure of the LDAP content]

When individual LDAP servers are responsible for individual parts of the directory tree, one speaks of partitions. If a client makes a request for which the server is not responsible, the server can refer the client to another server. LDAP servers can be set up redundantly; a master-slave configuration is often used for this. If a client tries to change data on a slave server, it is referred to the master. The changes on the master server are then passed on to all slave servers.

Since many different schemas are in use in different versions, the notion of a "global", all-inclusive LDAP directory is not realistic. LDAP servers are used as a central directory service for different purposes and at different scales, but the object hierarchy is usually limited to one organization.

Protocol

LDAP is an application layer protocol in the four-layer DoD (TCP/IP) model and works by means of precisely specified access operations:

bind
The bind operation tells the directory server, by means of a DN, who wants to carry out the access (either anonymously, via password authentication or otherwise).
baseDN
The BaseDN defines where in the directory tree the search for the desired objects starts. The scope of this search can be set to
  • exactly this object (base)
  • this object and everything under it (sub)
  • one level below the BaseDN (one)

In addition, the remaining search parameters apply, such as the search filter (for example (&(mail=joe*)(ou=People))), the server name (for example ldap.acme.com) and the port number.

Example of an LDAP search query using a simple command line program:

ldapsearch -h ldap.acme.com -p 389 -s sub -D "cn=Directory Manager,o=acme" -W -b "ou=personen,o=acme" "(&(mail=joe*)(c=germany))" mail

Explanation: The command line program contacts the directory server ldap.acme.com (port 389) via LDAP and logs on to it with the account of the Directory Manager, the password being requested interactively (-W). The request targets all user entries below the branch ou=personen,o=acme (scope sub) and searches for people from Germany whose e-mail address begins with joe ((&(mail=joe*)(c=germany))). For the entries matching this filter, only their e-mail address (mail) is returned.
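An evaluator for the filter syntax used in the ldapsearch example above, run against constructed in-memory entries, as an added example that is not part of the original article. It assumes the filter subset (&...), (|...) and (attr=value) with '*' wildcards and \XX escapes, and also shows RFC 4515 escaping, which is what makes a value taken from user input (such as the "joe" typed into an address book search) match literally instead of being interpreted as a wildcard or operator.

```python
import re

def escape_filter_value(value):
    # RFC 4515 escaping: untrusted text is matched literally, never as wildcard or operator
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)

def _segments(raw):
    # decode \XX escapes and split the value at unescaped '*' wildcards into literals
    segs, buf, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 1:i + 3]):
            buf.append(chr(int(raw[i + 1:i + 3], 16))); i += 3
        elif raw[i] == "*":
            segs.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(raw[i]); i += 1
    return segs + ["".join(buf)]

def parse_filter(text, pos=0):
    # recursive descent over (&...), (|...) and (attr=value); returns (node, end offset)
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    if text[pos + 1:pos + 2] in ("&", "|"):
        op, children, pos = text[pos + 1], [], pos + 2
        while text[pos:pos + 1] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos:pos + 1] != ")":
            raise ValueError("unbalanced filter at offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)              # a literal ')' inside a value must be escaped
    attr, eq, raw = text[pos + 1:end].partition("=")
    if not (attr and eq):
        raise ValueError("expected attr=value at offset %d" % pos)
    return ("=", attr.lower(), _segments(raw)), end + 1

def matches(node, entry):
    # entry: dict of lower-cased attribute type -> list of values; match is case-insensitive
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(c, entry) for c in node[1])
    pattern = ".*".join(re.escape(s) for s in node[2])   # each '*' becomes '.*'
    return any(re.fullmatch(pattern, v, re.I | re.S) for v in entry.get(node[1], []))

def search(entries, filter_text, attrs):
    # selection by filter, then projection to the listed attributes (what ldapsearch does)
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [{a: e[a] for a in attrs if a in e} for e in entries if matches(node, e)]

PEOPLE = [  # constructed sample entries (fictitious people) below ou=personen,o=acme
    {"uid": ["juser"], "mail": ["joe.user@example.org"], "c": ["Germany"]},
    {"uid": ["jsmith"], "mail": ["joe.smith@example.org"], "c": ["France"]},
    {"uid": ["hwurst"], "mail": ["hans.wurst@example.com"], "c": ["Germany"]},
]
```

Running search(PEOPLE, "(&(mail=joe*)(c=germany))", ["mail"]) reproduces the ldapsearch example; passing the same text through escape_filter_value first shows the difference between a wildcard and a literal asterisk.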

Applications

LDAP is used in many areas these days, for example:

LDAP and database models

LDAP acts as a front end to hierarchical databases . However, LDAP per se is not a database, but merely the protocol for communication.

Potential problems

No normal forms
LDAP acts as a front end to hierarchical databases. This structure does not enforce normal forms, for example multivalued attributes can be allowed.
Query language
Of the relational operations projection (column selection), selection (row selection), cross product (JOIN), column renaming (RENAME, AS) and aggregation (GROUP BY), LDAP supports only projection (without computed attributes) and selection. There is no operation analogous to a join and no "dereference this DN" operator; there is no rename and hence no self-join; and aggregation must be coded as loops in the client. In contrast to SQL, the LDAP query language is not an algebra: it lacks closure. The results of an LDAP query are not an LDAP tree but a set of nodes, so the LDAP query language cannot be applied again to LDAP results in order to refine them.

Strengths and main areas of application of LDAP

Authorization and authentication
The LDAP protocol and the LDAP server are optimized for authentication (password check), authorization (rights check) and address book searches. The fast connection and disconnection, the simply structured protocol and the short query language ensure fast processing.
Fast read access
Due to its non-normalized data storage, all data of an LDAP data record can be accessed very quickly because all data can be read out immediately with a single read access.
Distributed data storage
LDAP offers distributed data storage such as redundant local data storage at distributed locations, loosely coupled replication for data synchronization between the locations and extremely high availability without complex configuration or high costs.
Flexible, fully object-oriented data model
LDAP inherits the object-oriented data model from the X.500 standard. This means that LDAP directories can be flexibly adapted to changing requirements without losing functionality already implemented in the directory.
Broad application support
LDAP is the industry de facto standard for authentication, authorization and user and address directories. Most software products that have to deal with user data and have market relevance support LDAP as a protocol.

LDAP software

LDAP server

Many manufacturers offer LDAP servers, for example:

LDAP clients

Client software allows access to the directory data, for example:

  • cURL : An open source command line tool that supports the LDAP protocol.
  • Active Directory Explorer : A free LDAP client from Sysinternals for Windows
  • JXplorer : An open source client developed in Java.
  • LDAP Browser : A free LDAP client for Windows
  • LDAP Administrator : An advanced LDAP administration tool designed to work with almost all LDAP servers including Active Directory, Novell Directory Services, Netscape / iPlanet, etc.
  • LDAP Admin : An LDAP client designed to work under Windows.
  • Apache Directory Studio : A cross-platform client developed in Java by the Apache Software Foundation.
  • GQ : A client developed in GTK+/GTK2 under the GPL for GNU/Linux.
  • LDAP Account Manager : LDAP Account Manager is a web front end for managing various account types in an LDAP directory. It was written in PHP.
  • Luma : A client application for Linux developed in Qt4. The use of plugins enables easy management of user accounts, address books, etc.
  • phpLDAPadmin : A cross-platform web-based client developed under GPL in PHP for easy management of LDAP directories.
  • FusionDirectory : A GPL-licensed web application developed in PHP to easily manage LDAP directories and all related services.
  • ldap-csvexport : A GPL-licensed, Perl-based command line tool for exporting LDAP data as CSV with many features.
  • ldap-preg_replace : A GPL-licensed, Perl-based command line tool for changing attributes in bulk with regular expressions.

Literature

  • Dieter Klünter, Jochen Laser: Understanding LDAP, using OpenLDAP . Basics and practical use. dpunkt.verlag, Heidelberg 2007, ISBN 978-3-89864-263-7 .
  • Gerald Carter: LDAP System Administration . O'Reilly, 2003.
