Introduction to OpenLDAP

The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying an X.500-based directory service running over TCP/IP. The current LDAP version is LDAPv3, as defined in RFC 4510, and the implementation used in Ubuntu is OpenLDAP.

The LDAP protocol accesses directories. It’s common to refer to a directory as an LDAP directory or LDAP database as a shorthand – although technically incorrect, this shorthand is so widely used that it’s understood as such.

Key concepts and terms

• A directory is a tree of data entries that is hierarchical in nature; it is called the Directory Information Tree (DIT).

• An entry consists of a set of attributes.

• An attribute has a key (a name or description) and one or more values. Every attribute must be defined in at least one objectClass.

• Attributes and objectClasses are defined in schemas (an objectClass is considered a special kind of attribute).

• Each entry has a unique identifier: its Distinguished Name (DN or dn). This, in turn, consists of a Relative Distinguished Name (RDN) followed by the parent entry’s DN.

• The entry’s DN is not an attribute. It is not considered part of the entry itself.

Note: The terms object, container, and node have certain connotations but they all essentially mean the same thing as entry (the technically correct term).

For example, below we have a single entry consisting of 11 attributes where the following is true:

• DN is cn=John Doe,dc=example,dc=com

• RDN is cn=John Doe

• parent DN is dc=example,dc=com

 dn: cn=John Doe,dc=example,dc=com
 cn: John Doe
 givenName: John
 sn: Doe
 telephoneNumber: +1 888 555 6789
 telephoneNumber: +1 888 555 1232
 mail: [email protected]
 manager: cn=Larry Smith,dc=example,dc=com
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top

The above entry is in LDAP Data Interchange Format format (LDIF). Any information that you feed into your DIT must also be in such a format. It is defined in RFC 2849.

A directory accessed via LDAP is good for anything that involves a large number of access requests to a mostly-read, attribute-based (name:value) backend, and that can benefit from a hierarchical structure. Examples include an address book, company directory, a list of email addresses, and a mail server’s configuration.

Our OpenLDAP guide

For users who want to set up OpenLDAP, we recommend following our series of guides in this order:

• Install and configure LDAP

• LDAP Access Control

• LDAP users and groups

• SSL/TLS

• Replication

• Backup and restore

References

• The OpenLDAP administrators guide

• RFC 4515: LDAP string representation of search filters

• Zytrax’s LDAP for Rocket Scientists; a less pedantic but comprehensive treatment of LDAP Older references that might still be useful:

• O’Reilly’s LDAP System Administration (textbook; 2003)

• Packt’s Mastering OpenLDAP (textbook; 2007)