
Executive Overview of LDAP

The Lightweight Directory Access Protocol (LDAP) is an Internet standard that brings X.500 directory services to the Internet. LDAP implementations provide a structured database whose entries, referred to as "objects," are formed from pairs of a single-word character key and a multi-word or multi-line character value. A few special attributes provide for binary data values. A standard set of keys is well defined in the LDAP standard and can, for the most part, be considered user friendly. In general, the keys are abbreviations of an LDAP attribute name. For example, two common keys, or attributes, are dn (Distinguished Name, DN) and cn (Common Name, CN).

Many of the LDAP attributes are used to store human-readable information about people and organizations. The attributes usually identify something specific about a person or organization, such as an electronic mail address (mail), a commonly used name, nickname, or pseudonym for a person, organization, or organizational unit (cn), or a computer userid (uid).
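The entry model described above (a dn followed by key/value attribute pairs, multi-line values, and a few binary-valued attributes) is what the standard LDIF interchange format carries. The following parser is an added example, not code from the paper or from any LDAP implementation; the entry it parses is a constructed sample, and the assumption is plain LDIF folding rules (a leading space continues the previous line, `::` marks a base64-encoded binary value, `#` starts a comment):

```python
"""Parse LDIF text into LDAP entries: a dn plus multi-valued attributes."""
import base64
from typing import Dict, List, Union

# Constructed sample: two entries, a folded multi-line value and a
# binary attribute (jpegPhoto) carried as base64. Not a real directory.
SAMPLE_LDIF = """\
# constructed sample entries (not from a real directory)
dn: cn=Jane Doe,ou=People,dc=example,dc=com
cn: Jane Doe
uid: jdoe
mail: jdoe@example.com
description: A long value that continues
  on the next line
jpegPhoto:: /9j/4AAQ
 SkZJRg==

dn: ou=People,dc=example,dc=com
ou: People
"""

Entry = Dict[str, Union[str, List[Union[str, bytes]]]]


def unfold(text: str) -> List[str]:
    """Join continuation lines: a line starting with one space extends
    the previous logical line (the marker space itself is dropped)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Return a list of entries. 'dn' is a string; every other key maps
    to a list of values (str for text, bytes for base64 '::' values)."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if line.strip() == "":            # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):          # "attr:: base64" -> binary value
            value: Union[str, bytes] = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):        # "attr:< url" is not supported here
            raise ValueError("URL-referenced values are not supported")
        else:
            value = rest.strip()
        if not current:
            if key != "dn" or not isinstance(value, str):
                raise ValueError("an entry must start with a textual dn")
            current = {"dn": value}
        else:
            current.setdefault(key, []).append(value)  # type: ignore[union-attr]
    if current:
        entries.append(current)
    return entries


def find_entry(entries: List[Entry], dn: str) -> Entry:
    """Look an entry up by its distinguished name (exact string match)."""
    for entry in entries:
        if entry["dn"] == dn:
            return entry
    raise KeyError(dn)


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"], {k: v for k, v in e.items() if k != "dn"})
```

The base64 value in the sample decodes to the JPEG SOI/JFIF header bytes, which is how a binary attribute such as a photo would travel in LDIF without breaking the text-only key/value layout.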

The basic LDAP implementation usually provides for clear-text password authentication only. This means that when an LDAP client is required to send a password to an LDAP server, the password is not encrypted but is sent as plain or clear text. Some specific implementations or site-provided add-on programs may provide secure client, or user, authentication using Secure Sockets Layer (SSL) or other mechanisms, but this is not yet a function of the LDAPv2 protocol itself. Authentication is the process of sending a user-identifying data string, commonly an LDAP Distinguished Name from an LDAP database object entry, together with its associated password string. This is normally required only when updating an LDAP database entry. Most LDAP queries are performed without any authentication and appear to the LDAP server as a "null" or undefined user or client. User/client authentication is independent of the access control mechanisms, the access control lists (ACLs) described in Section 10.
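The clear-text bind described above is visible on the wire: a BindRequest carries the DN and the password as plain octet strings inside a BER-encoded LDAPMessage. The following inspector is an added example for a defender, not code from the paper; it is assumed that the bind is the standard LDAPv2/v3 BindRequest (APPLICATION 0, simple authentication as context tag 0) and that the capture tool already knows whether the TCP session was TLS-wrapped. The sample packet is constructed by the block's own encoder rather than captured from a real server:

```python
"""Decode an LDAP BindRequest and flag clear-text or anonymous binds."""
from dataclasses import dataclass

# BER tags used by an LDAPMessage carrying a BindRequest
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60       # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80        # [0] simple (password as OCTET STRING)
AUTH_SASL = 0xA3          # [3] sasl (LDAPv3 only)


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one tag/length/value triple (short- or long-form length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it).
    Indefinite and oversized lengths are rejected rather than guessed."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def build_simple_bind(msg_id: int, version: int, dn: str, password: str) -> bytes:
    """Constructed sample BindRequest (single-byte INTEGERs only)."""
    assert 0 <= msg_id < 128 and 0 <= version < 128
    body = (ber_tlv(INTEGER, bytes([version]))
            + ber_tlv(OCTET_STRING, dn.encode())
            + ber_tlv(AUTH_SIMPLE, password.encode()))
    return ber_tlv(SEQUENCE, ber_tlv(INTEGER, bytes([msg_id]))
                   + ber_tlv(BIND_REQUEST, body))


@dataclass
class BindInfo:
    message_id: int
    version: int
    dn: str
    auth_kind: str        # "simple", "sasl" or "other"
    credential_len: int   # bytes of password (or SASL credentials) on the wire


def inspect_bind(packet: bytes) -> BindInfo:
    """Walk LDAPMessage -> BindRequest -> (version, name, authentication)."""
    tag, msg, _ = ber_read(packet)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = ber_read(msg)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = ber_read(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = ber_read(op)
    _, name, pos = ber_read(op, pos)
    tag, auth, _ = ber_read(op, pos)
    kind = {AUTH_SIMPLE: "simple", AUTH_SASL: "sasl"}.get(tag, "other")
    return BindInfo(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                    name.decode("utf-8", "replace"), kind, len(auth))


def classify_bind(packet: bytes, over_tls: bool) -> str:
    """Defender's verdict: anonymous (the 'null' user the text describes),
    a password readable by anyone on the path, or acceptable."""
    info = inspect_bind(packet)
    if info.auth_kind == "simple" and info.credential_len == 0:
        return "ANONYMOUS_BIND"
    if info.auth_kind == "simple" and not over_tls:
        return "CLEARTEXT_SIMPLE_BIND"
    return "OK"


if __name__ == "__main__":
    pkt = build_simple_bind(1, 2, "cn=admin,dc=example,dc=com", "secret")
    print(pkt.hex())
    print(inspect_bind(pkt), classify_bind(pkt, over_tls=False))
```

Running the block prints the raw hex, in which the DN and the password are readable as-is; feeding the same packet through `classify_bind` with `over_tls=True` returns "OK", which is the difference the SSL add-ons mentioned above make.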

Some descriptions of LDAP liken it to an electronic telephone book, or "yellow pages" directory, though that is only part of what LDAP can be used for. LDAP databases are most often organized in a tree or hierarchical structure. A large structure may be distributed over more than one LDAP server, and may include references to other LDAP servers, providing for a distributed directory service.


Jim Dutton
2000-04-24