LDAP Client APIs

In the LDAP client-server model, directory servers make information about people, organizations, and resources accessible to LDAP client applications. LDAP defines operations that clients use to search and update the directory. An LDAP client can perform these operations, among others:

  • Search for and retrieve entries from the directory
  • Add new entries to the directory
  • Update entries in the directory
  • Delete entries from the directory
  • Rename entries in the directory

For example, to update an entry, an LDAP client submits the distinguished name (DN) of the entry with updated attribute information to the LDAP server. The LDAP server uses the distinguished name to find the entry. The server then performs a modify operation to update the entry in the directory.

To perform any of these LDAP operations, an LDAP client needs to establish a connection with an LDAP server. The LDAP protocol specifies the use of TCP/IP port number 389, although servers can listen on other ports, such as 636 for LDAP over SSL.

The LDAP protocol also defines a simple method for authentication. LDAP servers can be set up to restrict permissions to the directory. Before an LDAP client can perform an operation on an LDAP server, the client must authenticate to the server. Clients typically authenticate by supplying a distinguished name and password. If the user identified by the distinguished name does not have permission to perform the operation, the server does not execute the operation.
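The simple authentication method described above puts the DN and password into the BindRequest as plain octet strings, which is why the choice between port 389 and an SSL-protected port matters. The following sketch is an added example, not code from the original post or from any of the SDKs listed below: it encodes a simple bind in BER as laid out in RFC 4511 and classifies a captured BindRequest the way a reviewer auditing directory traffic might, going slightly beyond the text by also recognizing anonymous, unauthenticated, and SASL binds. The function names, the `tls` flag, and the sample DN and password are assumptions made for illustration.

```python
# Added example. BER layout follows RFC 4511; all names here are illustrative.

def tlv(tag, value):
    """Encode one BER element (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def encode_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID (1..127), BindRequest { version 3, name, simple } }."""
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def read_tlv(buf, pos):
    """Decode the element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long form: low 7 bits count the length octets
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad length encoding")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + n], pos + n

def classify_bind(packet, tls=False):
    """Return (kind, dn, finding) for a BindRequest, or None for other operations."""
    outer, msg, _ = read_tlv(packet, 0)
    if outer != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)       # skip messageID
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:                    # [APPLICATION 0] marks a BindRequest
        return None
    _, _, pos = read_tlv(bind, 0)      # skip version
    _, name, pos = read_tlv(bind, pos)
    auth_tag, cred, _ = read_tlv(bind, pos)
    dn = name.decode("utf-8", "replace")
    if auth_tag != 0x80:               # not the simple choice, e.g. 0xA3 for SASL
        return ("sasl", dn, "ok")
    if not cred:                       # empty password: anonymous or unauthenticated bind
        return ("anonymous", dn, "ok") if not dn else ("unauthenticated", dn, "empty password with a DN")
    return ("simple", dn, "ok" if tls else "password sent in cleartext")

# Constructed sample: a simple bind as it would appear on an unencrypted connection.
SAMPLE = encode_simple_bind(1, "uid=jdoe,ou=people,dc=example,dc=com", "constructed-secret")
```

Calling `classify_bind(SAMPLE)` reports the bind as `simple` with the finding `password sent in cleartext`; passing `tls=True` for traffic known to have been carried inside SSL clears the finding.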

On the web you can find free LDAP directory client software development kits for creating your own LDAP clients.


Java

  • Java Naming and Directory Interface (JNDI) technology supports directory access through LDAP and DSML from Java applications, and is part of the Java platform. With JNDI, you can build powerful, portable, directory-enabled applications that do not depend on classes outside the Java platform. The upside is that you do not need to install additional client libraries. JNDI provides an abstract model that lets you access not only directories, but also naming services in general, including DNS, RMI, COS, and file systems. The downside is that even if you already know LDAP, you still have to learn JNDI. The JNDI Tutorial contains descriptions and examples of how to use JNDI. The tutorial is at http://java.sun.com/products/jndi/tutorial/.
  • The Mozilla LDAP Java SDK offers an API that is more readily comprehensible than JNDI if you already know LDAP. The API was the subject of Internet-Draft work that did not result in a standard. The code is published in open source form as part of the Mozilla Directory SDK project. See http://www.mozilla.org/directory/.
  • LDAP SDK for Java from UnboundID provides a recent Java implementation of an LDAP API, with additional features not available in older Java APIs. For more, see http://www.unboundid.com/products/ldapsdk/.
  • LDAP Classes for Java follow the Internet-Draft work. Novell makes the LDAP Classes for Java available through their developer community. See http://developer.novell.com/wiki/index.php/LDAP_Classes_for_Java.


C

  • The Mozilla LDAP C SDK, also based on the Internet-Draft work that did not become a standard, is available on a wide range of platforms. The Mozilla LDAP C SDK also provides support for core LDAP operations, and for LDAP v3 extensions and widely used controls. Sun Directory Server uses this API, as do the address book applications associated with Firefox. (Try a valid LDAP URL in your browser.) Mozilla LDAP C SDK code is published in open source form as part of the Mozilla Directory SDK project. See http://www.mozilla.org/directory/.
  • OpenLDAP C API. Many GNU/Linux distributions provide OpenLDAP support. The OpenLDAP C API is based on an Internet-Draft that never became a standard. The API closely follows LDAPv3, providing support for core LDAP operations and for LDAPv3 extensions and widely used controls. LDAP support for languages such as PHP and Python is available through wrappers for OpenLDAP. For an introduction to the OpenLDAP API, see the LDAP(3) man page.
  • Solaris LDAP C API. The native LDAP library on Solaris systems provides nearly the same API as the Mozilla C SDK. Many clients need only be recompiled to work with Solaris libldap. The LDAP library on Solaris systems is not, however, compatible with libldap from OpenLDAP. For an introduction to the Solaris OS libldap library, see the ldap(3LDAP) man page. (Thanks for reading my non-cross-platform plug. ;-)



PHP

PHP can be compiled with LDAP wrappers for the OpenLDAP C implementation. You must download the OpenLDAP libraries to use the PHP LDAP API. See http://php.net/manual/en/book.ldap.php.


Python

The python-ldap package wraps the OpenLDAP C implementation, with additional capabilities to handle LDIF, LDAP URLs, and so forth. See http://www.python-ldap.org/.

Other Languages

The list here is a start. A number of other languages also provide LDAP support. Ruby has the Ruby/LDAP extension module. An Objective-C LDAP framework is available. So is LDAP support in C#. There are no doubt others.

According to my own experience, when searching for a Java client API, I would rather recommend the Novell LDAP Classes for Java at least until either a relevant JSR is published or OpenDS 2.4 is released: according to its current roadmap, OpenDS 2.4 should propose a modern Java client API.

Novell's API removes the burden of creating a whole context, since it's a high level API, in comparison with JNDI which is very low level. Of course, JNDI is more generic since it can be used for other types of repositories than LDAP, but in the LDAP world it usually lacks some high level features or makes them harder to code and implement.

Posted by Cyril GROSJEAN on January 15, 2010 at 10:32 AM CET #

Thanks, Cyril, for the comment regarding Novell's LDAP API.

Yes, the API for OpenDS is in progress and should be available for use soon. I know Ludovic Poitou has begun putting together some documentation on the OpenDS LDAP SDK, and added a top-level page at https://www.opends.org/wiki/page/LDAPSDK.

Posted by Mark Craig on January 18, 2010 at 02:53 AM CET #


Mark Craig writes about Directory Services products and technologies. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

