LDAP For Beginners

To get started with LDAP, you first need to know what a directory is. A directory is a specialized list that lets you quickly look up information about the things the directory references. For example, a telephone directory is an alphabetic list of people and organizations with phone numbers, and often addresses, too. A corporate directory is a database of people, network resources, organizations, and so forth. The corporate database probably holds not just phone numbers, but also other information like email addresses, employee and department numbers, and application configuration data. The corporate directory is managed by a directory server, which takes requests from client applications and serves them back directory data from the database.

LDAP, Lightweight Directory Access Protocol, provides a standard language that directory client applications and directory servers use to communicate with one another about data in directories. LDAP applications can search, add, delete and modify directory data. LDAP is a lightweight version of the earlier DAP, Directory Access Protocol, used by the International Organization for Standardization X.500 standard. DAP gives any application access to the directory through an extensible and robust information framework, but at a high administrative cost. DAP does not use the Internet standard TCP/IP protocol, has complicated directory naming conventions, and generally requires a big investment. LDAP preserves most features of DAP at lower cost. LDAP uses an open directory access protocol running over TCP/IP and uses simplified encoding methods. LDAP retains the X.500 standard data model and can support millions of entries for a comparatively modest investment in hardware and network infrastructure.

LDAP directories differ from relational databases. In LDAP, you do not look data up in tables. Instead, you look data up in trees, similar to the tree you get if you diagram the contents of a file system. The data is not in rows and columns, but in what are called entries. These entries are much like entries in the phone book. Entries may even actually contain phone numbers. Here is a text representation of an LDAP entry.

dn: uid=bjensen, ou=People, dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
givenname: Barbara
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: bjensen
mail: bjensen@example.com
telephonenumber: +1 408 555 1862
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 0209
userpassword: hifalutin

An LDAP entry is composed of attributes and their values. At the outset of the text representation you see the DN, Distinguished Name, uid=bjensen, ou=People, dc=example,dc=com. The DN is a distinguished name, because it distinguishes the entry from all others in the directory. You also see attributes like CN, Common Name, which takes values Barbara Jensen and Babs Jensen. You further see attributes like SN, surname, which takes the value Jensen, and mail, which takes the value bjensen@example.com.

You also see some objectClass attribute values. The objectClass attribute tells you what other attribute types the entry can have. Object class definitions are found in directory schema. Schema specify all the known object classes and attribute types available for entries in the directory. You can add schema definitions to LDAP directories, making the LDAP entries easily extensible.

When you want to look up something in a directory, you typically know the values of one of the attributes. By analogy, if you want to look up a phone number, you already know the name of the person or organization whose telephone number you want. If you are looking up a phone number, you also probably have some idea where the person or organization is located. The same is the case for LDAP directories. You typically need to have some idea where the entry is located.

For example, assume you want to look up Barbara Jensen’s phone number in the LDAP directory holding the entry shown previously. You need to know one of the attributes. In this case, you know Barbara’s name. You also need to know approximately where her entry is located. If you know that she is in the directory at Example.com, and that the root of their tree starts at dc=example,dc=com, that is enough.

There are GUI tools out there for LDAP lookups, but many systems also have a command called ldapsearch. You guessed it, ldapsearch is for searching LDAP directories. Here is an ldapsearch command that searches the entries under dc=example,dc=com for entries having common name Barbara Jensen.

$ ldapsearch -b dc=example,dc=com "(cn=Barbara Jensen)"

The argument to the -b option is the base DN for the search. By default, the ldapsearch command searches through all the entries in the tree below the base DN. The "(cn=Barbara Jensen)" is called the filter, because it tells me the criteria for filtering through the entries found under the base DN. If you have set everything up correctly, your search returns something very much like the entry shown above, except that you almost surely will not see the user password attribute and its value. You can also narrow the search results to see only the DN of the entry and the telephone number. You do this by adding the attribute or attributes you want returned after the filter.

$ ldapsearch -b dc=example,dc=com "(cn=Barbara Jensen)" telephoneNumber

If everything works as expected, this search returns a partial entry.

dn: uid=bjensen, ou=People, dc=example,dc=com
telephonenumber: +1 408 555 1862

Stay tuned for more.


I know that when I get comments and feed back it prompts me to write more, so I wanted to do the same for you :) I have found many of the blogs here at blog.sun.com very useful in my role as LDAP/Messaging guy, and I figure the more of you folks who write, the more information that is out there and available, especially for the darker nooks and crannies of the products. I also want to congratulate all the doc guys for doing such a good job making the docs so much better. I have been a user since the Netscape days and have seen a real improvement in the breadth and depth of the docs.

Posted by Michael Puskar on February 21, 2007 at 05:28 AM CET #

Hello Mr.Craig,

Thanks for a very well compiled and a crystal clear article on LDAP. I am a beginner and I liked the way you put your words. Please try to post something more.

Thanks a lot once again.

Posted by Rocky on May 23, 2009 at 04:57 AM CEST #

Its a really nice article... keep it up ! :)
Can you post some more info also?

Posted by guest on June 14, 2009 at 07:45 AM CEST #

Hi Mr.Craig,
It gives me brief introduction to LDAP, It will be great if u can provide more information about a opensource LDAP server.


Posted by Jineesh on August 11, 2009 at 05:45 AM CEST #

Thanks. I will find time to post more in this vein.

Concerning open source LDAP servers, I am partial to OpenDS, which is Java-based. Ludo, http://blogs.sun.com/ludo, published a number of entries recently following the release of OpenDS 2.0. You will also find quite a bit in terms of both user and developer documentation on the Wiki at https://www.opends.org/wiki.

Another popular open source LDAP server is OpenLDAP. OpenLDAP has been around for a long time, and is currently probably the default LDAP server on most Linux systems. For more, see http://www.openldap.org/.

Posted by Mark Craig on August 11, 2009 at 06:06 AM CEST #

its good explanation for ldap briefly,

Posted by guest on March 09, 2010 at 06:21 AM CET #

Nice article,

The only thing that not clear to me is the Objectclass attribute.
Can somebody provide me a better explaination?

Many thanks!

You also see some objectClass attribute values. The objectClass attribute tells you what other attribute types the entry can have. Object class definitions are found in directory schema. Schema specify all the known object classes and attribute types available for entries in the directory. You can add schema definitions to LDAP directories, making the LDAP entries easily extensible.

Posted by Justin on March 10, 2010 at 09:07 AM CET #

Justin, I wonder if the explanation of LDAP object classes at http://www.ldapman.org/articles/intro_to_ldap.html#customizing helps.

Posted by Mark Craig on March 11, 2010 at 08:16 AM CET #

Yeah, I agreed with Justin that the paragraph on object class is a little bit too "light". Fortunately, I've found another article at the following link which gave me a better and concrete explanation:

Look at "LDAP is object-oriented" section.

From that, I understood that not only "...what other attribute types the entry can have", but also "what other attribute types the entry \*MUST\* have". This is very important.

Posted by Seak T.F. on May 25, 2010 at 10:17 AM CEST #

Really very informative!!!

Posted by Abhishek Srivastava on June 23, 2010 at 07:02 AM CEST #

hi all,

i wanted to configure ldap on rhel5. can any one send the steps to do it .plz

Posted by amjath on July 06, 2010 at 09:08 AM CEST #

Amjath, it turns out that all the basic configuration steps for Oracle DSEE and for OpenDS for example are platform independent.

The cross-platform docs are available under http://docs.sun.com/app/docs/coll/1819.1 for the latest DSEE, and https://www.opends.org/wiki/page/OpenDSUserDocumentation for OpenDS.

Posted by Mark Craig on July 06, 2010 at 10:20 AM CEST #

There's one more platform independent LDAP server which is based on Java: Apache Directory Server (http://directory.apache.org/)

But for the time being, its doc for new user isn't very well done.

Posted by Seak T.F. on July 06, 2010 at 11:11 AM CEST #

thanks for your very clear and simple explanation

Posted by shantanu on July 19, 2010 at 11:37 PM CEST #

this is good artical

Posted by JEEVAN on July 23, 2010 at 11:55 AM CEST #


Posted by Allen Hu on August 11, 2010 at 01:43 AM CEST #

Great explanation and examples - especially helpful for beginners. It finally makes sense.

Posted by Shannon on October 26, 2010 at 09:44 AM CEST #

thanks for a nice and useful brief about ldap.

Posted by bharath on January 10, 2011 at 02:56 AM CET #

Post a Comment:
  • HTML Syntax: NOT allowed

Mark Craig writes about Directory Services products and technologies. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.


« April 2014