What Is LDAP
http://spider4.spiderlink.com/cfdocs/Developing_Web_Applications_wit...
What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol that enables organizations to arrange directory information in a hierarchy. Note that in this case, "directory" refers to a collection of information something like a telephone directory, not a collection of files in a folder on a disk drive. An LDAP directory is, in essence, a database, usually with a hierarchical structure (although this is not a requirement). It offers performance advantages over conventional databases, and its operations are familiar to database users. LDAP supports a flat, or one-level, structure as readily as multiple levels. The illustration below shows a simplified tree of entries from the root level to the individual level.
The complexity and flexibility allowed in this structure is a key to LDAP's success. A directory's structure abstracts the structure of the organization it represents. Properly devising and maintaining this structure is the LDAP server administrator's responsibility. The type, quantity, and accessibility of the information for individual entries will obviously vary widely across organizations and their LDAP servers.
LDAP attributes
Following is a list of the common attributes:
Common LDAP Attributes

Attribute Name    Description
c                 country
st                state or province
l                 locality
o                 organization
ou                organizational unit
cn                common name
sn                surname
Key Terms
Following is a brief description of the LDAP information structure.
1 of 2
8/1/2011 5:41 PM
Entry
The basic information object of LDAP is the entry. An entry is composed of attributes, each of which has a type defining what information can be contained in the attribute's values and what behaviors the attribute exhibits during processing. Entries are subject to content rules that specify their required and optional attributes. Content rules can be defined in the syntax or on the LDAP server.
Distinguished name
A naming convention for LDAP entries ensures compliance with the protocol regardless of the complexity of directory trees. LDAP name syntax begins at the entry level and specifies each level up to the root. In other words, it proceeds from the individual to the global. The Distinguished Name of an entry locates it in the directory tree. Each Distinguished Name (DN) is made up of Relative Distinguished Names (RDNs) that contain one or more of the entry's attributes. As with file system pathnames and URLs, entering the correct LDAP name format is essential to successful search operations.
Scope
Sets the limits of a search from the starting point of a query. The default is one level below the distinguished name specified in the Start attribute. If, for example, the Start attribute is "ou=support, o=allaire" the level below "support" is searched. You can optionally restrict a query to the level of the Start entry or extend it to the entire subtree.
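The following worked example is added here and is not part of the original ColdFusion documentation. It shows the two ideas from the Distinguished name and Scope sections above in code: splitting a DN into its RDNs from the individual up to the root, escaping attribute values per RFC 4514 so that a value typed into a query form cannot be misread as an extra RDN, and applying the base, one-level and subtree scopes to a small constructed tree rooted at "o=allaire". The entries, names and function names (split_dn, escape_rdn_value, build_child_dn, search) are all assumptions made for this example; the rule that one-level is the default matches the text above.

```python
"""Added example (not from the original page): DN parsing, RDN value escaping
(RFC 4514) and LDAP search scopes over a constructed in-memory directory."""
from typing import List, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 s2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN safely.
    Without this, a form value such as 'x, ou=sales' would be parsed as an
    additional RDN and point the query at a different part of the tree."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # leading/trailing space must be escaped
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading '#' would start a hex value
        else:
            out.append(ch)
    return ''.join(out)


def build_child_dn(attr: str, value: str, base_dn: str) -> str:
    """Build the DN of an entry one level below base_dn from an untrusted value."""
    return f"{attr}={escape_rdn_value(value)}, {base_dn}"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, most specific first,
    honouring backslash escapes. Values keep their escaped form.
    Multi-valued RDNs joined with '+' are not handled here."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == ',':
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append(''.join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition('=')
        pairs.append((attr.strip().lower(), val.lstrip()))
    return pairs


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Case-fold attribute types and values so DNs compare the way most
    directory servers compare them (case-insensitive matching)."""
    return tuple((a, v.lower()) for a, v in split_dn(dn))


# Constructed directory: a tiny tree under the organization used in the text.
DIRECTORY = [
    "o=allaire",
    "ou=support, o=allaire",
    "cn=Alice Smith, ou=support, o=allaire",
    "cn=Bob Jones, ou=support, o=allaire",
    "ou=tier2, ou=support, o=allaire",
    "cn=Carol White, ou=tier2, ou=support, o=allaire",
    "ou=sales, o=allaire",
    "cn=Dan Brown, ou=sales, o=allaire",
]


def search(start_dn: str, scope: str = "onelevel",
           entries: List[str] = DIRECTORY) -> List[str]:
    """Return the DNs that fall within `scope` of `start_dn`.
    base     -> only the start entry itself
    onelevel -> entries exactly one level below the start (the default)
    subtree  -> the start entry and everything beneath it"""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError(f"unknown scope: {scope}")
    base = normalize_dn(start_dn)
    n = len(base)
    hits = []
    for dn in entries:
        parts = normalize_dn(dn)
        if len(parts) < n or parts[-n:] != base:
            continue                   # not under the start entry at all
        depth = len(parts) - n         # 0 = the start entry itself
        if (scope == "base" and depth == 0) or \
           (scope == "onelevel" and depth == 1) or \
           scope == "subtree":
            hits.append(dn)
    return hits


if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        print(scope, search("ou=support, o=allaire", scope))
    print(build_child_dn("cn", "x, ou=sales", "ou=support, o=allaire"))
```

The default one-level search from "ou=support, o=allaire" returns the two people and the "tier2" unit directly under support, but not Carol White one level further down; switching to subtree includes her and the start entry itself. The last print shows why escaping matters in a query form: the comma in the submitted value is escaped, so the DN still has three RDNs instead of four.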
Referral
While not supported directly in the LDAP2 standard, the ability of an LDAP server to refer a client query to another server is an attractive feature and has been implemented in the Netscape and University of Michigan servers. ColdFusion developers need to be aware of the possibilities for referrals when designing their query forms. You can pass the original login credentials to other servers that you may connect to when resolving a referral.
References
Extensions to the LDAP protocol are ongoing and it is widely supported in the Internet community. Additional material on LDAP is available from these sources:

The LDAP specification was originally developed at the University of Michigan. Their site http://www.umich.edu/~dirsvcs/ldap/index.html contains a wealth of information and resources.

The stated purpose of the Internet Engineering Task Force LDAP Extensions Working Group is to "...define and standardize extensions to the LDAP version 3 protocol and extensions to the use of LDAP on the Internet." Their site is at http://www.ietf.org/html.charters/ldapext-charter.html.

The Directory Enabled Networks (DEN) specification, based on LDAP, is under development by a number of vendors, including Microsoft and Cisco Systems. You can follow the progress of this proposed standard at the DEN Ad Hoc Working Group site at http://murchiso.com/den/.