Lightweight Directory Access Protocol (LDAP) for reading and editing directories over an IP network
The Lightweight Directory Access Protocol is an application protocol for reading and editing directories that follow the Directory Information Model over an IP network using unsecured TCP/IP, TLS or SSL. LDAP is a binary protocol described in terms of ASN.1 and transmitted using ASN.1 Basic Encoding Rules (BER).
A directory is a hierarchical collection of records known as a Directory Information Base, or when visualized, as a Directory Information Tree. The directory model should be visualized as an upside-down tree, much like a UNIX file-system. The root of the Directory Information Tree is known as the prefix
or namingContext
. The namingContext, supported versions of the protocol, supported features and supported controls (operation semantics modifiers) and other information can be discovered by querying the root DSE, though the information might be protected by access controls.
Clients (Directory User Agents) issue requests to the directory server (Directory System Agent) and the directory server returns an appropriate response, which could be success (which might include requested entries from the Directory Information Tree in the case of a search), or an indication of success or failure of a search, add, modify, delete, moddn (rename) or extended operation. Controls might be used to alter the semantics of a request, for example, a sort control
might be included with a search request to sort the returned entries (known as a server-side sort). Without the inclusion of the sort control in the search request, entries returned from search operations are not ordered, and must not be ordered. Clients must not expect that entries are ordered in any way.
Modern directory servers support a high-speed replication mechanism which is not defined by the standard, though there have been some attempts at defining a replication standard. Therefore, replication and the protocol used for replication is vendor-specific. If data must be synchronized between directory servers from different vendors, a synchronization device must be used.
Most modern programming languages have an LDAP SDK, including Java, PHP, Perl, C/C++, and others. Directory Server software usually comes equipped with a set of command line tools such as ldapsearch
, ldapmodify
, and others.
Directory Information Trees accessed by the LDAP protocol are used in authentication and authorization applications, configuration storage, profile storage, public-key infrastructure and other applications requiring:
- speed of access
- a small, light-weight protocol
- A simple programming model
- easily configured replication, redundancy, and failover
Questions that are specific to Active Directory should not be tagged with the LDAP tag unless the question is specifically related to the protocol or the Directory Information Model. Active Directory provides an LDAP interface, but that interface does not fully implement the LDAP standard, and deviates from it in important ways. Therefore, there are questions that can be answered specific to Active Directory that are not applicable to standards-compliant LDAP servers and vice versa. Correctly tagging a questions will result in a higher probability of an accurate, timely response.