slapd's directory service model is based on a global directory model called LDAP, the Lightweight Directory Access Protocol. LDAP is a directory service protocol that runs over TCP/IP. The details of LDAP are defined in RFC 1777, The Lightweight Directory Access Protocol, which describes protocol version 2; version 3, the one current servers and clients speak, is specified in RFC 4511 and its companion documents (RFC 4510 through RFC 4519). This topic gives an overview of LDAP from a user's perspective.
It is worth noting that LDAP borrows much of its terminology from X.500, the OSI directory service. The relationship between LDAP and X.500 is discussed in ``LDAP and X.500''.
The LDAP directory service model is based on entries. An entry is a collection of attributes that has a name, called a distinguished name (DN). The DN is used to refer to the entry unambiguously. The most common sort of entry in a directory service is a ``person''. The entry will contain information such as name, address, telephone number, and other ``whitepages''-style categories.
Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like cn for common name, or mail for email address. The values depend on what type of attribute it is. For example, a mail attribute might contain the value ``liama@antbear.com''. A jpegPhoto attribute would contain a photograph in binary JPEG/JFIF format.
In LDAP, directory entries are arranged in a hierarchical tree-like structure that reflects political, geographic and/or organizational boundaries. In the traditional X.500 arrangement, entries representing countries appear immediately below the root. Below the countries are entries representing states or national organizations. Below those might be entries representing people, organizational units, printers, documents, or anything else you can think of. (Many Internet deployments instead root the tree in a DNS domain name, for example ``dc=example, dc=com'', as described in RFC 2247.)
An individual within an LDAP directory hierarchy might therefore be identified by the following sequence (country, state, organization and common name):
In addition, LDAP lets you control which attributes are required and which are allowed in an entry through a special attribute called objectClass. The values of the objectClass attribute select the schema rules the entry must obey: each object class lists the attributes an entry MUST carry and the attributes it MAY carry, and a server that enforces schema checking rejects an add or modify that would leave the entry without a required attribute or carrying one that none of its classes allows.
An entry is referenced by its distinguished name, which is constructed by taking the name of the entry itself (called the relative distinguished name, or RDN) and concatenating the names of its ancestor entries. For example, the entry for Liam Q Antbear in the example has an RDN of ``cn=Liam Q Antbear'' and a DN of ``cn=Liam Q Antbear, o=Antbear, Lucid & Popp''. Note that the organization's name itself contains a comma; in the string form of a DN a comma separates RDNs, so a comma inside a value must be quoted or escaped (``o="Antbear, Lucid & Popp"'' in the RFC 1779 quoted form, ``o=Antbear\, Lucid & Popp'' in the current backslash form), or a parser will split the name into pieces. The full DN string format is described in RFC 1779, A String Representation of Distinguished Names, which has since been replaced by RFC 4514.
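As an added illustration (not code from the guide or from slapd), the following Python builds an entry along the lines of the one just described, checks it against abridged objectClass rules taken from RFC 2256 and RFC 2798, and produces the DN string with RFC 4514 escaping so the comma inside ``Antbear, Lucid & Popp'' is not taken for an RDN separator. The ``c=US'' component, the abridged schema tables and the sample attribute values are assumptions made for the example.

```python
# Added example, not code from the slapd guide: an entry modelled as a DN plus
# attributes, checked against abridged objectClass rules, with the DN string
# built so that the comma in "Antbear, Lucid & Popp" survives (RFC 4514 escaping).

# MUST/MAY lists abridged from RFC 2256 (person, organizationalPerson) and
# RFC 2798 (inetOrgPerson); slapd's own schema files are authoritative.
SCHEMA = {
    "top":    {"sup": None,  "must": {"objectClass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userPassword", "telephoneNumber", "seeAlso", "description"}},
    "organizationalPerson": {"sup": "person", "must": set(),
               "may": {"title", "ou", "st", "l", "street", "postalCode",
                       "postalAddress", "facsimileTelephoneNumber"}},
    "inetOrgPerson": {"sup": "organizationalPerson", "must": set(),
               "may": {"mail", "jpegPhoto", "uid", "givenName", "displayName", "o"}},
}

def required_and_allowed(object_classes):
    """Union the MUST and MAY sets of each listed class and all its superiors."""
    must, may = set(), set()
    for oc in object_classes:
        while oc is not None:
            if oc not in SCHEMA:
                raise ValueError(f"unknown objectClass: {oc}")
            must |= SCHEMA[oc]["must"]
            may |= SCHEMA[oc]["may"]
            oc = SCHEMA[oc]["sup"]
    return must, may

def schema_violations(entry):
    """List the rules the entry breaks; an empty list means it obeys its classes."""
    attrs = {k.lower(): v for k, v in entry.items()}   # attribute types are case-insensitive
    if not attrs.get("objectclass"):
        return ["entry has no objectClass attribute"]
    try:
        must, may = required_and_allowed(attrs["objectclass"])
    except ValueError as e:
        return [str(e)]
    must = {m.lower() for m in must}
    allowed = must | {m.lower() for m in may}
    present = set(attrs)
    return ([f"missing required attribute: {m}" for m in sorted(must - present)] +
            [f"attribute not allowed by objectClasses: {a}" for a in sorted(present - allowed)])

DN_SPECIALS = set(',+"\\<>;')

def escape_dn_value(value):
    """Escape one attribute value for the string form of a DN (RFC 4514, section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def build_dn(rdns):
    """rdns: (type, value) pairs, the entry's own RDN first, then each ancestor."""
    return ",".join(f"{t}={escape_dn_value(v)}" for t, v in rdns)

def split_dn(dn):
    """Inverse of build_dn: split only on unescaped commas and undo the escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in DN_SPECIALS or nxt in " #":
                buf.append(nxt)
                i += 2
            else:                                   # \XX hex pair
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [tuple(r.lstrip().partition("=")[::2]) for r in rdns]

if __name__ == "__main__":
    # Constructed entry for the guide's Liam Q Antbear; c=US is an assumption
    # following the country/organization/common-name sequence described above.
    rdns = [("cn", "Liam Q Antbear"), ("o", "Antbear, Lucid & Popp"), ("c", "US")]
    dn = build_dn(rdns)
    print(dn)                       # cn=Liam Q Antbear,o=Antbear\, Lucid & Popp,c=US
    print(split_dn(dn) == rdns)     # True: the escaped comma is not a separator
    print(len(dn.split(",")))       # 4: a naive split breaks the organization's name
    entry = {"objectClass": ["inetOrgPerson"], "cn": ["Liam Q Antbear"],
             "sn": ["Antbear"], "mail": ["liama@antbear.com"]}
    print(schema_violations(entry))                                        # []
    print(schema_violations({"objectClass": ["person"], "cn": ["Liam"], "mail": ["x"]}))
    # ['missing required attribute: sn', 'attribute not allowed by objectClasses: mail']
```

The point of split_dn against a plain split on commas is the one that matters operationally: any code that derives a parent DN, a base for a search, or an access-control decision from a DN string must honour the escapes, or an entry whose name contains a comma will be placed, or authorized, under the wrong parent.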
LDAP defines operations for interrogating and updating the directory. Operations are provided for adding and deleting an entry from the directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory to be searched for entries that match some criteria specified by a search filter. Information can be requested from each entry that matches the criteria.
For example, you might want to search the entire directory subtree below Antbear, Lucid & Popp for people with the name Liam Q Antbear, retrieving the email address of each entry found. LDAP lets you do this easily. Or you might want to search the entries directly below the ``c=US'' entry for organizations with the string ``Acme'' in their name, and that have a fax number. LDAP lets you do this too. ``How does LDAP work?'' describes in more detail what you can do with LDAP and how it might be useful to you.
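The two searches just described, as an added example that is not code from the guide or from slapd: it builds the search filters with RFC 4515 escaping of the assertion values, which is also what stops a user-supplied name such as ``*)(uid=*'' from rewriting the filter, and evaluates them against a small constructed directory. Only the filter is modelled, not the search base or scope; matching is case-insensitive, as it is for caseIgnore attributes such as cn and o. The entries, values and helper names are constructed for the example.

```python
import re

# Added example, not from the slapd guide: build RFC 4515 search filters with
# escaped assertion values and evaluate them against constructed entries the
# way a server's search operation would. Matching is case-insensitive, which
# is right for caseIgnore attributes such as cn and o; base DN and scope are
# not modelled, only the filter.

def escape_filter_value(value):
    """Escape an assertion value (RFC 4515 section 3): * ( ) \\ and NUL become \\XX."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)

def equality(attr, value):   return f"({attr}={escape_filter_value(value)})"
def contains(attr, value):   return f"({attr}=*{escape_filter_value(value)}*)"
def present(attr):           return f"({attr}=*)"
def and_(*filters):          return "(&" + "".join(filters) + ")"

def parse(f, i=0):
    """Recursive-descent parse of f starting at f[i] == '('; returns (node, next_index).
    Escaped parentheses are hex pairs, so a literal ')' always ends an item."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, raw = f[i:end].partition("=")
    return ("item", attr, raw), end + 1

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _values(entry, attr):
    return [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]

def matches(node, entry):
    if node[0] == "item":
        _, attr, raw = node
        values = _values(entry, attr)
        if raw == "*":                       # presence
            return bool(values)
        pieces = [_unescape(p).lower() for p in raw.split("*")]
        if len(pieces) == 1:                 # equality
            return pieces[0] in values
        pattern = ".*".join(re.escape(p) for p in pieces)   # substring
        return any(re.fullmatch(pattern, v, re.DOTALL) for v in values)
    op, kids = node
    if op == "&": return all(matches(k, entry) for k in kids)
    if op == "|": return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)       # "!"

def search(entries, filter_str, attrs=None):
    """Return [(dn, {attr: values})] for the entries matching filter_str."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing garbage in filter")
    hits = []
    for dn, entry in entries:
        if matches(node, entry):
            hits.append((dn, {a: entry[a] for a in (attrs or entry) if a in entry}))
    return hits

# Constructed sample directory (not real data).
SAMPLE = [
    ("cn=Liam Q Antbear,o=Antbear\\, Lucid & Popp,c=US",
     {"objectClass": ["person"], "cn": ["Liam Q Antbear"], "sn": ["Antbear"],
      "mail": ["liama@antbear.com"]}),
    ("cn=Pat Example,o=Antbear\\, Lucid & Popp,c=US",
     {"objectClass": ["person"], "cn": ["Pat Example"], "sn": ["Example"],
      "mail": ["pat@antbear.com"]}),
    ("o=Acme Widgets,c=US",
     {"objectClass": ["organization"], "o": ["Acme Widgets"],
      "facsimileTelephoneNumber": ["+1 555 0100"]}),
    ("o=Acme Labs,c=US",
     {"objectClass": ["organization"], "o": ["Acme Labs"]}),
]

if __name__ == "__main__":
    print(search(SAMPLE, equality("cn", "Liam Q Antbear"), ["mail"]))
    print(search(SAMPLE, and_(contains("o", "Acme"), present("facsimileTelephoneNumber"))))
    # Injection: a raw "*" from the user matches every person; the escaped
    # form "(cn=\2a)" looks for a literal asterisk and matches nothing.
    user = "*"
    print(len(search(SAMPLE, f"(cn={user})")), len(search(SAMPLE, equality("cn", user))))
```

The last two lines are the check worth keeping in mind whenever a filter is assembled from user input: the difference between ``(cn=*)'' and ``(cn=\2a)'' is the difference between returning the whole subtree and returning nothing.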
Some directory services provide no protection, allowing anyone to see the information. LDAP provides a method for a client to authenticate, or prove its identity, to a directory server (the bind operation), paving the way for rich access control to protect the information the server contains. Two caveats for the practitioner: a simple bind sends the password in the clear, so it should only be used over a TLS-protected connection, and a client that binds with no credentials is treated as anonymous, so the server's access controls, not the bind itself, decide what an anonymous client may read.