TECFA's LDAP Pointers

LDAP is a client-server protocol for accessing a directory service. It was initially used as a front-end to X.500, but can also be used with stand-alone and other kinds of directory servers. So there are stand-alone LDAP servers or middle-ware software. LDAP has become the de facto access method for directory information, much the same as the Domain Name System (DNS) is used for IP address look-up

LDAP is a vendor-independent, open, network PROTOCOL standard and thus is as platform-independent as you can get. LDAP is supported by a lot of vendors (Netscape, Sun, Microsoft, Novell, IBM, ...)

Disclaimer: This page started on March 30, 1999. I am NO LDAP expert AT ALL ! I just got fed up with manually administering email lists of our few students.


At Tecfa LDAP has been used to: At Tecfa LDAP is under investigation for:


Indexes for Documentation


Some RFC's: Other Stuff


Programmer's Tutorials


... randomly found and look at so far ...

Most important indexes



LDAP Development Libraries

DIT, Entries, ObjectClasses, attributes, filters


From IBM's LDAP Redbook, p.25 (PDF Format): entry-model

Object Classes

Standard Object Classes are taken from X.500, they include
    Organizational Unit 

Distinguished Name

Each entry must have a Distinguished Name (DN). It's composed of the entry's relative distinguised name and all of the ancestors of the entry up to the root of the DIT (Directory Information Tree).


dn: uid=roiron,o=tecfa.unige.ch
Note: The relative dn is context dependent, e.g. uid for persons in the Netscape directory, cn for groupOfUniqueNames, etc.

Some common Attributes

From X500 (I believe), e.g. see Summary of the X.500(96) User Schema for use with LDAPv3 (rfc2256). Each attribute value must respect some defined syntax.

Note: If you have a Netscape Server installed clicking on Directory-Server->Schema in the Admin Server or checking the Directory Administration Manual (in particular Appendix B-Attributes and Appendix A (Object Classes)

  cn               CommonName (in principle: givenname + SN)
  co               Country (or sometimes c?)
  dc               DomainComponent
  description      Describes the Entry
  dn               DistinguishedName (Owner)
  drink            favorite drink of a Person
  fax              facsimileTelephoneNumber
  givenname        First Name
  homePostalAddress (each line must be separated with a $)
  keywords         keywords for the entry.
  l                Locality Name
  labeledURI       URL that is relevant in some way to the entry
  mail             Email
  manager          dn of the entry's manager
  member           dn for each member of the group
  memberURL        URL associated with each member of a group
  mobile           entry's mobile or cellular phone number
  o                Organization Name
  organizationalStatus person's role in an organization
  ou               Organizational Unit Name
  personalTitle    like Mr.
  postalAddress    (each line must be separated with a $)
  roomNumber       room number of an object
  sa               Street Address
  secretary        entry's secretary or administrative assistant
  seeAlso          related information
  sn               SurName
  st               State or Province Name
  street           entry's house number and street name
  title            Job Title
  userClass        Specifies a category of computer user

Note: The Netscape Directory Server may contain a lot of entries for their groupware applications (Calendar).

Search Filters

Note that search can be performed on any subtree of the DIT. See for instance the LDAP URL examples below.


attribute OPERATOR value
 =    equal
 >=   bigger than (including alphabetic)
 =*   all entries that have this attribute
 ~=   aprroximate match

 &    and, entries match ALL criteria
 |    or, one of entries must match
 !    not
(| (sn=roiron) (&ou=tecfa) (sn=muller))
.. returns all roiron + all muller that are members of tecfa

The LDIF Format

LDIF is the text format that can be used to export/import information from/into a directory server. Require are the dn and at least one object class definition. Order of attributes is not important. Examples:

A organization:

dn: o=tecfa.unige.ch
objectclass: top
objectclass: organization
o: tecfa.unige.ch

Organizational Unit:

dn: ou=tecfa,o=tecfa.unige.ch
objectclass: top
objectclass: organizationalUnit
ou: tecfa
description: TECFA

A person:

dn: uid=roiron,o=tecfa.unige.ch
userpassword: ....
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: nsCalUser
givenname: Cyril
sn: Roiron
cn: Cyril Roiron
uid: roiron
mail: roiron@fapse.unige.ch
title: Assistant
telephonenumber: 9696



See: LDAP URL Format (RFC-1959)

Filter Syntax (much simplified, see also RFC-1558):


SERVER     = ldap server URL
BASE_DN    = The Base DN
ATTRIBUTES = What attributes to return for found entries
ITEMS      = How many (of the same) attributes to return
FILTER     = Entries must have these attribute value pairs

Some LDAP queries printing WHOLE entries

Some queries printing MUCH less: Restrict search to organizational units (mhh something I don't like here)