TECFA's LDAP Pointers

LDAP is a client-server protocol for accessing a directory service. It was initially used as a front-end to X.500, but can also be used with stand-alone and other kinds of directory servers. So there are stand-alone LDAP servers or middle-ware software. LDAP has become the de facto access method for directory information, much the same as the Domain Name System (DNS) is used for IP address look-up

LDAP is a vendor-independent, open, network PROTOCOL standard and thus is as platform-independent as you can get. LDAP is supported by a lot of vendors (Netscape, Sun, Microsoft, Novell, IBM, ...)

Disclaimer: This page started on March 30, 1999. I am NO LDAP expert AT ALL ! I just got fed up with manually administering email lists of our few students.

LDAP at TECFA

At Tecfa LDAP has been used to:

create structured email directories of our students and ourselves:. Try http://tecfa.unige.ch/tecfa-people/ldap.html

At Tecfa LDAP is under investigation for:

User authentication in Internet applications and more generally "one single authentication/login per user for everything", something the university should actually provide for us :)

Documentation

Indexes for Documentation

RFCs can be found in several places, e.g. at http://www.umich.edu/~dirsvcs/ldap/doc/, at Critical Angle, at X.500 and LDAP: Raw Bibliography of Relevant RFCs, ..

Specifications

Some RFC's:

Lightweight Directory Access Protocol (RFC-1777)
LDAP URL Format (RFC-1959)
String Representation of LDAP Search Filters (RFC-1558)
Summary of the X.500(96) User Schema for use with LDAPv3 (rfc2256)

Other Stuff

The UniCode doc

FAQs

Programmer's Tutorials

The JNDI Tutorial Building directory-enabled Java applications by by Rosanna Lee (at Sun)

Articles

... randomly found and look at so far ...

Introduction to Directories and the Lightweight Directory Access Protocol (Jeff Hodges@Stanford). Good set of introductory slides
Why do I need a Directory when I could use a Relational Database? Powerpoint slides from a talk given at Stanford
An Internet Approach To Directories (Netscape specific, but has general value)
IBM's LDAP Redbook (PDF Format). EXCELLENT !
LDAP: The next-generation directory? SunWorld Article. Good overview, includes pointers to on-line specs

Most important indexes

LDAP Central. Good and large Index (has most major links)
Netscape's Directory Developer Centeral. Good ressource (with a lot of Netscape centered information of course, but more ...)
LDAP Quellen
Webopedia's LDAP Page
Innosoft's LDAP World (no longer fully maintained ?)
OpenLDAP
University of Michigan's Lightweight Directory Access Protocol
LDAP at Yahoo
Mark Wilcox's List o' Links on LDAP minimalistic presentation, but good stuff
LDAP Resources A short rated list from B. Foote

"Directory" Entries at Dmoz

Software

Clients

Netscape Communicator is LDAP aware. The ldap URLs work and its mail client can access LDAP servers. See also: Customizing LDAP Settings For Communicator 4.5. (Important information on how to edit/configure preferences.js).
Microsoft, Pine, Eudora are also LDAP aware (but we don't use these much)
LDAP Browser/Editor Java-based GUI
LDAP Web Exploter. (PHP) Under development, dead ?
IMAP webMail Program PHP scripts featuring IMAP, LDAP, MySQL (and others) and more ...
Xax500 ...
gq - The Gentleman's LDAP client Recent X Client (needs gtk installed). Works fine (but I did not figure out how to edit so far empty attributes)
Under development: Plums (Java/Swing)
Python cgi client (ldap-client-cgi.py)

LDAP Development Libraries

We played with the PHP Interface
From OpenLDAP were the libraries compiled into PHP (and they work with Netcape's Calendar Server)
Todo: hava a look at Mozilla's SDK (same as the Netscape ones)
(To do) Java SKs exist from Sun, Netscape, and others
To do: PerlDAP, See Examining PerLDAP Simplifying LDAP access, Dr. Dobbs Article by Troy Neeriemer

DIT, Entries, ObjectClasses, attributes, filters

LDAP Schema Viewer on-line tool from Linux Center(HK) Ltd.
Best doc I found: IBM's LDAP Redbook (PDF Format), in particular chapter 2 (2.2.2 and 2.2.3).

Entries

An entry is a collection of attributes that has a name, called a distinguished name (DN). The DN is used to refer to the entry unambiguously.
Each of the entry's attributes has a type and one or more values.
Entries can be typed with ObjectClasses, i.e. a schema that allows to define which attributes are required and which are optional.
Ususally X500 conventions for defining entries, classes, and attributes types are used (It's not mandatory, but recommended).

From IBM's LDAP Redbook, p.25 (PDF Format): entry-model

Object Classes

Standard Object Classes are taken from X.500, they include

    Alias 
    Country 
    Locality 
    Organization 
    Organizational Unit 
    Person

Distinguished Name

Each entry must have a Distinguished Name (DN). It's composed of the entry's relative distinguised name and all of the ancestors of the entry up to the root of the DIT (Directory Information Tree).

Example:

dn: uid=roiron,o=tecfa.unige.ch

Note: The relative dn is context dependent, e.g. uid for persons in the Netscape directory, cn for groupOfUniqueNames, etc.

Some common Attributes

From X500 (I believe), e.g. see Summary of the X.500(96) User Schema for use with LDAPv3 (rfc2256). Each attribute value must respect some defined syntax.

Note: If you have a Netscape Server installed clicking on Directory-Server->Schema in the Admin Server or checking the Directory Administration Manual (in particular Appendix B-Attributes and Appendix A (Object Classes)

  
  cn               CommonName (in principle: givenname + SN)
  co               Country (or sometimes c?)
  dc               DomainComponent
  description      Describes the Entry
  dn               DistinguishedName (Owner)
  drink            favorite drink of a Person
  employeeType
  fax              facsimileTelephoneNumber
  givenname        First Name
  homePhone
  homePostalAddress (each line must be separated with a $)
  keywords         keywords for the entry.
  l                Locality Name
  labeledURI       URL that is relevant in some way to the entry
  mail             Email
  mailAlternateAddress
  manager          dn of the entry's manager
  member           dn for each member of the group
  memberURL        URL associated with each member of a group
  mobile           entry's mobile or cellular phone number
  o                Organization Name
  organizationalStatus person's role in an organization
  ou               Organizational Unit Name
  personalTitle    like Mr.
  postalAddress    (each line must be separated with a $)
  roomNumber       room number of an object
  sa               Street Address
  secretary        entry's secretary or administrative assistant
  seeAlso          related information
  sn               SurName
  st               State or Province Name
  street           entry's house number and street name
  telephonenumber
  title            Job Title
  userClass        Specifies a category of computer user
  userpassword

Note: The Netscape Directory Server may contain a lot of entries for their groupware applications (Calendar).

Search Filters

Note that search can be performed on any subtree of the DIT. See for instance the LDAP URL examples below.

Syntax:

attribute OPERATOR value

Operators:

 =    equal
 >=   bigger than (including alphabetic)
 <=
 =*   all entries that have this attribute
 ~=   aprroximate match

 &    and, entries match ALL criteria
 |    or, one of entries must match
 !    not

Example:

(| (sn=roiron) (&ou=tecfa) (sn=muller))
.. returns all roiron + all muller that are members of tecfa

The LDIF Format

LDIF is the text format that can be used to export/import information from/into a directory server. Require are the dn and at least one object class definition. Order of attributes is not important. Examples:

A organization:

dn: o=tecfa.unige.ch
objectclass: top
objectclass: organization
o: tecfa.unige.ch

Organizational Unit:

dn: ou=tecfa,o=tecfa.unige.ch
objectclass: top
objectclass: organizationalUnit
ou: tecfa
description: TECFA

A person:

dn: uid=roiron,o=tecfa.unige.ch
userpassword: ....
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: nsCalUser
givenname: Cyril
sn: Roiron
cn: Cyril Roiron
uid: roiron
mail: roiron@fapse.unige.ch
title: Assistant
telephonenumber: 9696

Examples

LDAP URLs

See: LDAP URL Format (RFC-1959)

Filter Syntax (much simplified, see also RFC-1558):

ldap://SERVER/BASE_DN/?ATTRIBUTES?ITEMS?FILTER

SERVER     = ldap server URL
BASE_DN    = The Base DN
ATTRIBUTES = What attributes to return for found entries
ITEMS      = How many (of the same) attributes to return
FILTER     = Entries must have these attribute value pairs

Some LDAP queries printing WHOLE entries

ldap://tecfa2.unige.ch/o=tecfa.unige.ch??sub? ... most everything in our server
ldap://tecfa2.unige.ch/o=tecfa.unige.ch??sub?(sn=*) .. all things that have sn (Surnames)
ldap://tecfa2.unige.ch/o=tecfa.unige.ch??one?(sn=*) .. one of all things that have sn (Surnames)
ldap://tecfa2.unige.ch/o=tecfa.unige.ch??one?(objectClass=person)... Persons only
ldap://tecfa2.unige.ch/o=tecfa.unige.ch??one?(&(objectClass=person)(sn=s*)) (Almost) full entries for persons who's surname starts with "s"

Some queries printing MUCH less:

ldap://tecfa2.unige.ch/o=tecfa.unige.ch?mail?one?(objectClass=person) Prints entries (uid) + mail
ldap://tecfa2.unige.ch/o=tecfa.unige.ch?mail?one?(&(objectClass=person)(sn=s*)) Print Email for all persons who's surname starts with "s"

Restrict search to organizational units (mhh something I don't like here)

ldap://tecfa2.unige.ch/o=tecfa.unige.ch?cn,mail,labeledUri?sub?(ou=staf). Shows Common Name + Emails + labelled URLs of all the members of the "staf" Organizational Unit.
ldap://tecfa2.unige.ch/o=tecfa.unige.ch?cn,labeledUri,mail?sub?(&(studentCategory=staf)(studentpromotion=D)) These are custom entries attached to the tecfaPerson Class

PHP

php-ldap example dir at Tecfa See also the PHP Manual
LDAP Web Exploter. Under development ?

D.K.S.