3. Overview of LDAP

LDAP assumes the same information model and namespace as X.500. It is also client-server based, with one important difference: there are no referrals returned in LDAP. An LDAP server must return only results or errors to a client. If referrals are involved, the LDAP server is responsible for chasing them down. This model is depicted in Figure 2, though the intermediate server shown is not required (i.e., an implementation could choose to have its DSA speak "native" LDAP).

Figure 2. Relationship between LDAP and X.500

The LDAP client-server model includes an LDAP server translating LDAP requests into X.500 requests, chasing X.500 referrals, and returning results to the client.

The LDAP functional model is a subset of the X.500 model. LDAP supports the following operations: search, add, delete, modify, modify RDN, bind, unbind, and abandon. The search operation is similar to its DAP counterpart. A base object and scope are specified, determining which portion of the tree to search. A filter specifies the entries within the scope to select. The LDAP search filter offers the same functionality as the one in DAP but is encoded in a simpler form.

The time and size limit service controls are included directly in the search request. (They are not included with the other operations.) The searchAliases search control and dereferenceAliases service control are combined in a single derefAliases parameter in the LDAP search. The ASN.1 [11] definition of the LDAP search request is shown in Figure 3.

SearchRequest ::= [APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
baseObject (0),
singleLevel (1),
wholeSubtree (2)
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
alwaysDerefAliases (3)
sizeLimit INTEGER (0 .. MaxInt),
timeLimit INTEGER (0 .. MaxInt),
attrsOnly BOOLEAN,
filter Filter,
attributes SEQUENCE OF AttributeType
Filter ::= CHOICE {
and [0] SET OF Filter,
or [1] SET OF Filter,
not [2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeType,
approxMatch [8] AttributeValueAssertion

Figure 3. ASN.1 for the LDAP search operation

The LDAP search operation offers similar functionality to DAP search. It combines search parameters and service controls and simplifies the filter encoding.

The LDAPDN and AttributeType components of the search are encoded as simple character strings using the formats defined in RFC 1779 [5] and RFC 1778 [2], respectively, rather than the highly structured encoding used by X.500. Similarly, the value in an AttributeValueAssertion is encoded as a primitive OCTETSTRING, not a more structured ASN.1 type. The structure is reflected in the syntax of the encoded string, not in the encoding itself.

The results of an LDAP search are sent back to the client one at a time, in separate searchEntry packets. This sequence of entries is terminated by a final searchResult packet that contains the result of the search (e.g., success, a size or time limit was exceeded, etc.). Having a final terminator packet allows clients and servers to stream results more easily, handling one entry at a time. This is especially useful in memory-constrained environments where holding the collection of all entries from a large search is not possible.

The X.500 list and read operations are not included in LDAP. Instead, they are emulated with the LDAP search operation. Read is emulated by a base object search of the entry to read, with a filter testing for the existence of the objectClass attribute. Every entry is required to have an object class and must match this filter. List is emulated by a one level search of the entry to list, also with a filter testing for the existence of the objectClass attribute. If the ability to distinguish alias children from other children (a feature provided by X.500 list) is desired, the objectClass attribute can be retrieved and examined for a value of alias.

The LDAP modify operation also differs slightly from its DAP counterpart. In DAP, four kinds of changes can be made: entire attributes can be added or deleted; individual values can be added or deleted. These capabilities require a client to read an entry before attempting a modify (e.g., when adding a value, to discover whether an add attribute or add value is required).

In LDAP, we simplified the semantics of modify by supporting three operations: add values; delete values; and replace values. If a request is made to add values to an attribute that does not exist in the entry, the attribute is created automatically. If a request is made to delete the last value of an attribute, the entire attribute is deleted. An attribute can also be deleted by specifying a delete values operation without specifying any values. Finally, the replace values construct is used to make an attribute contain the given values after the modify. The LDAP server takes care of translating the replace request into the necessary sequence of modify, add, and delete operations required by X.500.

The LDAP bind operation supports a subset of X.500 bind functionality. It allows only simple authentication, consisting of a clear-text password, and Kerberos version 4 authentication [6], which translates into an X.500 external authentication method. The LDAP bind operation includes a choice of credentials, allowing for future expansion of available authentication methods.

The DAP unbind, abandon, modify RDN, add and delete operations are virtually identical to their DAP counterparts.

[Contents] [Previous] [Next]