An LDAP Roadmap & FAQ

A tutorial aid to navigating various LDAP and X.500 resources on the Internet

Jeff Hodges
Computing and Communication Services
Stanford University

Selected by PC

Last updated: 30-Oct-97

Version 1.0

Overall Contents:


So, for some reason or another you have to figure out more about this stuff variously called X.500, LDAP, "the Directory", the "White Pages Project", etc.....and you're very confused and can't figure out where to start, which documents are relevant to what aspects of this crazy stuff, which ones to read first, which ones provide an overview, where to get what software or anything else. Well, I've been there and done that and thought that I'd put together a kind of road map and high-level FAQ (Frequently Asked Questions) that points off to other Web sites and various docs and kinda provide a helping hand to getting started with this complex, but way-cool, Directory stuff.


X.500 is an overall model for Directory Services in the OSI world. The model encompasses the overall namespace and the protocol for querying and updating it. The protocol is known as "DAP" (Directory Access Protocol). DAP runs over the OSI network protocol stack -- that, combined with its very rich data model and operation set makes it quite "heavyweight". It is rather tough to implement a full-blown DAP client and have it "fit" on smaller computer systems. Thus, the folks at University of Michigan, with help from the ISODE Consortium, designed and developed...

LDAP, or "Lightweight Directory Access Protocol". LDAP is, like X.500, both an information model and a protocol for querying and manipulating it. LDAP's overall data and namesapce model is essentially that of X.500. The major difference is that the LDAP protocol itself is designed to run directly over the TCP/IP stack, and it lacks some of the more esoteric DAP protocol functions.

A major part of X.500 is that it defines a global directory structure. It is essentially a directory web in much the same way that http & html are used to define & implement the gobal hypertext web. Anyone with an X.500 or LDAP client may peruse the global directory just as they can use a web browser to peruse the global Web. Additionally, with the help of web<->X.500 gateways, you can use your favorite web browser to peruse both!

The LDAP Frequently Asked Questions (FAQ) List

The Roadmap

The following is an annotated list of pointers to information sources. Start at the begining if you're an X.500/LDAP/Directory newbie. Else, peruse the list and start whereever seems appropriate. Happy hunting...

Additionally, below's the slides from a talk I've written. It provides an introduction to LDAP, discusses organization and content, and presents directory deployment considerations...

  • "Introduction to Directories and LDAP", Jeff Hodges, June 1997.

    The Attendant Fine Print:

    This document doesnot purport to be the last, best, or most recent word on LDAP or developments in the directory community. THIS DOCUMENT IS UPDATED AND OTHERWISE MAINTAINED ON A BEST-EFFORTS BASIS. This information is provided AS IS, with no guaranties at all. It is the readers' responsibility to keep themselves up-to-date and aware of developments by whatever means they have available. I trust the pointers and info here help in that effort.

    Please be sure to peruse the pages pointed to in the last three (3) items above for information that is likely more current, in terms of recent developments, than that here. Thanks.

    The Basics: An Introduction to LDAP and X.500

    Start here if you're just beginning...

    These are basic introductory documents to directory services in general, and X.500 and LDAP in particular. I've arranged them to be read nominally in this order -- but that's entirely up to the reader. There's a fair amount of overlap in the overview docs, fyi....

  • "Introduction to Directories and LDAP", Jeff Hodges, June 1997. The "Introduction" sections are relevant for those just beginning (duh!).

  • "The Lightweight Directory Access Protocol: X.500 Lite", Timothy A. Howes, July 27, 1995, CITI Technical Report 95-8

    This paper gives a good overview of the X.500 model, and then describes the LDAP model and rationale in detail.

  • "Understanding X.500 - The Directory", David Chadwick, University of Salvord, UK. International Thomson Computer Press edition 1996 ISBN 185 0332 813.
  • rfc1308 J. Reynolds, C. Weider, "Executive Introduction to Directory Services Using the X.500 Protocol", 03/12/1992. (Pages=4) (Format=.txt) (FYI 13)

    This RFC gives a good, concise overview of the X.500 model.

  • rfc1309 S. Heker, J. Reynolds, C. Weider, "Technical Overview of Directory Services Using the X.500 Protocol", 03/12/1992. (Pages=16) (Format=.txt) (FYI 14)

    This RFC builds upon the one above to provide a more detailed technical introduction to how X.500-based directory services work.

  • rfc1684 P. Jurg, "Introduction to White Pages services based on X.500", 08/11/1994. (Pages=10) (Format=.txt)

    This RFC provides an overview of both X.500 basics, plus how X.500-based Directory services globally work in a broad sense.

  • rfc1777 W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access Protocol", 03/28/1995. (Pages=22) (Format=.txt) (Obsoletes RFC1487)

    This RFC is an Internet "Draft Standard". It is the technical counterpart to the "Lightweight Directory Access Protocl: X.500 Lite" paper referenced above, and denotes version 2 of the LDAP protocol (LDAPv2). The Applications area director has stated that LDAPv2 will not progress to "full standard" because of various perceived dificiencies. Thus the IETF's Access and Sychronization of Internet Directories working group is working on LDAPv3. See the section about the IETF working groups, below.

  • rfc1823 T. Howes & M. Smith, "The LDAP Application Program Interface", August 1995. (Format: TXT=41081 bytes)

    This RFC documents the API that LDAP clients utilize to interact with the Directory. This API is implemented in "libldap.a", the code to which is available at the UMich LDAP/X.500 client, server, and general resource repository

  • rfc1960 T. Howes, "A String Representation of LDAP Search Filters", June 1996. (Format: TXT=5288 bytes) (Obsoletes RFC1558)

    This RFC is defines exactly what its title sez it defines. See RFC 1823 shows how search filters are used by the LDAP API.

  • "LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol", T. Howes & M. Smith, Macmillan Technical Publishing, 1997, ISBN 1-57870-000-0.

    This is The Book for folks who want to do exactly what its title says. In quality bookstores near you.

  • Behind the Basics: Schema, Attributes, and Directory Organization

    Look here if you understand the basics and are wondering about stuff such as attributes, their syntaxes, object classes, etc.

    These documents discuss Directory attributes and their syntaxes. You need to read this stuff if you're setting up your directory and mapping your organization's information into the it and/or if you're creating new attributes.


  • rfc1274 P. Barker, S. Kille, "The COSINE and Internet X.500 Schema", 11/27/1991. (Pages=60) (Format=.txt)

  • rfc1779, A String Representation of Distinguished Names. S. Kille. March 1995. (Format: TXT=12429 bytes) (Obsoletes RFC1485)

    The above defines a small set of "short" attribute names, although it doesn't define the full set as is commonly in present use within the LDAP community. Clearly defining those is a topic of future work in the IETF directory-oriented working groups.

  • rfc2079, Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs). M. Smith. January 1997. (Format: TXT=8757 bytes)

  • Preparing Data for Inclusion in an X.500 Directory, Paul Barker, Department of Computer Science, University Colleage London, May 1992

    The above item is a good overview of the subject matter, though with a Quipu orientation. Quipu is an (old) X.500 server implementation from ISODE, Ltd.

  • rfc1279 S. Kille, "X.500 and Domains", 11/27/1991. (Pages=13) (Format=.txt, .ps)

  • rfc1778 T. Howes, S. Kille, W. Yeong, C. Robbins, "The String Representation of Standard Attribute Syntaxes", 03/28/1995. (Pages=12) (Format=.txt) (Obsoletes RFC1488)

  • rfc1617 P. Barker, S. Kille & T. Lenggenhager, "Naming and Structuring Guidelines for X.500 Directory Pilots". May 1994. (Format: TXT=56739 bytes) (Obsoletes RFC1384)

    This RFC discusses how to organize one's directory. It applies to standalone LDAP-based directories as well as X.500-based ones.

  • Once you have a directory with information in it, you need to be able to search for information. One uses "filters" to specify one's searches. The RFC below specifies LDAPv2 search filters..

    The documents below discuss the details of how information in the LDAP protocol is actually encoded. Note that UTF-8 isn't actually used yet (I believe), but is being discussed in terms of being specified in the LDAP V3 Internet-Draft. See the section on IETF directory service work , below, for info about what's going on in the various IETF directory-services-oriented working groups.

  • "A Layman's Guide to a Subset of ASN.1, BER, and DER"

  • "UCS Transformation Format 8 (UTF-8)"

  • Beyond the Basics: Directory Services for the Internet at Large

    Start here if you already know the basics and are wondering about underlying details or about what all can be built with them...

  • "Introduction to Directories and LDAP", Jeff Hodges, June 1997. The section on Deployment Considerations and the Summary are relevant here.

  • The Near Future: Current IETF work on LDAPv3 and X.500(93) and Related Topics...

    There is a fair amount of work going on currently in the IETF on directory services in general, and X.500/LDAP in particular. Most of this work is occuring within the Applications area of the IETF.

    Do note, though, that the IETF doesn't "work on" X.500 directly. That is the domain of the International Telecommunications Union (ITU). The IETF's work in regards to X.500(93) (and future X.500 versions) is or will be in terms of...

  • what X.500 features are appropriate to include in LDAP, given that LDAP can be utilized either stand-alone or as an X.500 frontend?
  • Thus said, the three relevant working groups within the Applications Area are...

  • Access, Searching and Indexing of Directories (asid)
  • Common Indexing Protocol (find)
  • Integrated Directory Services (ids)
  • There is much current work going on in the ASID working group on the next version (i.e. V3) of LDAP (be sure to see this section below for links to additional LDAP info, including an LDAPv3 info repository), also an "application/directory" content type for MIME, URL syntax for LDAP, an objectclass and attribute to hold URIs, "dynamic directory" usage for LDAP-based directories, etc.

    The best way to understand and follow the direction of current developments and get up-to-speed on it is to read the Internet Drafts. See the ASID web page for the current list of applicable internet drafts including the LDAPv3 ones (look towards the bottom of that page).

    If you want to know about existing standards, refer to the above sections of this page, and/or visit an RFC repository.

    The IDS working group is working on an "Internet White Pages Schema" for a generic "person". They are also working on guidelines for deploying and running an Internet white pages service, privacy issues, and other topics oriented towards actually using and building stuff on top of a directory infrastructure. See the IDS page for their precise charter and a list of applicable IDs (Internet Drafts).

    The FIND group is working on a "common indexing protocol" which would help to ease the cost of high-level searches (and other stuff). An example of a high level search is "please find Joe User whom I believe works in some public job in the state of colorado". This work is intended to be independent of any particular directory access protocol -- specifically to be useful to LDAP, Whois++, and CCSO. See the FIND page for relevant info.

    Note that there is a large intersection between the work of these three groups. For example, people deploying LDAP-based directories (perhaps for some enterprise, say) might desire to use the gneric white-pages schema for their people entries, and also support the common indexing protocol in whatever appropriate fashion such that their entries can be appropriately found in high-level searches.

    Raw bibliography of X.500 and LDAP RFCs

    This page simply lists just what it sez, but it also has links to the RFC and Internet-Draft repository at Information Sciences Institute (ISI).

    Implementation Repositories, Extant Directory Infrastructures, and other Resources

    These are places to pick up both more detailed info and actual implementations...

    Here's pointers to other pages about LDAP in particular. Given that you are reading this page, you should also take the time to peruse these other pages -- I don't claim that this page has the last word on LDAP developments...

    Here's pointers to other Web pages about X.500 itself. Some of these, like Nexor's pages, are general info sources about the X.500/LDAP-based directory(ies). Other's, like SURFnet's and UMich's, are documents relating to their particular Directory infrastructure and are quite interesting as examples of how Internet-wide directory participants can package & deliver their product both to their users and to the Internet at large...

    Here's pointers to various organization's directories, and to pages with info about their directory projects (but be sure to peruse some of the links above too, such as the ISODE Consortium and Nexor)...

    Currency of Information and Links in this Document:

    Please email me if you find any issues with links and/or the content of this document. Thanks.

    This page is revised from time-to-time -- as are many documents, software, and race cars.


  • Ros Halevi and Jing-Chyi Chao html-ized Tim Howes' LDAP paper.
  • Thanks to Tim Howes, Mark Smith, Gordon Good, Mark Wahl, and Steve Kille, Chris Apple, Chris Weider, Paul Hoffman, and a host of others for answering (and continuing to answer) my many questions.
  • Additional credits...

    You're visitor number "one of many" since 2 May 1996