An LDAP Roadmap & FAQ

A tutorial aid to navigating various LDAP and X.500 Directory Services resources on the Internet


Jeff Hodges  
Principal, Kings Mountain Systems

Formerly: Senior Technical Staff, 
Directory Services and Public Key Infrastructure, 
Computing and Communication Services
Stanford University

 

Selected by PC                                                                                          Webopaedia
 

Latest bug fix applied: 11-Oct-2004; Last major revision/update: sometime in 1999; LDAP Roadmap & FAQ established in 1997;
Version 1.7 

Overall Contents:

Background So, for some reason or another you have to figure out more about this stuff variously called X.500, LDAP, "the Directory", the "White Pages Project", etc.....and you're very confused and can't figure out where to start, which documents are relevant to what aspects of this crazy stuff, which ones to read first, which ones provide an overview, where to get what software or anything else. Well, I've been there and done that and thought that I'd put together a kind of road map and high-level FAQ (Frequently Asked Questions) that points off to other Web sites and various docs and kinda provide a helping hand to getting started with this complex, but way-cool, Directory stuff.

Introduction

X.500 is an overall model for Directory Services in the OSI world. The model encompasses the overall namespace and the protocol for querying and updating it. The protocol is known as "DAP" (Directory Access Protocol). DAP runs over the OSI network protocol stack -- that, combined with its very rich data model and operation set makes it quite "heavyweight". It is rather tough to implement a full-blown DAP client and have it "fit" on smaller computer systems. Thus, the folks at University of Michigan, with help from the ISODE Consortium, designed and developed...

LDAP, or "Lightweight Directory Access Protocol". LDAP is, like X.500, both an information model and a protocol for querying and manipulating it. LDAP's overall data and namesapce model is essentially that of X.500. The major difference is that the LDAP protocol itself is designed to run directly over the TCP/IP stack, and it lacks some of the more esoteric DAP protocol functions.

A major part of X.500 is that it defines a global directory structure. It is essentially a directory web in much the same way that http & html are used to define & implement the gobal hypertext web. Anyone with an X.500 or LDAP client may peruse the global directory just as they can use a web browser to peruse the global Web. Additionally, with the help of web<->X.500 gateways, you can use your favorite web browser to peruse both!


Note: Please help me out and let me know if you find any stale links on this page. Thanks, JeffH
[I've been way busy working at a startup for a couple of years and am WAY behind on fixing links on these page. SORRY. Thanks to everyone who has pointed out bugs herein. Please keep it up and I'll be trying to get the links fixed.]


New 2nd edition of Understanding and Deploying LDAP Directory Services, is available! Clicking on this link (or the former one) and purchasing it (and any other stuff) will help support this site. [12-May-2003]


An LDAP Frequently Asked Questions (FAQ) List


The Roadmap

Overall note: Version 2.0a of these pages is available for "beta" (mebbe "alpha" is really more appropriate, but what-the-heck) HERE

The following is an annotated list of pointers to information sources. Start at the begining if you're an X.500/LDAP/Directory newbie. Else, peruse the list and start whereever seems appropriate. Happy hunting...

Additionally, below's the slides from a talk I've written. It provides an introduction to LDAP, discusses organization and content, and presents directory deployment considerations...
  • "Introduction to Directories and LDAP", Jeff Hodges, June 1997.
  • The Attendant Fine Print:
    This document doesnot purport to be the last, best, or most recent word on LDAP or developments in the directory community. THIS DOCUMENT IS UPDATED AND OTHERWISE MAINTAINED ON A BEST-EFFORTS BASIS. This information is provided AS IS, with no guaranties at all. It is the readers' responsibility to keep themselves up-to-date and aware of developments by whatever means they have available. I trust the pointers and info here help in that effort.

    Please be sure to peruse the pages pointed to in the last three (3) items above for information that is likely more current, in terms of recent developments, than that here. Thanks.


    The Basics: An Introduction to LDAP and X.500

    Start here if you're just beginning...

    These are basic introductory documents to directory services in general, and X.500 and LDAP in particular. I've arranged them to be read nominally in this order -- but that's entirely up to the reader. There's a fair amount of overlap in the overview docs, fyi....

  • "Introduction to Directories and LDAP", Jeff Hodges, June 1997. The "Introduction" sections are relevant for those just beginning (duh!).
  • "Understanding and Deploying LDAP Directory Services", by Tim Howes, Mark Smith, and Gordon Good. MacMillan Techincal Publications, ISBN: 1578700701.

    This book covers the gamut of issues involved in deploying an LDAP-based directory service. Its presentation is vendor-independent. It should be considered a companion volume to <this one>.
  • "The Lightweight Directory Access Protocol: X.500 Lite", Timothy A. Howes, July 27, 1995, CITI Technical Report 95-8

    This paper gives a good overview of the X.500 model, and then describes the LDAP model and rationale in detail. Realize that it is nominally discussing LDAPv2.
     
  • "Understanding LDAP", IBM Redbook.

  • "Understanding X.500 - The Directory", David Chadwick, University of Salvord, UK. International Thomson Computer Press edition 1996 ISBN 185 0332 813.

    This book is now out-of-print, but David has an online version of it at the site pointed to above.
  • rfc1308 J. Reynolds, C. Weider, "Executive Introduction to Directory Services Using the X.500 Protocol", 03/12/1992. (Pages=4) (Format=.txt) (FYI 13)
  • This RFC gives a good, concise overview of the X.500 model.
     
  • rfc1309 S. Heker, J. Reynolds, C. Weider, "Technical Overview of Directory Services Using the X.500 Protocol", 03/12/1992. (Pages=16) (Format=.txt) (FYI 14)

    This RFC builds upon the one above to provide a more detailed technical introduction to how X.500-based directory services work.
     
  • rfc1684 P. Jurg, "Introduction to White Pages services based on X.500", 08/11/1994. (Pages=10) (Format=.txt)

    This RFC provides an overview of both X.500 basics, plus how X.500-based Directory services globally work in a broad sense.
     
  • rfc1777 W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access Protocol", 03/28/1995. (Pages=22) (Format=.txt) (Obsoletes RFC1487)

    This RFC is an Internet "Draft Standard". It is the technical counterpart to the "Lightweight Directory Access Protocl: X.500 Lite" paper referenced above, and denotes version 2 of the LDAP protocol (LDAPv2). The Applications area director has stated that LDAPv2 will not progress to "full standard" because of various perceived dificiencies. Thus the IETF's Access and Sychronization of Internet Directories working group is working on LDAPv3. See the section about the IETF working groups, below.
     
  • rfc1823 T. Howes & M. Smith, "The LDAP Application Program Interface", August 1995. (Format: TXT=41081 bytes)

    This RFC documents the API that LDAP clients utilize to interact with the Directory. This API is implemented in "libldap.a", the code to which is available at the UMich LDAP/X.500 client, server, and general resource repository.
     
  • rfc1960 T. Howes, "A String Representation of LDAP Search Filters", June 1996. (Format: TXT=5288 bytes) (Obsoletes RFC1558)

    This RFC is defines exactly what its title sez it defines. See RFC 1823 shows how search filters are used by the LDAP API.
     
  • "LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol", T. Howes & M. Smith, Macmillan Technical Publishing, 1997, ISBN 1-57870-000-0.

    This is The Book for folks who want to do exactly what its title says. In quality bookstores near you.

  • Behind the Basics: Schema, Attributes, and Directory Organization

    Look here if you understand the basics and are wondering about stuff such as attributes, their syntaxes, object classes, etc.

    These documents discuss Directory attributes and their syntaxes. You need to read this stuff if you're setting up your directory and mapping your organization's information into the it and/or if you're creating new attributes.

    Once you have a directory with information in it, you need to be able to search for information. One uses "filters" to specify one's searches. The RFC below specifies LDAPv2 search filters.. The documents below discuss the details of how information in the LDAP protocol is actually encoded. Note that UTF-8 isn't actually used yet (I believe), but is being discussed in terms of being specified in the LDAP V3 Internet-Draft. See the section on IETF directory service work , below, for info about what's going on in the various IETF directory-services-oriented working groups.
  • "A Layman's Guide to a Subset of ASN.1, BER, and DER"
  • rfc2279, UTF-8, a transformation format of ISO 10646. F. Yergeau. January 1998. (Format: TXT=21634 bytes) (Obsoletes RFC2044) (Status: DRAFT STANDARD)

  • Beyond the Basics: Directory Services for the Internet at Large

    Start here if you already know the basics and are wondering about underlying details or about what all can be built with them...
  • "Introduction to Directories and LDAP", Jeff Hodges, June 1997. The section on Deployment Considerations and the Summary are relevant here.

  • The Near Future: Current IETF work on LDAPv3 and Related Topics...

    LDAPv3 was annointed Proposed Standard status by the IESG (Internet Engineering Steering Group) in early December '97.

    See: Current State of the LDAP Protocol Specifications (LDAPv3, LDAPv2)

    There is a fair amount of work going on currently in the IETF on directory services in general, and X.500/LDAP in particular. Most of this work is occuring within the Applications area of the IETF.

    The IETF doesn't "work on" X.500. That is the domain of the International Telecommunications Union (ITU).


    Raw bibliography of X.500 and LDAP RFCs

    This page simply lists just what it sez, but it also has links to the RFC and Internet-Draft repository at Information Sciences Institute (ISI).


    Implementation Repositories, Extant Directory Infrastructures, and other Resources

    These are places to pick up both more detailed info and actual implementations... Here's pointers to other pages about LDAP and LDAP implementations in particular. Given that you are reading this page, you should also take the time to peruse these other pages -- I don't claim that this page has the last word on LDAP developments... Here's pointers to other Web pages about X.500 itself. Some of these, like Nexor's pages, are general info sources about the X.500/LDAP-based directory(ies). Other's, like SURFnet's and UMich's, are documents relating to their particular Directory infrastructure and are quite interesting as examples of how Internet-wide directory participants can package & deliver their product both to their users and to the Internet at large... Here's pointers to various organization's directories, and to pages with info about their directory projects (but be sure to peruse some of the links above too, such as the ISODE Consortium and Nexor)...

    Current State of the LDAP Protocol Standards (LDAPv3, LDAPv2)


    Currency of Information and Links in this Document:

    Please email me if you find any issues with links and/or the content of this document. Thanks.

    This page is revised from time-to-time -- as are many documents, software, and race cars.

    Credits:

  • Ros Halevi and Jing-Chyi Chao html-ized Tim Howes' LDAP paper.
  • Thanks to Tim Howes, Mark Smith, Gordon Good, Mark Wahl, and Steve Kille, Chris Apple, Chris Weider, Paul Hoffman, and a host of others for answering (and continuing to answer) my many questions.
  • Additional credits...

    You've caused hit number "one of > 300,000" since 2 May 1996