▷ Ldap: what it is and what this protocol is used for

The LDAP protocol is widely used today by companies that bet on free software by using Linux distributions to exercise the functions of an active directory in which the credentials and permissions of workers and workstations in corporate LAN networks will be managed in client / server connections.

Index of contents

In this article we will see as fully as possible what this protocol and corresponding tool consists of, along with the structure and terms most used in it.

What is LDAP?

LDAP is short for Lightweight Directory Access Protocol). It is a set of open license protocols that are used to access the information that is stored centrally in a network. This protocol is used at the application level to access remote directory services.

A remote directory is a set of objects that are hierarchically organized, such as names, addresses, etc. These objects will be made available by a series of clients connected through a network, usually internal or LAN, and will provide the identities and permissions for those users who use them.

LDAP is based on the X.500 protocol for directory sharing, and it contains this information in a hierarchical and categorized way to provide us with an intuitive structure from the point of view of management by administrators. It is, so to speak, a phone book, but with more attributes and credentials. In this case we use the term directory to refer to the organization of these objects.

In general, these directories are basically used to contain virtual user information, so that other users access and have information about the contacts that are stored here. But it is much more than this, since it is able to remotely communicate with other LDAP directories located on servers that may be on the other side of the world to access the available information. In this way, a decentralized and fully accessible information database is created.

The current version is called LDAPv3 and is defined in a publicly accessible RFC 4511 documentation sheet.

LDAP operation

LDAP is a protocol based on the connection between client and server. The data related to the directory will be stored in the LDAP server, which will be able to use a wide variety of databases for this storage, becoming very large.

Access and administration operation is very similar to Windows Active Directory. When the LDAP client connects to the server, you can perform two basic actions, either query and obtain directory information, or modify it.

• If a client consults the information, the LDAP server can connect it directly if they have a directory hosted in it, or redirect the request to another server that actually has this information. This may be local, or remote. If a client wants to modify the directory information, the server will check if the user who is accessing this directory has administrator permissions or not. Then, the information and management of an LDAP directory can be done remotely.

The connection port for the LDAP protocol is TCP 389, although, of course, it can be modified by the user and set it to the one he wishes if he indicates it to the server.

How information is stored in LDAP

In an LDAP directory we can store basically the same information as in a Windows Active Directory. The system is based on the following structure:

• Entries, called objects in Active Directory. These entries are collections of attributes with a Distinguished Name (DN) This name is used to give a unique and unrepeatable identifier to a directory entry. An entry can be the name of an organization and attributes will hang from it. Also a person can be an entry. Attributes: which have an identifier type and the corresponding values. The types are used to identify the names of attributes, for example "mail", "name", "jpegPhoto", etc. Some of the attributes that belong to an entry must be mandatory and others optional. LDIF: The LDAP Data Interchange Format is the ASCII text representation of LDAP entries. This should be the format of the files used to import information into an LDAP directory. When a blank line is written, it means the end of an entry.

dn: :::

Trees: It is the hierarchical organization of entries. For example, in a tree structure we can find a country at the top and as the main one, and within this we will have the different states that make up the country. Within each state we will be able to list the districts, citizens and addresses of where they live, and so on.

If we applied this to the Internet and computing, we could organize an LDAP directory by means of a domain name that would do the tree functions and from it would hang the different departments or organizational units of a company, employees, etc. And it is precisely in this way that directories are currently formed, thanks to the use of a DNS service, we can associate an IP address with an LDAP directory to be able to access it through the domain name.

How information is accessed in LDAP

An example entry for an LDAP directory might be:

dn: cn = Jose Castillo, dc = profesionalreview, dc = com cn: Jose Castillo givenName: Jose sn: Castillo telephoneNumber: +34 666 666 666 mail: [email protected] objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top

• dn (domain name): entry name, but not part of the entry itself. dc: domain component to identify the parts of the domain where the LDAP directory is stored. cn (common name): attribute name to identify the user name, for example sn (surname): last name of the user telephoneNombre, mail…: identify name for the attribute telephone and email. objectClass: different inputs to define the properties of the attributes

An LDAP server, in addition to storing a tree, can contain subtrees that include entries specific to the primary domain. Also, you can store references to other directory servers to divide the content if necessary.

Structure of an access URL in LDAP

When making remote connections to an LDAP server, we will need the use of URL addresses to obtain information from it. The basic structure

ldap: // server: port / DN? attributes? scope? filters? extensions

• server or host: it is the IP address or domain name of the LDAP server port: the server connection port, by default it will be 389 DN: distinguished name to use in the search Attributes: it is a list of fields to return separated by commas Scope or scope: is the scope of the search Filters: to filter the search according to the identifier of the object, for example. Extensions: will be the character strings extensions of the URL in LDAP.

For example:

ldap: //ldap.profesionalreview.com/cn=Jose%20Castillo, dc=profesionalreview, cd=com

We are looking for all the users in Jose Castillo's entry at profesionalreview.com.

In addition to this notation, we will also have a version of LADP with SSL security certificate, whose identifier for the URL will be "ldaps:".

Most important tools that use the LDAP protocol

There are currently various tools that use this protocol for client-server communication of a directory service. Most importantly, even Windows Active Directory uses this communication protocol.

• OpenLDAP: is the free implementation of the LDAP protocol. It has its own license and is compatible with other servers that use the same protocol. It is used by different Linux and BSD distributions. Active Directory: it is a directory data store with Microsoft license and implemented in its server operating systems since Windows 2000. Actually, under the structure of Active Directory is an LDAPv3 scheme, so it is also compatible with other systems that implement this protocol. in their directories. Red Hat Directory Server: It is a server that is also based on LDAP similar to Active Directory, but using an open source tool. Within this directory we can store objects such as key users, groups, permission policies, etc. Apache Directory Server: Another great implementation using LDAP is the Apache Software licensed directory. In addition, it implements other protocols such as Kerberos and NTP and has an interface of views typical of relational databases. Novell Directory Services - This is Novell's own directory server for managing access to a resource store on one or more networked servers. It is made up of a hierarchical object-oriented database structure in which all typical directory targets are stored. Open DS: We end this list with the SUN Microsystems java-based directory, which would later be released to all users. Of course, it is developed in JAVA, we will need the Java Runtime Environmet package for it to work.

These are the most interesting features and most relevant information about the LDAP protocol. Of course we will try to expand information with tutorials that we are taking out on this topic.

In the meantime, you may be interested in this information:

We hope this information has been helpful. To add something or tell us what you think about LDAP write us in the comments.