Introduction to OpenLDAP
The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying an X.500-based directory service running over TCP/IP. The current LDAP version is LDAPv3, as defined in RFC 4510, and the implementation used in Ubuntu is OpenLDAP.
The LDAP protocol accesses directories. It’s common to refer to a directory as an LDAP directory or LDAP database as a shorthand – although technically incorrect, this shorthand is so widely used that it’s understood as such.
Key concepts and terms
- A directory is a tree of data entries that is hierarchical in nature; it is called the Directory Information Tree (DIT).
- An entry consists of a set of attributes.
- An attribute has a key (a name or description) and one or more values. Every attribute must be defined in at least one objectClass.
- Attributes and objectClasses are defined in schemas (an objectClass is considered a special kind of attribute).
- Each entry has a unique identifier: its Distinguished Name (DN or dn). This, in turn, consists of a Relative Distinguished Name (RDN) followed by the parent entry’s DN.
- The entry’s DN is not an attribute. It is not considered part of the entry itself.
Note:
The terms object, container, and node have certain connotations but they all essentially mean the same thing as entry (the technically correct term).
For example, below we have a single entry consisting of 11 attributes where the following is true:
- DN is cn=John Doe,dc=example,dc=com
- RDN is cn=John Doe
- parent DN is dc=example,dc=com
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: [email protected]
manager: cn=Larry Smith,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
The above entry is in LDAP Data Interchange Format (LDIF). Any information that you feed into your DIT must also be in this format. LDIF is defined in RFC 2849.
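To make the DN/RDN/parent-DN relationship and the LDIF rules concrete, here is a small stand-alone parser. It is an added example written for this page, not code from the Ubuntu documentation or from OpenLDAP, and it uses only the Python standard library (in production you would use the ldif module of python-ldap rather than this). The sample input is constructed: it repeats the John Doe entry above (with a constructed mail value, since the page's own address is not shown) and adds a second, constructed entry whose RDN contains an escaped comma, whose description uses the base64 ("::") form, and whose second description is folded across two lines, so the edge cases of RFC 2849 and RFC 4514 are exercised. The function and variable names are this example's own.

```python
import base64
import string

# Constructed sample LDIF (not from the page): the John Doe entry plus a second
# entry exercising an escaped comma in the RDN, a base64 value and line folding.
SAMPLE_LDIF = """\
version: 1
# comment lines are ignored
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: jdoe@example.com
manager: cn=Larry Smith,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: cn=Smith\\, Jane,ou=People,dc=example,dc=com
cn: Smith, Jane
sn: Smith
description:: SmFuZSBTbWl0aA==
description: A long description folded
  across two lines
objectClass: person
objectClass: top
"""


def unfold(text):
    """Join continuation lines (leading single space, RFC 2849) and drop comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # exactly one leading space is removed
        elif raw.startswith("#"):
            continue
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content records into a list of {'dn': str, 'attrs': {name: [values]}}."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():              # blank line terminates a record
            if current:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):       # 'attr:< file:///...' form: refuse, not supported here
            raise ValueError(f"URL-valued attribute not supported: {line!r}")
        else:
            value = value[1:] if value.startswith(" ") else value
        if current is None:
            if name.lower() == "version":
                continue
            if name.lower() != "dn":
                raise ValueError(f"record must start with a dn: line, got {line!r}")
            current = {"dn": value, "attrs": {}}
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def split_dn(dn):
    """Split a DN into RDN strings at unescaped commas (RFC 4514 backslash escaping)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])       # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def unescape_dn_value(value):
    """Decode RFC 4514 escapes: '\\,' -> ',' and '\\XX' hex pairs -> UTF-8 bytes."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def describe(entry):
    """Return the DN, its RDN (type and decoded value), the parent DN and the attribute count."""
    parts = split_dn(entry["dn"])
    rdn = parts[0]
    rdn_type, _, rdn_value = rdn.partition("=")
    return {
        "dn": entry["dn"],
        "rdn": rdn,
        "rdn_type": rdn_type,
        "rdn_value": unescape_dn_value(rdn_value),
        "parent_dn": ",".join(parts[1:]),
        # the DN line is not an attribute, so it is not counted
        "attribute_count": sum(len(v) for v in entry["attrs"].values()),
    }


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(describe(e))
```

The escaped comma is the point worth noticing: a naive `dn.split(",")` on the second entry would report the parent DN as `Jane,ou=People,dc=example,dc=com`, and since OpenLDAP access control and group membership are expressed in terms of DNs, any tooling that compares or derives DNs must split them the RFC 4514 way. Multi-valued RDNs (`cn=a+sn=b`) and the `attr:< URL` LDIF form are deliberately outside this example's scope.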
A directory accessed via LDAP is good for anything that involves a large number of access requests to a mostly-read, attribute-based (name:value) backend, and that can benefit from a hierarchical structure. Examples include an address book, company directory, a list of email addresses, and a mail server’s configuration.
Our OpenLDAP guide
For users who want to set up OpenLDAP, we recommend following our series of guides in this order:
- Install and configure LDAP
- LDAP Access Control
- LDAP users and groups
- SSL/TLS
- Replication
- Backup and restore
References
- The OpenLDAP administrators guide
- RFC 4515: LDAP string representation of search filters
- Zytrax’s LDAP for Rocket Scientists; a less pedantic but comprehensive treatment of LDAP
Older references that might still be useful:
- O’Reilly’s LDAP System Administration (textbook; 2003)
- Packt’s Mastering OpenLDAP (textbook; 2007)