Wikipedia

Lightweight Directory Access Protocol and Template talk:Dundee F.C. squad: Difference between pages

(Difference between pages)
Content deleted Content added
VisualWikitext
 
added template
 
Line 1:
{{Football|class=Template|importance=NA}}
In [[computer networking]], the '''Lightweight Directory Access Protocol''', or '''LDAP''' ({{IPA2|ˈɛl dap}}), is a [[networking protocol]] for querying and modifying [[directory service]]s running over [[Internet protocol suite|TCP/IP]].
==Surname sort==
 
The default sort is by squad number, but only 2 players are shown with a number, 20 have no number. This is unusual as no other squad list has more numberless unless the whole squad is numberless.
A directory is a set of information with similar attributes organized in a logical and hierarchical manner. The most common example is the telephone directory, which consists of a series of names (either of a person or organization) organized alphabetically, with an address and phone number attached.
So I went with the majority and sorted by surname. The club article has no squad numbers shown at all, so this sort method seems to make sense. &nbsp;<font face="verdana">[[User:Slumgum|slυмgυм]]<small>&nbsp;[[User talk:Slumgum|[&nbsp;←]][[Special:Contributions/Slumgum|→&nbsp;]]]</small></font> 17:43, 25 June 2007 (UTC)
 
An LDAP directory often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use [[Domain Name System]] (DNS)
names for structuring the topmost levels of the hierarchy. Deeper inside the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else which represents a given tree entry (or multiple entries).
 
Its current version is LDAPv3. LDAPv3 is specified in a series of [[Internet Engineering Task Force|IETF]] Standard Track [[Request for Comments|RFC]]s as detailed in RFC 4510.
 
==Origin and influences==
Unsurprisingly, telecommunication companies introduced the concept of directories to information technology ([[computer networking]]). No doubt their understanding of directory requirements were heavily influenced by some 70 years of producing and managing telephone directories. The culmination of this input was the [[X.500]] specification, produced by the [[ITU|International Telecommunication Union (ITU)]] at a time when information technology (computers) were an organized and well-considered venture (aka pre-public-access Internet).
 
By most accounts the X.500 protocol is an extremely well engineered and thoroughly thought out specification. However, it suffers from being so thorough that even in the late '90s there were very few implementations of it and those that existed required significant computing power.
 
Unfortunately the computing resources required to implement and deploy X.500 at the time were prohibitively expensive, and so LDAP, the "Lightweight" Directory Access Protocol was developed. LDAP reduced its "weight" by only implementing a subset of the X.500 protocol and was originally designed as a gateway to X.500 servers rather than a complete standalone service.
 
LDAP was originally intended to be a lightweight alternative protocol for accessing [[X.500]] directory services. X.500 directory services were traditionally accessed via the X.500 Directory Access Protocol, or [[Directory Access Protocol|DAP]], which required the cumbersome [[Open Systems Interconnection]] (OSI) protocol stack. With LDAP, a client could access these directory services without all of the overhead. This model of directory access was borrowed from [[DIXIE]] and the [[Directory Assistance Service]].
 
Standalone LDAP directory servers soon followed, as did directory servers supporting both DAP and LDAP. The former has become popular in enterprises as they removed any need to deploy an OSI network. Today, X.500 directory protocols including DAP can also be used directly over [[TCP/IP]].
 
The protocol was originally created by [[Tim Howes]] of the [[University of Michigan]], [[Steve Kille]] of [[ISODE]] and Wengyik Yeong of [[Performance Systems International]], circa 1993. Further development has been done via the [[Internet Engineering Task Force]] (IETF).
 
Note that in the early engineering stages of LDAP, it was known as ''Lightweight Directory Browsing Protocol'' or ''LDBP''. It was renamed as the scope of the protocol was expanded to not only include directory browsing functions (i.e., search) but also directory update functions (i.e., modify).
 
LDAP has influenced subsequent Internet protocols, including later versions of [[X.500]], [[XML Enabled Directory|XML Enabled Directory (XED)]], [[Directory Service Markup Language|Directory Services Markup Language (DSML)]], [[SPML|Service Provisioning Markup Language (SPML)]], and the [[Service Location Protocol|Service Location Protocol (SLP)]].
 
==Protocol overview==
A client starts an LDAP session by connecting to an LDAP server, by default on [[Transmission Control Protocol|TCP]] [[TCP and UDP port|port]] 389. The client then sends operation requests to the server, and the server sends responses in turn. With some exceptions the client need not wait for a response before sending the next request, and the server may send the responses in any order.
 
The basic operations are:
 
* Start TLS - protect the connection with [[Transport Layer Security]] (TLS), to have a more secure connection
* Bind - [[Authentication|authenticate]] and specify LDAP protocol version
* Search - search for and/or retrieve directory entries
* Compare - test if a named entry contains a given attribute value
* Add a new entry
* Delete an entry
* Modify an entry
* Modify DN - move or rename an entry
* Abandon - abort a previous request
* Extended Operation - generic operation used to define other operations
* Unbind - close the connection (not the inverse of Bind)
In addition the server may send "Unsolicited Notifications" that are not responses to any request, e.g. before it times out a connection.
 
A common alternate method of securing LDAP communication is using an SSL tunnel. This is denoted in LDAP URLs by using the URL scheme "ldaps". The standard port for LDAP over [[Secure Socket Layer|SSL]] is 636.
 
LDAP is defined in terms of [[Abstract syntax notation one|ASN.1]], and protocol messages are encoded in the binary format [[Basic encoding rules|BER]]. It uses textual representations for a number of ASN.1 fields/types, however.
 
==Directory structure==
The protocol accesses LDAP directories, which follow the [[X.500]] model:
 
* A directory is a tree of directory entries.<br>
* An entry consists of a set of attributes.<br>
* An attribute has a name (an ''attribute type'' or ''attribute description'') and one or more values. The attributes are defined in a ''schema'' (see below).
* Each entry has a unique identifier: its ''Distinguished Name'' (DN). This consists of its ''Relative Distinguished Name'' (RDN) constructed from some attribute(s) in the entry, followed by the parent entry's DN. Think of the DN as a full filename and the RDN as a relative filename in a folder.
 
Be aware that a DN may change over the lifetime of the entry, for instance, when entries are moved
within a tree. To reliably and unambiguously identify entries, a [[UUID]] may be provided in the set of the entry's ''operational attributes''.
 
An entry can look like this when represented in [[LDIF]] format (LDAP itself is a binary protocol):
 
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 555 6789
telephoneNumber: +1 555 1234
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
 
dn is the name of the entry; it's not an attribute nor part of the entry. "cn=John Doe" is the entry's RDN, and "dc=example,dc=com" is the DN of the parent entry. The other lines show the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for ___domain component, and "mail" for e-mail address.
 
A server holds a subtree starting from a specific entry, e.g. "dc=example,dc=com" and its children. Servers may also hold references to other servers, so an attempt to access "ou=Some department,dc=example,dc=com" could return a ''referral'' or ''continuation reference'' to a server which holds that part of the directory tree. The client can then contact the other server. Some servers also support ''chaining'', which means the server contacts the other server and returns the results to the client.
 
LDAP rarely defines any ordering: The server may return the values in an attribute, the attributes in an entry, and the entries found by a search operation in any order.
 
==Operations==
The client gives each request a positive Message ID, and the server response has the same Message ID. The response includes a numeric result code which indicates success, some error condition or some other special cases. Before the response, the server may send other messages with other result data - for example each entry found by the Search operation is returned in such a message.
 
{{Sectstub}}
:''Expand discussion of referral responses to various operations, especially modify, for example where all modifies must be directed from replicas to a master directory.''
 
===StartTLS===
The StartTLS operation establishes [[Transport Layer Security]] (the descendant of SSL) on the connection. That can provide data confidentiality (cannot be read by third parties) and/or data integrity protection (protect from tampering). During TLS negotiation the server sends its [[X.509]] certificate to prove its identity. The client may also send a certificate to prove its identity. After doing so, the client may then use SASL/EXTERNAL to have this identity used in determining the identity used in making LDAP authorization decisions.
 
Servers also often support the non-standard "LDAPS" ("Secure LDAP", commonly known as "LDAP over SSL") protocol on a separate port, by default 636. LDAPS differs from LDAP in two ways: 1) upon connect, the client and server establish TLS before any LDAP messages are transferred (without a Start TLS operation) and 2) the LDAPS connection must be closed upon TLS closure.
 
The StartTLS operation was not available in LDAPv2.
 
===Bind (authenticate)===
The Bind operation authenticates the client to the server. Simple Bind can send the user's DN and password - in cleartext, so the connection should be protected using [[Transport Layer Security]] (TLS). The server typically checks the password against the userPassword attribute in the named entry. Anonymous Bind (with empty DN and password) resets the connection to anonymous state. [[SASL]] (Simple Authentication and Security Layer) Bind provides authentication services through a wide range of mechanisms, e.g. [[Kerberos (protocol)|Kerberos]] or the client certificate sent with TLS.
 
Bind also sets the LDAP protocol version. Normally clients should use LDAPv3, which is the default in the protocol but not always in LDAP libraries.
 
Bind had to be the first operation in a session in LDAPv2, but is not required in LDAPv3 (the current LDAP version).
 
===Search and Compare===
The Search operation is used to both search for and read entries. Its parameters are:
* baseObject - the DN (Distinguished Name) of the entry at which to start the search,
* scope - baseObject (search just the named entry, typically used to read one entry), singleLevel (entries immediately below the base DN), or wholeSubtree (the entire subtree starting at the base DN).
* filter - how to examine each entry in the scope. E.g. (&(objectClass=person)(|(givenName=John)(mail=john*))) - search for persons who either have given name John or an e-mail address starting with john.
* derefAliases - whether and how to follow alias entries (entries which refer to other entries),
* attributes - which attributes to return in result entries.
* sizeLimit, timeLimit - max number of entries, and max search time.
* typesOnly - return attribute types only, not attribute values.
 
The server returns the matching entries and maybe continuation references (in any order), followed by the final result with the result code.
 
The Compare operation takes a DN, an attribute name and an attribute value, and checks if the named entry contains that attribute with that value.
 
===Update operations===
Add, Delete, and Modify DN - all require the DN of the entry that is to be changed.
 
Modify takes a list of attributes to modify and the modifications to each: Delete the attribute or some values, add new values, or replace the current values with the new ones.
 
Add operations also can have additional attributes and values for those attributes.
 
Modify DN (move/rename entry) takes the new RDN (Relative Distinguished Name), optionally the new parent's DN, and a flag which says whether to delete the value(s) in the entry which match the old RDN. The server may support renaming of entire directory subtrees.
 
An update operation is atomic: Other operations will see either the new entry or the old one. On the other hand, LDAP does not define transactions of multiple operations: If you read an entry and then modify it, another client may have updated the entry in the mean time. Servers may implement extensions which support this, however.
 
===Extended operations===
The Extended Operation is a generic LDAP operation which can be used to define new operations. Examples include the Cancel, Password Modify and Start TLS operations.
 
===Abandon===
The Abandon operation requests that the server aborts an operation named by a message ID. The server need not honor the request. Unfortunately, neither Abandon nor a successfully abandoned operation send a response. A similar Cancel extended operation has therefore been defined which does send responses, but not all implementations support this.
 
===Unbind===
The Unbind operation abandons any outstanding operations and closes the connection. It has no response. The name is of historical origin: It is ''not'' the opposite of the Bind operation.
 
Clients can abort a session by simply closing the connection, but they should use Unbind. Otherwise the server cannot tell the difference between a failed network connection (or a truncation attack) and a discourteous client.
 
==LDAP URLs==
An LDAP [[URL]] format exists which clients support in varying degree, and which servers return in referrals and continuation references (see RFC 4516):<br>
"ldap://host:port/DN?attributes?scope?filter?extensions"<br>
where most components after "ldap://" can be omitted.
 
''attributes'' is a comma-separated list of attributes to retrieve.<br>
''scope'' can be "base" (the default), "one" or "sub".<br>
''filter'' e.g, (objectClass=*) see RFC 4515.<br>
''extensions'' are extensions to the LDAP URL format.<br>
As in other URLs, special characters must be escaped with %hex format.
 
There is a similar non-standard "ldaps:" URL scheme for LDAP over SSL.
 
For example, "ldap://ldap.example.com/cn=John%20Doe,dc=example,dc=com" refers to all user attributes in John Doe's entry in ldap.example.com. "ldap:///dc=example,dc=com??sub?(givenName=John)" searches for him in the default server.
 
==Schema==
The contents of the entries in a subtree is governed by a [[schema]].
 
The schema defines the ''attribute types'' that directory entries can contain. An attribute definition includes a ''syntax'', and most non-binary values in LDAPv3 use [[UTF-8]] string syntax. For example, a "mail" attribute might contain the value "user@example.com". A "jpegPhoto" attribute would contain photograph(s) in binary [[JPEG]]/JFIF format. A "member" attribute contains the DNs of other directory entries. Attribute definitions also specify whether the attribute is single-valued or multi-valued, how to search/compare the attribute (e.g. case-sensitive vs. case-insensitive and whether substring matching is supported), etc.
 
The schema defines ''object classes''. Each entry must have an objectClass attribute, containing named classes defined in the schema. The schema definition of the classes of an entry defines what kind of object the entry may represent - e.g. a person, organization or ___domain. The object class definitions also list which attributes the entry MAY and MUST contain. For example, an entry representing a person might belong to the classes "top" and "person". Membership in the "person" class would require the entry to contain the "sn" and "cn" attributes, and allow the entry also to contain "userPassword", "telephoneNumber", and other attributes. Since entries may belong to multiple classes, each entry has a complex of optional and mandatory attribute sets formed from the union of the object classes it represents.
 
The schema also includes various other information controlling directory entries.
 
Most schema elements have a name and a globally unique [[Object identifier]] (OID).
 
Directory servers may publish the directory schema controlling an entry at a base DN given by the entry's subschemaSubentry operational attribute. (An ''operational attribute'' describes operation of the directory rather than user information and is only returned from a search when it is explicitly requested.)
 
Server administrators can define their own schemas in addition to the standard ones. A schema for representing individual people within organizations is termed a [[white pages schema]].
 
==Variations==
A lot of the server operation is left to the implementor or administrator to decide. Accordingly, servers may be set up to support a wide variety of scenarios.
 
For example, data storage in the server is not specified - the server may use flat files, databases, or just be a gateway to some other server. Access control is not standardized, though there has been work on it and there are commonly used models. Users' passwords may be stored in their entries or elsewhere. The server may refuse to perform operations when it wishes, and impose various limits.
 
Most parts of LDAP are extensible. Examples: One can define new operations. ''Controls'' may modify requests and responses, e.g. to request sorted search results. New search scopes and Bind methods can be defined. Attributes can have ''options'' that may modify their semantics.
 
==Other data models==
As LDAP has gained momentum, vendors have provided it as an access protocol to other services. The implementation then recasts the data to mimic the LDAP/X.500 model, but how closely this model is followed varies. For example, there is software to access [[SQL]] databases through LDAP, even though LDAP does not readily lend itself to this. [[X.500]] servers may support LDAP as well.
 
Similarly, data which were previously held in other types of data stores are sometimes moved to LDAP directories. For example, Unix user and group information can be stored in LDAP and accessed via [[Pluggable Authentication Modules|PAM]] and [[Name Service Switch|NSS]] modules. LDAP is often used by other services for authentication.
 
==Usage==
 
===Applications===
One reason to choose LDAP for a service is that it is quite widely supported, and data presented in LDAP is thus immediately available to many clients and libraries. Another is that LDAP is very general and includes basic features like security, and can support many types of applications.
 
Thus, if one chooses a few general protocols like LDAP and [[Hypertext Transfer Protocol|HTTP]] for various services, one can focus on these few protocols instead of having to maintain and upgrade many specialized protocols.
 
Two common applications of LDAP are for computer user/group data, and for address book information (persons, departments etc). Many e-mail clients support LDAP lookups.
 
Some tasks LDAP does not handle well are to model a relational database, and data whose ordering must be preserved. (Though an extension does exist for the latter.)
 
===Naming structure===
Since an LDAP server can return referrals to other servers for requests the server itself will not/can not serve, a naming structure for LDAP entries is needed so one can find a server holding a given DN. Since such a structure already exists in the [[Domain name system]] (DNS), servers' top level names often mimic DNS names.
 
If an organization has ___domain name foo.bar.baz, its top level LDAP entry will therefore typically have the DN dc=foo,dc=bar,dc=baz (where dc means ___domain component). If the ldap server is also named ldap.foo.bar.baz, the organization's top level LDAP URL becomes ldap://ldap.foo.bar.baz/dc=foo,dc=bar,dc=baz.
 
Below the top level, the entry names will typically reflect the organization's internal structure or needs rather than DNS names.
 
==Terminology==
The LDAP terminology one can encounter is quite a mess. Some of this is due to misunderstandings, other examples are due to its historical origins, others arise when used with non-X.500 services that use different terminology.
 
For example, "LDAP" is sometimes used to refer to the protocol, other times to the protocol and the data. An "LDAP directory" may be the data or also the access point. An "attribute" may be the attribute type, or the contents of an attribute in a directory, or an attribute description (an attribute type with ''options''). An "anonymous" and an "unauthenticated" Bind are different Bind methods that both produce anonymous authentication state, so both terms are being used for both variants. The "uid" attribute should hold user names rather than numeric user IDs.
 
==Supporting vendors==
LDAP has gained wide support from vendors such as:
* [[Apache Software Foundation|Apache]] (through [[Apache Directory Server]])
* [[Apple Computer|Apple]] (through Open Directory/OpenLDAP)
* [[AT&T]]
* [[Avaya]] (through [[Directory Enabled Management]])
* [[Banyan (company)|Banyan]]
* [http://www.ca.com/ CA] (through [http://www3.ca.com/solutions/Product.aspx?ID=160 eTrust Directory])
* [http://www.cisco.com/ Cisco]
* [http://www.criticalpath.net/ Critical Path]
* [[eB2Bcom]] (through [[View500]])
* [[RedHat]] through Fedora Directory Server aka Red Hat Directory server
* [[Hewlett-Packard]]
* [[Identyx]]
* [[International Business Machines|IBM]]/[[Lotus Development|Lotus]]
* [[ISODE]] (through M-Vault server)
* [http://www.maxware.com/ MaXware] (through MaXware Virtual Directory)
* [[Microsoft]] (through [[Active Directory]])
* [[Netscape]] (now in [[Sun Microsystems]] and [[Red Hat]] products)
* [[NITIX]]
* [[Novell]] (through [[Novell eDirectory|eDirectory]])
* [[OctetString]] (through VDE server)
* [[Oracle Corporation|Oracle]] (through [[Oracle Internet Directory]])
* [[Radiant Logic]] (through RadiantOne Virtual Directory Server)
* [http://www.redhat.com/en_us/USA/home/solutions/directoryserver/ Red Hat Directory Server ]
* [[Siemens AG]] (through DirX server)
* [[Silicon Graphics|SGI]] and
* [[Sun Microsystems|Sun Microsystems]] [http://www.sun.com/software/products/directory_srvr_ee/index.xml Directory Server Enterprise Edition 6] and Sun Java Systems Directory Server 5.2
* [http://www.symlabs.com/ Symlabs] (through [http://www.symlabs.com/Products/DirExt.html Directory Extender 3.0])
as well as in [[open source]]/[[free software]] implementations such as [[OpenLDAP]], [[Fedora Directory Server]] and the [http://lds.linbox.org Linbox Directory Server].
Also the [[Apache HTTP Server]] used as a [[proxy]] (by the module mod_proxy) supports LDAP.
 
===LDAP implementations===
* [http://directory.apache.org Apache Directory Server]
* [http://www3.ca.com/solutions/Product.aspx?ID=160 CA eTrust Directory]
* [http://theLDAPcompany.com AE SLAPD LDAP Server for Windows]
* [http://www.criticalpath.net/ Critical Path] Directory Server and Meta Directory Server
* [http://directory.fedora.redhat.com Fedora Directory Server]
* [http://www.redhat.com/software/rha/directory/ Red Hat Directory Server]
* [[OpenLDAP]]
* [http://alphacentauri.co.nz SIDVault] (Simple Integration Database)
* [http://www.novell.com/products/edirectory/ Novell eDirectory]
* [http://www.sun.com/dsee Sun Directory Server Enterprise Edition]
* [[IBM SecureWay Directory]]
* [[IBM Tivoli Directory Server]] (formerly IBM Directory Server)
* [[IBM Lotus Domino]]
* [http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx Windows Server 2003 Active Directory]
* [http://www.siemens.com Siemens] DirX
* [http://www.view500.com View500]
* [http://en.wikipedia.org/wiki/Oracle_Internet_Directory Oracle Internet Directory]
* [http://www.fefe.de/tinyldap/ tinyldap] a small LDAP implementation
 
===LDAP clients and libraries===
* [http://www.plangear.com/ldapxl/ LDAPxl], A directory services add-in for Microsoft Office that allows you to query LDAP servers and import data directly into your Excel worksheet, Word document, and Access database.
* [http://lds.linbox.org Linbox Directory Server], offers a [[Web-interface]] to manage the [[Samba (software)|Samba]] [[___domain controller]] and the LDAP [[directory service]].
* [[phpLDAPadmin]], a web-based LDAP browser/server manager
* [http://edsadmin.sourceforge.net/ EDS Admin tool]
* [http://www.softerra.com/products/ldapbrowser.php Softerra] Freeware Browser and paid for Administrator products
* [http://www.jxplorer.org JXplorer java OSS LDAP Client]
* [[GQ (software)|GQ]] ([http://sourceforge.net/projects/gqclient Homepage]) (GTK+ based)
* [[Luma (Software)|Luma]] ([http://luma.sourceforge.net Homepage]), written in Python (Qt based)
* [http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod Net::LDAP] Perl API, written in Perl
* [http://www.perldap.org PerLDAP], an interface to the C SDK API, and a set of Object Oriented Perl classes
* [http://python-ldap.sourceforge.net/ Python-LDAP], LDAP API for the [[Python (programming language)|Python]] language
* [http://rubyforge.org/projects/ruby-activeldap/ ActiveLDAP], Object oriented LDAP API for [[Ruby programming language|Ruby]]
* [http://rubyforge.org/projects/net-ldap/ Ruby Net::LDAP], Pure [[Ruby programming language|Ruby]] LDAP API
* [http://www.maxware.com/ MaXware] - Directory Explorer (free Windows LDAP Browser client)
* [http://www.mozilla.org/directory/ Mozilla Directory (LDAP) SDK Project] - clients and C, Java and Perl libraries
* [http://oss.gonicus.de/gosa/index.php/Main_Page Gosa ] Gosa: A PHP Based Admin tool
* [http://jamm.sourceforge.net/ Jamm] Jamm, (Java Mail Manager) is a web application to manage virtual email account information stored in an LDAP directory.
* [http://ldapadmin.sourceforge.net/ LDAP Admin], an open source LDAP client for Windows
* [http://www.symlabs.com/ Symlabs] Virtual Directory Server - LDAP Proxy - LDAP Gateway
* [http://www.ldapservices.com/ LDAP Services] LDAP clients for ActiveX and .Net
 
==References==
{{FOLDOC}}
* [http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/ic/&toc=comp/mags/ic/2004/05/w5toc.xml&DOI=10.1109/MIC.2004.44]LDAP: Framework, Practices, and Trends
* The [[X.500]] series - ITU-T Rec. X.500 to X.521
* [[Abstract syntax notation one|ITU-T Rec. X.680]], "Abstract Syntax Notation One (ASN.1) - Specification of Basic Notation", 1994
* [[Basic encoding rules]] (BER) - ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic, Canonical, and Distinguished Encoding Rules", 1994
* RFC 4346 - The [[Transport Layer Security|TLS]] Protocol Version 1.1
* RFC 4422 - Simple Authentication and Security Layer ([[SASL]])
* [http://www.iana.org/assignments/sasl-mechanisms SASL mechanisms] registered at IANA
 
==See also==
* [[LDAP Data Interchange Format]] (LDIF)
* [[LDAP Application Program Interface]]
* [[Directory service]]
* [[X.500]]
* [[Transport Layer Security|Transport Layer Security (TLS)]]
* [[SASL|Simple Authentication and Security Layer (SASL)]]
 
==External links==
*[http://www.ldapservices.com/ ActiveX and .Net LDAP libraries] LDAP Services
*[http://www.paldap.org/ PALDAP, A Lazy Directory Administrator's Pal] An LDAP Wiki
*[http://www.emailman.com/ldap/public.html Public LDAP Servers] Look up people at many different universities, institutions, etc.
*[http://www.tldp.org/HOWTO/LDAP-HOWTO/ Linux LDAP HOWTO]
*[http://www.bind9.net/ldap/ LDAP Articles, Links, Whitepapers]
*[http://www.bind9.net/ldap-tools LDAP Software, Tools & Utilities]
*[http://twistedmatrix.com/users/tv/ldap-intro/ldap-intro.html Nice Neat Introduction To LDAP with examples ]
*[http://www.ilex.fr/openldap.htm OpenLDAP install for Windows with support of the LDAPS protocol]
*[http://forge.novell.com/modules/xfmod/project/showfiles.php?group_id=1318 LDAP Libraries for C#].
*[http://www.zytrax.com/books/ldap/ LDAP for Rocket Scientists] - Comprehensive LDAP Guide/Tutorial
*[http://www.mark-macdonald.com/ldap/ OpenLDAP Chaining] - A guide to chaining implementation with OpenLDAP
*[http://www.freesoftwaremagazine.com/free_issues/issue_03/ldap/ The importance of LDAP] A commentary by Tom Jackiewicz about LDAP
*[http://nermus.its.ac.id/show/main.php?track0=3&track1=0&&howto=central-auth&xml=no HOWTO on LDAP + SASL + KERBEROS Master/Slave Central Authentication] A Complex Howto By Danang Wijanarko
*[http://www.techie-blogs.com/wordpress/web/net/ldap-to-sql-perl-code/ LDAP to SQL] - Perl code extracting from a hierarchical structure and producing a relational one
*[http://wiki.debian.org/LDAP A Wiki for using LDAP in Debian]
*[http://yolinux.com/TUTORIALS/LinuxTutorialLDAP.html A loose collection of Linux LDAP tutorials]
*[http://www.nabber.org/projects/oneldap/ OneLDAP] An LDAP gateway to standard protocols like POP3 and IMAP.
*[http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/index.html LDAP schema design]
*[http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/index.html Security with LDAP]
===Articles===
* [http://www.trizsite.com/articles/jul2006/Inventions%20on%20LDAP%20data%20storage-%20A%20study%20based%20on%20US%20patents.pdf Inventions on LDAP data storage- A study based on US patents ]
* [http://www.trizsite.com/articles/jul2006/Inventions%20on%20LDAP%20data%20storage-%20A%20TRIZ%20based%20analysis.pdf Inventions on LDAP data storage- A TRIZ based analysis]
* [http://www.trizsite.com/articles/aug2006/Inventions%20on%20LDAP%20security-%20A%20TRIZ%20based%20analysis.pdf Inventions on LDAP security- A TRIZ based analysis]
* [http://www.trizsite.com/articles/aug2006/Inventions%20on%20LDAP%20data%20management-%20a%20TRIZ%20based%20analysis.pdf Inventions on LDAP data management- a TRIZ based analysis ]
* [http://www.trizsite.com/articles/aug2006/Inventions%20on%20LDAP%20Administration-%20A%20TRIZ%20based%20analysis.pdf Inventions on LDAP Administration- A TRIZ based analysis ]
* [http://www.trizsite.com/articles/aug2006/Inventions%20on%20Data%20Searching%20in%20LDAP.pdf Inventions on Data Searching in LDAP- A TRIZ based analysis ]
* [http://www.trizsite.com/articles/aug2006/Inventions%20on%20LDAP%20access%20interface.pdf Inventions on LDAP access interface- a TRIZ based analysis ]
* [http://www.trizsite.com/articles/sep2006/Inventions%20on%20Extending%20LDAP%20functionality.pdf Inventions on Extending LDAP functionality- A TRIZ based Analysis ]
* [http://www.trizsite.com/articles/sep2006/Inventions%20on%20Integrating%20LDAP%20with%20other%20directories.pdf Inventions on Integrating LDAP with other directories- A TRIZ based analysis ]
* [http://www.trizsite.com/articles/sep2006/Inventions%20on%20using%20LDAP%20for%20different%20purposes-Part-1.pdf Inventions on using LDAP for different purposes-Part-1]
* [http://www.trizsite.com/articles/sep2006/Inventions%20on%20using%20LDAP%20for%20different%20purposes-Part-2.pdf Inventions on using LDAP for different purposes-Part-2]
* [http://www.trizsite.com/articles/sep2006/Inventions%20on%20using%20LDAP%20for%20different%20purposes-Part-3.pdf Inventions on using LDAP for different purposes-Part-3 ]
 
===LDAP fora===
* [http://www.umich.edu/~dirsvcs/ldap/mailinglist.html LDAP mailinglist at umich.edu]
* "#ldap" [[Internet Relay Chat|IRC]] channel in the [[freenode]] IRC network
* [http://www.ietf.org/html.charters/ldapbis-charter.html LDAP (v3) Revision (ldapbis) Working Group]
* [https://www1.ietf.org/mailman/listinfo/ldapext LDAPext] (LDAP Extensions) mailing list - originally created for an [[IETF]] [[working group]]. The list is archived at [[Gmane]].
 
===RFCs===
LDAP is currently specified in a series of [[Request for Comments]] documents:
* RFC 4510 - Lighweight Directory Access Protocol (LDAP) Technical Specification Roadmap (replaced the previous LDAP Technical specification, RFC 3377, in its entirety)
* RFC 4511 - Lightweight Directory Access Protocol (LDAP): The Protocol
* RFC 4512 - Lightweight Directory Access Protocol (LDAP): Directory Information Models
* RFC 4513 - Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms
* RFC 4514 - Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names
* RFC 4515 - Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters
* RFC 4516 - Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator
* RFC 4517 - Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules
* RFC 4518 - Lightweight Directory Access Protocol (LDAP): Internationalized String Preparation
* RFC 4519 - Lightweight Directory Access Protocol (LDAP): Schema for User Applications
 
The following RFCs detail LDAP-specific Best Current Practices:
* RFC 4520 (also BCP 64) - Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP) (replaced RFC 3383)
* RFC 4521 (also BCP 118) - Considerations for Lightweight Directory Access Protocol (LDAP) Extensions
 
The following is a partial list of RFCs specifying LDAPv3 extensions:
* RFC 2247 - Use of [[Domain Name System|DNS]] domains in distinguished names
* RFC 2307 - Using LDAP as a [[Network Information Service]]
* RFC 2589 - LDAPv3: Dynamic Directory Services Extensions
* RFC 2649 - LDAPv3 Operational Signatures
* RFC 2696 - LDAP Simple Paged Result Control
* RFC 2798 - inetOrgPerson LDAP Object Class
* RFC 2849 - The LDAP Data Interchange Format ([[LDIF]])
* RFC 2891 - Server Side Sorting of Search Results
* RFC 3045 - Storing Vendor Information in the LDAP root DSE
* RFC 3062 - LDAP Password Modify Extended Operation
* RFC 3296 - Named Subordinate References in LDAP Directories
* RFC 3671 - Collective Attributes in LDAP
* RFC 3672 - Subentries in LDAP
* RFC 3673 - LDAPv3: All Operational Attributes
* RFC 3687 - LDAP Component Matching Rules
* RFC 3698 - LDAP: Additional Matching Rules
* RFC 3829 - LDAP Authorization Identity Controls
* RFC 3866 - Language Tags and Ranges in LDAP
* RFC 3909 - LDAP Cancel Operation
* RFC 3928 - LDAP Client Update Protocol
* RFC 4370 - LDAP Proxied Authorization Control
* RFC 4373 - LBURP
* RFC 4403 - LDAP Schema for UDDI
* RFC 4522 - LDAP: Binary Encoding Option
* RFC 4523 - LDAP: X.509 Certificate Schema
* RFC 4524 - LDAP: COSINE Schema (replaces RFC 1274)
* RFC 4525 - LDAP: Modify-Increment Extension
* RFC 4526 - LDAP: Absolute True and False Filters
* RFC 4527 - LDAP: Read Entry Controls
* RFC 4528 - LDAP: Assertion Control
* RFC 4529 - LDAP: Requesting Attributes by Object Class
* RFC 4530 - LDAP: entryUUID
* RFC 4531 - LDAP Turn Operation
* RFC 4532 - LDAP Who am I? Operation
* RFC 4533 - LDAP Content Sync Operation
 
LDAPv2 was specified in the following RFCs:
* RFC 1777 - Lightweight Directory Access Protocol (replaced RFC 1487)
* RFC 1778 - The String Representation of Standard Attribute Syntaxes (replaced RFC 1488)
* RFC 1779 - A String Representation of Distinguished Names (replaced RFC 1485)
 
LDAPv2 was moved to historic status by the following RFC:
* RFC 3494 - Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status
 
[[Category:Internet protocols]]
[[Category:Internet standards]]
[[Category:Identity management]]
 
[[ar:إل داب]]
[[bs:LDAP]]
[[bg:LDAP]]
[[cv:LDAP]]
[[cs:LDAP]]
[[de:Lightweight Directory Access Protocol]]
[[es:LDAP]]
[[eu:LDAP]]
[[fr:Lightweight Directory Access Protocol]]
[[id:LDAP]]
[[it:Lightweight Directory Access Protocol]]
[[nl:Lightweight Directory Access Protocol]]
[[ja:Lightweight Directory Access Protocol]]
[[no:Lightweight Directory Access Protocol]]
[[pl:Lightweight Directory Access Protocol]]
[[pt:Lightweight Directory Access Protocol]]
[[ro:LDAP]]
[[ru:LDAP]]
[[sk:LDAP]]
[[fi:LDAP]]
[[sv:LDAP]]
[[tr:LDAP]]
[[uk:Простий протокол доступу до каталогів]]
[[zh:轻型目录访问协议]]
Retrieved from "https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol"