Understanding the LDAP Binding Component

About LDAP

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to access information directories. LDAP runs over TCP/IP. A directory service is a distributed database application designed to manage the entries and attributes in a directory.

LDAP allows clients to access different directory services based on entries. These LDAP entries are available to users and other applications based on access controls.

LDAP OpenLDAP Server

The Lightweight Directory Access Protocol (LDAP) Binding Component (BC) is a comprehensive solution for interacting with an LDAP directory running on an LDAP server. The design-time component of the LDAP Binding Component is a NetBeans module that allows configuration of the Binding Component. The runtime is based on Java EE and JBI. It implements all the necessary interfaces available in the JBI specification.

Entries, Attributes and Values

An LDAP directory has entries that contain information pertaining to entities. Each entry consists of attributes, and each attribute has a name and one or more values. The names of the attributes are mnemonic strings, such as cn for common name, or mail for email address.

For example, a company may have an employee directory. Each entry in the employee directory represents an employee. The employee entry contains such information as the name, email address, and phone number, as shown in the following example:

cn: John Doe
mail: johndoe@sun.com
mail: jdoe@stc.com
telephoneNumber: 471-6000 x.1234

Each part of the descriptive information, such as an employee's name, is known as an attribute. In the example above, the Common Name (cn) attribute represents the name of the employee. The other attributes are mail and telephoneNumber.

Each attribute can have one or more values. For example, an employee entry may contain a mail attribute whose values are johndoe@sun.com and jdoe@stc.com. In the previous example, the mail attribute contains two mail values.

LDAP Directory Structure

The organization of a directory is a tree structure. The topmost entry in a directory is known as the root entry. This entry normally represents the organization that owns the directory.

Entries at the higher levels of the hierarchy represent larger groupings or organizations. Entries under the larger organizations represent smaller organizations that make up the larger ones. The leaf nodes (or entries) of the tree structure represent the individuals or resources.

Distinguished Names and Relative Distinguished Names

An entry is made up of a collection of attributes and has a unique identifier called a Distinguished Name (DN). A DN uniquely identifies the entry at its level of the hierarchy. For example, John Doe and Jane Doe are different common names (cn) that identify different entries at the same level.

A DN is also a fully qualified path of names that trace the entry back to the root of the tree. For example, the distinguished name of the John Doe entry is:

cn=John Doe, ou=People, dc=sun.com

A Relative Distinguished Name (RDN) is a component of the distinguished name.

For example, cn=John Doe, ou=People is an RDN relative to the root RDN dc=sun.com.


Note –

DNs describe the fully qualified path to an entry.

RDNs describe the partial path to an entry relative to another entry in the tree.


The figure illustrates an example of an LDAP directory structure with distinguished names and relative distinguished names.

Figure: LDAP Directory Structure
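An added example, not part of the original documentation, that splits a DN such as cn=John Doe, ou=People, dc=sun.com into its RDNs and checks whether an entry lies under a given base entry in the tree (useful when scoping a search or an access rule to one subtree). The comparison is a simple case-insensitive match of whole RDN strings, which is an assumption made here rather than full RFC 4514 DN matching.

```python
def split_rdns(dn: str) -> list:
    """Split a DN into its RDN components, left (leaf) to right (root).

    RFC 4514 lets a literal comma inside a value be escaped with a
    backslash, so only unescaped commas separate RDNs.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def parent_dn(dn: str) -> str:
    """DN of the entry one level closer to the root (the RDNs minus the first)."""
    return ", ".join(split_rdns(dn)[1:])


def is_under(dn: str, base: str) -> bool:
    """True when dn is base itself or lies below base in the tree.

    Assumption: RDNs are compared as lower-cased strings, not with
    attribute-specific LDAP matching rules.
    """
    d = [r.lower() for r in split_rdns(dn)]
    b = [r.lower() for r in split_rdns(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    john = "cn=John Doe, ou=People, dc=sun.com"  # the DN from the text above
    print(split_rdns(john))
    print(parent_dn(john))
    print(is_under(john, "ou=People, dc=sun.com"))  # True
    print(is_under(john, "ou=Groups, dc=sun.com"))  # False
```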

LDAP Service and LDAP Client

A Directory Service is a distributed database application designed to manage the entries and attributes in a directory. A directory service also makes the entries and attributes available to users and other applications. OpenLDAP server is an example of a directory service. Other directory services include Sun Active Directory Service (Sun Microsystems) and Microsoft Active Directory.

A directory client uses the LDAP protocol to access a directory service. A directory client may use any of several available client APIs to access the directory service.

Terms and Definitions

  1. Schema

    • Set of rules that describes the nature of the data that is stored

    • Helps maintain consistent, high-quality data

    • Reduces duplication of data

    • The object class attribute (objectclass) determines the schema rules the entry must follow

    • Schema contains the following:

      • Required attributes

      • Allowed attributes

      • The method to compare attributes

      • Limits what an attribute can store, for example, restricting it to integers

      • Restricts what information is stored, which prevents duplication

  2. Attribute Abbreviation

    • User id : uid

    • Common Name : cn

    • Surname : sn

    • Location : l

    • Organizational Unit : ou

    • Organization : o

    • Domain Component : dc

    • State : st

    • Country : c

    • Street address : street

  3. Search Filters

    • Criteria that an entry's attributes must satisfy for the entry to be returned

    • Base DN: the base object entry that the search is performed relative to

    • Prefix notation

    • Standards

      • LDAP String Representation of Search Filters

      • LDAPv3 Search Filters

    • Operators

      • AND : &

      • OR : |

      • NOT : !

      • Approximately equal : ~=

      • Greater than or equal : >=

      • Less than or equal : <=

      • Any : *

    • Examples:

      • (objectclass=posixAccount)

      • (cn=Mickey M*)

      • (|(uid=fred)(uid=bill))

      • (&(|(uid=jack)(uid=jill))(objectclass=posixAccount))
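An added example, not code from the original documentation, that builds filters in the string representation listed above (the &, |, !, and * operators) from attribute values. Values are escaped as the LDAP string representation of search filters (RFC 4515) requires, so that a value containing *, (, ), \ or NUL is matched literally instead of being read as filter syntax, and a small structural check confirms that a finished filter has balanced parentheses. The helper names are this example's own.

```python
# RFC 4515 escapes for the characters that carry meaning inside a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(value: str) -> str:
    """Escape an attribute value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    """(attr=value) with the value escaped; attr is a fixed attribute name."""
    return f"({attr}={escape_value(value)})"


def prefix(attr: str, value: str) -> str:
    """(attr=value*): only the deliberate trailing wildcard is left unescaped."""
    return f"({attr}={escape_value(value)}*)"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    return "(!" + filt + ")"


def is_balanced(filt: str) -> bool:
    """Every '(' has a matching ')'. Escaped parentheses appear as \\28 and
    \\29 once escaped, so only syntax parentheses are counted here."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def page_examples() -> list:
    """Rebuild the four filters listed in the Search Filters section."""
    return [
        eq("objectclass", "posixAccount"),
        prefix("cn", "Mickey M"),
        or_(eq("uid", "fred"), eq("uid", "bill")),
        and_(or_(eq("uid", "jack"), eq("uid", "jill")), eq("objectclass", "posixAccount")),
    ]


if __name__ == "__main__":
    for f in page_examples():
        print(f, is_balanced(f))
    # Constructed sample value containing filter metacharacters: after escaping
    # the filter is still a single equality test on uid.
    print(eq("uid", "jack)(uid=*"))  # (uid=jack\29\28uid=\2a)
```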