Lightweight Directory Access Protocol (LDAP)

Definition of Lightweight Directory Access Protocol (LDAP) in The Network Encyclopedia.

What is LDAP (Lightweight Directory Access Protocol)?

An Internet protocol for accessing and updating information in an X.500-compliant directory. Users who run Lightweight Directory Access Protocol (LDAP) clients can connect to an X.500 directory service and add, delete, modify, or search for information if they have the appropriate access rights to the directory.

For example, a user can use an LDAP client to search a network directory for individuals, users, companies, or other information stored in the directory.

LDAP is designed to run over TCP/IP and can access information in both X.500-based directories and many non-X.500-based directories. The current version of LDAP is LDAPv3.

How it works

LDAP was designed by researchers at the University of Michigan to be an easier, more streamlined version of the standard X.500 Directory Access Protocol (DAP), which requires a full Open Systems Interconnection (OSI) protocol stack to run. LDAP consists of only 16 commands - 8 requests and 8 responses. These commands enable users to access, read, modify, and delete information in the directory if they have the appropriate permissions. Objects are referenced using their distinguished names, as in an X.500-based directory.

A directory that is designed specifically for LDAP clients is called an LDAP directory, but this is essentially the same as the X.500 directory structure. An LDAP directory is a distributed directory; portions of the directory can be stored on different directory servers in the network. These directory servers periodically synchronize with each other to keep their information up to date. The root of an LDAP directory branches into countries, then organizations, then organizational units (departments, sections, and so on), and finally into leaf objects, which can include people, servers, printers, and other network objects.

Microsoft Exchange Server stores its directory information in an X.500-style directory. Microsoft Outlook Express is a simple LDAP client that can be used to access personal information about recipients in an Exchange organization.

NOTE

Directory services that are not fully X.500-compliant but can be accessed and managed using LDAP are sometimes called LDAP directory services. An example of an LDAP directory is Active Directory in Microsoft Windows 2000.

Objects within an LDAP directory are identified by their distinguished names, the standard namespace for X.500 directories. Distinguished names are also sometimes referred to as the LDAP Standard Naming Convention.

An LDAP Uniform Resource Locator (URL) is another naming convention that can be used to allow LDAP clients to access objects in an LDAP directory. An LDAP URL is formed by appending the distinguished name of the directory object to the fully qualified domain name (FQDN) of the server containing the LDAP directory. For example, if Active Directory is installed on the server Server7.Microsoft.com, and the distinguished name of the object being referenced in Active Directory is

DC=com,DC=Microsoft,OU=Users,CN=Jeff Smith

the LDAP URL for referencing this object using an LDAP client is

LDAP://Server7.Microsoft.com/CN=Jeff
Smith/OU=Users/DC=Microsoft/DC=com