Lightweight Directory Access Protocol (LDAP) is a protocol for accessing directory servers. In other words, LDAP is a directory, not a database. There are no rows or tables in LDAP’s directory and there are no relational links. This means LDAP is a simple yet structured directory design that is easy to navigate.


Every object in LDAP can contain one or more sub-objects, much like the folder and sub-folder relationship used in Windows operating systems. LDAP runs directly over TCP port 389 by default. It is used to store information about users, including the network privileges assigned to each user. Revoking or changing privileges can be done from one entry in the LDAP directory, rather than at many machines across the network. LDAP also supports SSL and TLS for security.


LDAP Key Terms and Components


Following is a list of key terms and components along with their respective definitions.


Distinguished Names

Distinguished Names (DNs) are a fundamental part of LDAP. It is the name that uniquely identifies an entry in the directory. LDAP uses path syntax to identify objects in the store.


Typical Windows path syntax:


DNs work in reverse order, meaning the most specific node is on the left of the path syntax.


Typical example of a DN:



This DN is composed of four Relative Distinguished Name (RDN) parts:


Each RDN is a child of the object whose RDN is to its right. The object deepest in the tree in this DN example is the object, CN=SomeUser.

Each RDN is made up of two parts: the name of the attribute that provides the primary name of the object, and the value of that attribute. In this example, CN, which stands for Common Name, is the name of the attribute that provides the primary name for objects of its class. SomeUser is the value of this attribute. There are also RDN attributes for OU (Organizational Unit) and DC (Domain Component).


Like any file system, the name for an object in an LDAP container must be unique. Thus, CN=Kate uniquely identifies this object within its container, OU=CustomerSupport. As a result, the entire DN uniquely identifies this particular object in the entire directory tree.


Search Operation

The most important operation in LDAP is the ability to search. This is how objects are found in the directory tree and how values are read. The syntax is somewhat different from more familiar query syntaxes such as SQL. However, LDAP is also much simpler than SQL with SQL's joins, sub-queries, ordering, and grouping. An LDAP query is composed of four basic parts: a search root, a search scope, a filter, and a list of attributes to return. There are more parameters and options, but these basic four are enough for most cases.

Search Root

The search root determines the place in the tree from which the search will start. This value is passed as a DN in string format. To search the entire directory, pass the DN of the object that is the root of the tree. To search lower in the hierarchy, specify a lower-level DN.

Search Filter

The search filter determines which objects will be returned in the query. It is analogous to the Where clause in a SQL statement. Each object in the scope of the query will be evaluated against the filter to determine whether or not it matches. Objects that do not meet the filter criteria are eliminated from the search.