A directory is a special purpose hierarchical database that usually contains typed information such as text strings, binary data, or X.509 certificates.
LDAP stands for Lightweight Directory Access Protocol. The word Protocol is the key word in that definition: LDAP is NOT hardware or software. It is a protocol that defines how a client and a server communicate with one another.
The Lightweight Directory Access Protocol is defined in a series of Requests For Comments, better known as RFCs. The RFCs can be found on the Internet at http://www.ietf.org/ (the master repository) and many other places. There's a link to all the LDAP-related RFCs at Perl-LDAP's web site, http://perl-ldap.sourceforge.net/rfc.html. Some of the more important RFC numbers are RFC 1777 for LDAPv2 and RFC 2251 for LDAPv3.
Strictly speaking, there is no such thing as an LDAP directory. In practice, directory professionals refer to their directory every day as "an LDAP directory" because it is easy to say and it conveys the protocol used to communicate with the directory. Under this definition, an LDAP directory is a directory whose server software conforms to the Lightweight Directory Access Protocol when communicating with a client.
In traditional directory terminology, a directory object is called an Entry. Entries are composed of attributes that contain the information to be recorded about an object.
(An entry in LDAP is somewhat analogous to a record in a table in an SQL database, but don't get too hung up about this analogy!)
Entries are held in an upside-down tree structure. Entries can therefore contain subordinate entries, and entries must have one direct superior entry.
Entries with subordinate entries are called 'non-leaf' entries.
Entries without subordinate entries are called 'leaf' entries.
An entry's direct superior entry is called the entry's 'parent'.
'Non-leaf' entries are also said to have 'child' entries.
The entries in a directory are composed of attributes that contain information about the object. Each attribute has a type and can contain one or more values.
For example, an attribute of type "cn" with one value.
Each attribute is described by a 'syntax' which defines what kind of information can be stored in the attribute's values. Trying to store a value that doesn't conform to the attribute's syntax will result in an error.
Attributes may also be searched. The algorithms used to perform different kinds of searches are described by the attribute's 'matching rules'. Some matching rules are case-sensitive and some are case-insensitive, for example. Sometimes matching rules aren't defined for a particular attribute: there's no way to search for jpegPhotos that contain a substring!
You can examine all of a server's attribute definitions by reading the schema from the server.
Distinguished Name (DN).
Every entry in a directory has a Distinguished Name, or DN. It is a unique identifier for the entry throughout the complete directory: no two entries can have the same DN within the same directory.
Examples of DNs:
cn=Road Runner, ou=bird, dc=cartoon, dc=com
ou=bird, dc=cartoon, dc=com
dc=cartoon, dc=com
dc=com
What is a Relative Distinguished Name?
Every DN is made up of a sequence of Relative Distinguished Names, or RDNs. The RDNs in the sequence are separated by commas (,). In LDAPv2 semi-colons (;) were also allowed. There can be more than one identical RDN in a directory, but they must have different parent entries.
Technically, an RDN contains attribute-value assertions, or AVAs. When an AVA is written down, the attribute name is separated from the attribute value with an equals (=) sign.
Example of a DN:
cn=Road Runner, ou=bird, dc=cartoon, dc=com
RDNs of the preceding DN:
RDN => cn=Road Runner
RDN => ou=bird
RDN => dc=cartoon
RDN => dc=com
RDNs can contain multiple attributes, though this is somewhat unusual. They are called multi-AVA RDNs, and each AVA is separated from the others in the RDN with a plus sign (+).
Example of a DN with a multi-AVA RDN:
Where is an entry's name held?
Entries do not contain their own DN as an attribute. When you retrieve entries with a search, the server tells you the DN of each entry it returns.
On the other hand, entries do contain their RDN. Recall that the RDN is formed from one or more attribute-value assertions (AVAs); each entry must contain all the attributes and values in the RDN.
For example the entry:
must contain a 'cn' attribute containing at least the value "Road Runner", and an 'l' attribute containing at least the value "Arizona".
The attributes used in the RDN may contain additional values, but the entry still only has one DN.
A search base is a Distinguished Name that is the starting point of search queries.
Example of a DN:
cn=Road Runner,ou=bird,dc=cartoon,dc=com
Possible search bases for the preceding DN:
Base => cn=Road Runner,ou=bird,dc=cartoon,dc=com
Base => ou=bird,dc=cartoon,dc=com
Base => dc=cartoon,dc=com
Base => dc=com
Setting the search base to the deepest branch of the directory that still contains all the entries you are interested in will speed up searches considerably.
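The DN, RDN, multi-AVA and search-base rules described above, worked through in code. This is an added example and is not code from the Perl-LDAP FAQ or the Net::LDAP project; the function names (parse_dn, format_dn, parent_dn, search_bases, entry_has_rdn) are this example's own. It goes one step beyond the page by handling the backslash escaping that the RFC 4514 string form of a DN requires for special characters such as commas and plus signs inside a value, which matters whenever a DN is assembled from user-supplied strings: an unescaped comma in a value silently changes where one RDN ends and the next begins.

```python
"""Distinguished Name helpers: parse a DN into RDNs and AVAs, rebuild it,
derive the parent DN and candidate search bases, and check that an entry
carries the attribute values that make up its own RDN.

Added example, not code from the Perl-LDAP FAQ or Net::LDAP. Follows the
RFC 4514 string form: RDNs separated by commas, AVAs inside an RDN by plus
signs, special characters escaped with a backslash ("\\," or hex "\\2C").
"""
from typing import Dict, List, Tuple

AVA = Tuple[str, str]   # (attribute type, attribute value)
RDN = List[AVA]         # one AVA, or several joined with '+' (multi-AVA RDN)

_SPECIAL = ',+"\\<>;'   # characters that must be backslash-escaped in a value
_HEX = "0123456789abcdefABCDEF"


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(ch + text[i + 1])   # keep the escape pair verbatim for now
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Remove backslash escapes. Hex pairs are decoded as single bytes
    (Latin-1); multi-byte UTF-8 hex sequences are not reassembled here."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def _escape(value: str) -> str:
    """Escape a raw attribute value for inclusion in a DN string."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.endswith(" "):
        out = out[:-1] + "\\ "     # trailing space must be escaped
    if out[:1] in ("#", " "):
        out = "\\" + out           # so must a leading '#' or space
    return out


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into its RDNs, most specific (leftmost) first."""
    if not dn.strip():
        return []                  # the empty DN (root) has no RDNs
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        avas: RDN = []
        for ava_text in _split_unescaped(rdn_text, "+"):
            attr, eq, val = ava_text.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed AVA: {ava_text!r}")
            # Whitespace around separators ("cn=Road Runner, ou=bird") is not
            # significant, but an escaped trailing space ("\\ ") is kept.
            val = val.lstrip()
            while val.endswith(" ") and not val.endswith("\\ "):
                val = val[:-1]
            avas.append((attr.strip().lower(), _unescape(val)))  # types are case-insensitive
        rdns.append(avas)
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    """Serialise RDNs back into a DN string, escaping values as needed."""
    return ",".join("+".join(f"{a}={_escape(v)}" for a, v in rdn) for rdn in rdns)


def parent_dn(dn: str) -> str:
    """DN of the entry's direct superior; the parent of a single-RDN DN is ''."""
    return format_dn(parse_dn(dn)[1:])


def search_bases(dn: str) -> List[str]:
    """Every DN at which a search could be based to reach this entry, from the
    entry itself (narrowest, fastest) up to the root suffix (widest, slowest)."""
    rdns = parse_dn(dn)
    return [format_dn(rdns[i:]) for i in range(len(rdns))]


def entry_has_rdn(dn: str, attrs: Dict[str, List[str]]) -> bool:
    """True if the entry's attributes contain every AVA of its RDN. Values are
    compared case-insensitively, which assumes a caseIgnore-style matching
    rule; a real server applies whatever rule the attribute's schema defines."""
    rdns = parse_dn(dn)
    if not rdns:
        return False
    have = {t.lower(): {v.casefold() for v in vals} for t, vals in attrs.items()}
    return all(v.casefold() in have.get(a, set()) for a, v in rdns[0])


if __name__ == "__main__":
    for base in search_bases("cn=Road Runner, ou=bird, dc=cartoon, dc=com"):
        print("Base =>", base)
```

Running the module prints the four search bases listed for the Road Runner entry. entry_has_rdn encodes the rule that an entry must carry every attribute and value of its RDN: for the multi-AVA RDN cn=Road Runner+l=Arizona it checks both the cn and the l values, and the cn attribute may hold additional values without changing the result.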