LDAP — Lightweight Directory Access Protocol

Bojitha Piyathilake
6 min readApr 4, 2022

--

In this article, I’ll give y’all a brief idea about LDAP and its structure. Then we’ll move into using Apache Directory Studio to manipulate data in an LDAP Server.

What is LDAP?

  • LDAP stands for Lightweight Directory Access Protocol.
  • From its name we can gather that it is a protocol. It works over an IP network for accessing and managing data organized in a hierarchical (tree like) structure.
  • LDAP isn’t the database, but the protocol used to communicate with one. LDAP server software will implement the database.
  • It stores data about users, systems, applications, networks (DNS, DHCP and email servers) and services.
  • It is not like SQL (text based query language), it is a binary protocol, so the data will be in the form of 0s and 1s.
  • LDAP is vendor neutral and can be used with a variety of directory programs.
  • Directory services are not intended to perform complex transactions. For example, rollback schemas aren’t supported
  • LDAP runs over TCP or UDP — Port 389. LDAP over SSL — Port 636.

LDAP Naming Model

Data is stored in a tree structure / directory, called the DIT — Directory Information Tree.

The Naming model defines how entries are identified and organized.

The structure of the database is defined through a schema. You will use the schema to describe the format and attributes of each item in the LDAP server.

Data Storage Structure in LDAP

RDN — Relative DN: Made up of name-value pairs. Eg: cn= Robert Smith. ou=Sales.

DN is the collection of RDNs. Eg: cn=Robert Smith, ou=People, dc=example, dc=com. DN is the complete path to uniquely identify a resource, by describing its position in the DIT.

  1. root is the starting point or source of the tree. It is typically made up of dc values. Eg: wso2.com
  2. dc domainComponent — wso2.com -> dc=wso2, dc=com
  3. c countries
  4. o organization — wso2
  5. ou organizationalUnit — divisions or departments. Eg: marketing, engineering, sales, HR. There can be multiple organizational units
  6. cn common name — Bojitha Piyathilake
  7. sn surname — Piyathilake
  8. dn distinguished name — “cn=Barbara Jenson, ou=Sales, o=Acme, st=California, c=US, dc=com, dc=wso2”

Notice that the DN is made when going up the DIT (Directory Information Tree)

Format of the DN in relation to the Tree Structure | Source: https://www.zytrax.com/books/ldap/apa/dn-rdn.html

Using Apache Directory Studio as the LDAP Server in Ubuntu

Under this section, I will lay out how you can use Apache Directory Studio GUI in Ubuntu to create an LDAP server and add users, modify users, delete users, create organizational units, add a user to a group, perform filtering and searching, etc.

First thing you’re going to want to do is download Apache Directory Studio. Get it from here.

Creating a Server and Establishing a Connection

1. Open Apache Directory Studio

2. Click on the “New Server” button on the LDAP Servers view (window on the bottom left)

3. Select “ApacheDS 2.0.0”

4. Click on the “Start Server” button right next to the new server button.

5. Right click on the server you started > Select “Create a Connection”

6. Go to the connections tab.

7. Right click on the connection in the connections tab and select “Properties”

8. Hostname: Localhost. Port number: 10389

9. Click on the “Open Connection” button next to the create connection button. Or right click on the connection and click on “Open Connection”.

Now you will be able to observe your DIT. It will look something like below.

Directory Information Tree (DIT) in Apache Directory Studio

Adding a User

  1. Right click on ou=users along the DIT.
  2. New entry > Create from scratch > objectClass = inetOrgPerson > Next
  3. dn can either be cn, uid, etc basis. This is the unique identifier for the user. Select whatever you want to use (I usually go with uid) and add the value > Click Next
  4. Add an sn and finish.

What is an Object Class?

All LDAP entries are typed, meaning they all belong to a particular objectClass, which helps to identify the type of data represented by the entry. An object class will represent the mandatory and optional attributes associated with an entry of that class.

Object classes are also in the form of a hierarchy, with “top” and “alias” being at the root of the hierarchy. OrganizationalPerson is a subclass of Person object class, which is a subclass of top object class.

When creating an entry we need to include all the object classes the entry belongs to along with the superclasses. For example, with the inerOrgPerson object class we can assign the attributes such as givenName, cn, sn etc to an entry.

Basically, the object classes determine what attributes an entry should/can have.

Adding new Attributes for a User

1. Go to the user entry in question

2. Click on the add attribute button

3. Select the relevant attribute type out of the list. Eg: userPassword, mail, etc.

4. Click Finish

5. Enter the value for the newly added attribute.

To Update an Attribute

  1. Double-click the value related to the attribute and change — Observe the change in the modification logs view (the window at the bottom of the screen).

Adding a new organizational unit

  1. Right click the node under which you want to add the new ou > New > Create from scratch
  2. objectClass = organizationalUnit > Click Next
  3. RDN: ou, value: name of the ou > Click Finish

Adding Groups under the Groups ou

  1. Right click on the Groups ou > New > Create from scratch
  2. objectClass = groupOfUniqueNames > Click Next
  3. RDN: cn or uid, value: name of the group > Click Finish

Finding the DN or URL of any resource

  1. Right click on the resource > Properties
Properties of an entry

Adding a user into a group such as Admin

  1. Copy the user’s dn.
  2. Go to the administrator group and add a new attribute named: uniqueMember.
  3. Paste the copied dn.

Searching and Filtering in LDAP

1. Right click on a particular node under which you wish to search > Click Quick Search

2. In the proceeding window we need to enter the filter details

  • Search Base: What level of the directory you will perform your search under.
  • Filter: The filtering conditions need to be mentioned here
  • Returning attributes: We can specify which attributes we need.

3. Click Apply and Close to perform the search.

If you want to know more about filters refer to this site (LDAP Filters), it is super simple to understand. But to get you started off here are some basic filters which should help you to create your own more complex filters.

  • (ObjectClass=*)

Any entry will have some object class. So this filter basically retrieves all entries.

  • (ObjectClass=Person)

Retrieves all entries who have an object class of Person

  • (&(ObjectClass=Person)(uid=Geralt))

Filters out the user with an object class of Person AND whose uid is Geralt.

Only the entries who meet all the conditions will be retrieved.

  • (|(uid=n*)(uid=d*))

Filters out users whose uid starts with d OR n.

The entries that meet condition 1 or 2 will be retrieved.

LDAP Filters

The order of execution is indeterminate, like an SQL WHERE clause: it depends on the indexing, index sizes, etc.

That’s all for this one folks. In my next blog, I’ll show y’all how to write a Java program to connect to an LDAP server and perform the operations which we have done with the GUI. See you there!

--

--

Bojitha Piyathilake
Bojitha Piyathilake

Written by Bojitha Piyathilake

I am an undergraduate at the University of Moratuwa following a degree in Information Technology and Management.

No responses yet