Appendix D - LDAP Glossary

The glossary gives a quick definition of a term and may contain a link to further information either on this site or off-site.

Term Explanation
anonymous A session is described as anonymous if neither a DN nor a password (credentials) is supplied when initiating the session (sending the bind). LDAP (RFC 4513) also defines an unauthenticated bind, called unauthorized in this glossary, in which a DN is supplied with the bind but no password. The net effect of such a bind in OpenLDAP, where it is permitted at all, is to create an anonymous session, not a session for the named DN.
ASN.1 The ITU-T's Abstract Syntax Notation One (X.208/X.680 series). A language for describing data structures, paired with rules for encoding them. ASN.1 is used to encode protocol data units (PDUs a.k.a messages, blocks or frames) using a variety of encoding systems including BER (Basic Encoding Rules, X.690), CER (Canonical Encoding Rules), DER (Distinguished Encoding Rules), XER (XML Encoding Rules) and PER (Packed Encoding Rules, X.691). LDAP uses only the simpler BER, and a restricted subset of it at that (definite lengths only, primitive encoding of strings; RFC 4511 section 5.1), rather than the stupefyingly complicated PER. ASN.1 OIDs described. ASN.1 SYNTAX overview.
Attribute The data in an entry is contained in attribute-value pairs. Each attribute has a name (and sometimes a short form of the name) and is referenced, as MUST or MAY, by one or more objectClasses. The attribute's characteristics (syntax, matching rules, single- or multi-valued) are fully described by its attribute type definition, written in ASN.1-style notation. One or more objectClasses and attribute types are packaged in a Schema. Depending on the definition of the attribute there can be one (SINGLE-VALUE) or more than one (the default) attribute-value pair of the same named attribute in an entry. One (or more) attribute(s), the naming attribute or RDN, uniquely identifies an entry among its siblings; combined with the parent's DN it uniquely identifies the entry in the DIT.
authenticated A session is described as authenticated if a user DN and a password (or other credentials) are supplied, and verified by the server, when initiating the session (sending the bind).
AVA Attribute Value Assertion: an attribute type paired with a value, e.g. uid=bill. AVAs are the building blocks of RDNs and of equality search filters.
Base The base entry (a.k.a root and suffix) is one of many terms commonly used to describe the topmost entry in a DIT or naming-context. The term base seems to be used because the search scope base in a LDAP URL or other search typically uses this value. The Root DSE is the highest level in an LDAP enabled directory. Base Naming.
BER Basic Encoding Rules, an ITU-T binary format (defined in X.690) for formatting ASN.1 values for transmission within a protocol. LDAP also defines textual representations for DNs (RFC 4514), search filters (RFC 4515) and entries (LDIF), and these are what tools, APIs and LDAP URLs use; on the wire, however, every LDAP message, search filters included, travels inside a BER-encoded PDU.
bind When a connection is made to an LDAP server the first operation of the sequence is normally a bind (LDAPv3 does not strictly require one; operations sent before a successful bind are processed as anonymous). The bind operation sends the DN of the entry that will be used for authentication and the password to be used. In the case of an anonymous bind both values are empty (zero-length) strings.
Chaining When a Referral ObjectClass is encountered by an LDAP server during a search operation it may be returned as a Referral to the requesting client or the Server may be configured to follow the referral using a process known as chaining through use of the overlay chain directive. By default OpenLDAP returns referrals but may be configured to implement chaining with consequent performance overheads. For more information.
Client Client a.k.a LDAP Client describes a piece of software that provides access to an LDAP server. Most standard web browsers (MSIE and Gecko) provide limited LDAP client capabilities using LDAP URLs. LDAP browsers and web interfaces are both very common examples of LDAP clients. List of Open Source Clients.
Component Matching Component Matching (RFC 3687) provides both an alternative (but longer) search filter syntax for simple attributes and a method by which components (parts or instances) of compound attributes may be extracted and searched. More Information.
contextCSN The Change Sequence Number (CSN) of the context (the highest entryCSN used in the context or synchronization search scope). CSNs (both entryCSN and contextCSN) are extensively used in OpenLDAP syncrepl style replication operations. The contextCSN is included in the SyncCookie. CSNs appear to be only defined in an expired RFC draft draft-chu-ldap-csn-xx.txt and for version 2.4 in this FAQ.
consumer Describes a server which uses (consumes) a service which is supplied by a provider server. An example of a consumer is an RFC 4533 Sync Client used in replication.
CSN The Change Sequence Number (CSN) used OpenLDAP to identify changes in a replicated configuration. CSNs appear to be only defined in an expired RFC draft draft-chu-ldap-csn-xx.txt and for version 2.4 in this FAQ.
DAP Directory Access Protocol. X.500 term for an OSI based network protocol that enables access to a DSA and which implies the directory data model.
DIT The Directory Information Tree (a.k.a the naming-context). The DIT is the hierarchy of objects that make up the local directory structure. More than one DIT may be supported by an LDAP server; the namingContexts attribute of the Root DSE lists them. Further Information
DN The Distinguished Name. A DN is comprised of a series of RDNs that uniquely describe the naming attributes on the path UP the DIT from the required entry to the directory root. A DN is written LEFT to RIGHT, starting with the entry's own RDN and ending with the root, and looks something like this:
DN: uid=bill,ou=people,dc=smokeyjoe,dc=com
More info.
DSA Directory System Agent. X.500 term for any DAP or LDAP enabled directory service e.g. an LDAP server.
DSE DSA Specific Entry (DSE). An entry holding information specific to the local directory server rather than directory data; see Root DSE.
entry The name given to a stored object in an LDAP enabled directory. Each entry has one parent entry (object) and zero or more child entries (objects). The data content of an entry consists of one or more attributes, one (or more) of which is (are) used as the naming attribute (more correctly the RDN) to uniquely identify this object among its siblings in the DIT.
entryCSN The Change Sequence Number (CSN) of the entry. CSNs (both entryCSN and contextCSN) are extensively used in OpenLDAP syncrepl style replication operations. CSNs appear to be only defined in an expired RFC draft draft-chu-ldap-csn-00.txt and for version 2.4 in this FAQ.
entryUUID An attribute containing the Universally Unique ID (UUID) of a DIT entry. RFC 4530 requires servers to generate an entryUUID when adding a new entry to any DIT. The UUID is defined in RFC 4122 and the LDAP implementation and syntax of entryUUID in RFC 4530. The RFC defines both the entryUUID syntax together with uuidMatch and uuidOrderingMatch matching rules.
EQUALITY EQUALITY names the matching rule used to compare an attribute when a search filter contains NO wildcards. The rule, not the raw bytes, decides what counts as equal: with caseIgnoreMatch (the rule used by cn and most other string attributes) differences of case and insignificant spaces are ignored, whereas caseExactMatch compares the prepared strings exactly. When wildcards are used this is called a substring and the SUBSTR rule is used. Attribute definition.
filter An LDAP search is carried out by defining a base DN, a scope and a search filter. The filter selects which entries within the scope are returned; it is built from assertions on attribute values combined with & (and), | (or) and ! (not), and its string form is defined in RFC 4515.
LDAP Lightweight Directory Access Protocol. IETF term for a TCP/IP based network protocol that enables access to a DSA. Some reduced functionality compared with the X.500 DAP specification.
LDIF LDAP Data Interchange Format. IETF term for a textual format for loading (importing) and saving (exporting) entries into and out of an LDAP-enabled directory. LDIF is defined by RFC 2849.
matchingRule The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1-style schema definition which contains an OID, (usually) a name e.g. caseIgnoreMatch (OID = 2.5.13.2) and the syntax of the values it operates on e.g. DirectoryString. More Information.
name space Term used to describe all DNs that lie in (or are contained within or bounded by) a given DIT i.e. if the DIT root is dc=example,dc=com then cn=people,dc=example,dc=com is said to lie in the name space but ou=people,dc=example,dc=net does not - it lies in the dc=example,dc=net name space.
naming attribute One attribute, the naming attribute (a.k.a RDN) is used to uniquely identify each entry in the DIT.
naming context a.k.a namingContext or DIT defines a unique name space starting from (and including) the root DN.
objectClass Object Classes are named collections of attributes. An objectClass definition specifies:
  1. for each attribute it names, whether an entry of that class must have it (MUST) or may have it (MAY)
  2. its superior class (SUP), from which the MUST and MAY lists are inherited, so that object classes form a hierarchy
  3. its kind: ABSTRACT (only inherited from, e.g. top), STRUCTURAL (the class that says what an entry is; every entry has exactly one chain of structural classes) or AUXILIARY (mixed in to add attributes)
Each objectclass is uniquely identified by an OID.
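The MUST/MAY and inheritance rules above are what a server checks before it will accept an entry. The following is an added example, not ZyTrax's or OpenLDAP's code: it validates an entry against a small schema. SCHEMA is a cut-down and abbreviated subset of the standard definitions (person, organizationalPerson and organizationalUnit from RFC 4519, inetOrgPerson from RFC 2798, posixAccount from RFC 2307), with the MAY lists shortened, so treat its contents as an assumption; the sample entry BILL is constructed.

```python
"""Validate an LDAP entry against objectClass MUST/MAY lists, following the
superior (SUP) chain so that inherited attributes are allowed, and checking
that the entry names exactly one chain of STRUCTURAL classes (RFC 4512 2.4.2).
Added example; SCHEMA is an abbreviated subset of the real definitions."""

SCHEMA = {
    'top': dict(SUP=None, KIND='ABSTRACT', MUST={'objectClass'}, MAY=set()),
    'person': dict(SUP='top', KIND='STRUCTURAL', MUST={'sn', 'cn'},
                   MAY={'userPassword', 'telephoneNumber', 'seeAlso', 'description'}),
    'organizationalPerson': dict(SUP='person', KIND='STRUCTURAL', MUST=set(),
                                 MAY={'title', 'ou', 'l', 'postalCode', 'street'}),
    'inetOrgPerson': dict(SUP='organizationalPerson', KIND='STRUCTURAL', MUST=set(),
                          MAY={'uid', 'mail', 'displayName', 'employeeNumber'}),
    'organizationalUnit': dict(SUP='top', KIND='STRUCTURAL', MUST={'ou'},
                               MAY={'description', 'l', 'postalCode', 'street'}),
    'posixAccount': dict(SUP='top', KIND='AUXILIARY',
                         MUST={'cn', 'uid', 'uidNumber', 'gidNumber', 'homeDirectory'},
                         MAY={'userPassword', 'loginShell', 'gecos', 'description'}),
}
# attribute and class names are case-insensitive in LDAP: compare them folded
_SCHEMA = {name.lower(): defn for name, defn in SCHEMA.items()}


def _fold(names):
    return {n.lower() for n in names}


def closure(object_classes):
    """The given classes plus every superior they inherit from (top included)."""
    seen = set()
    for oc in object_classes:
        name = oc.lower()
        while name is not None and name not in seen:
            if name not in _SCHEMA:
                raise ValueError('unknown objectClass: %s' % oc)
            seen.add(name)
            sup = _SCHEMA[name]['SUP']
            name = sup.lower() if sup else None
    return seen


def validate(entry):
    """Return a list of schema violations; [] means the entry is valid.
    entry is {attribute_name: [values]} and includes its objectClass values."""
    attrs = {k.lower(): v for k, v in entry.items()}
    ocs = attrs.get('objectclass', [])
    if not ocs:
        return ['entry has no objectClass']
    try:
        classes = closure(ocs)
    except ValueError as err:
        return [str(err)]
    must = set().union(*(_fold(_SCHEMA[c]['MUST']) for c in classes))
    may = set().union(*(_fold(_SCHEMA[c]['MAY']) for c in classes))
    problems = ['missing MUST attribute: %s' % a for a in sorted(must - set(attrs))]
    problems += ['attribute not allowed by objectClasses: %s' % a
                 for a in sorted(set(attrs) - must - may)]
    # one STRUCTURAL chain: some structural class must have all the others
    # among its own ancestors (e.g. inetOrgPerson covers organizationalPerson
    # and person); person plus organizationalUnit has no such class
    structural = {c for c in classes if _SCHEMA[c]['KIND'] == 'STRUCTURAL'}
    if structural and not any(structural <= closure([c]) for c in structural):
        problems.append('objectClasses name more than one structural chain')
    return problems


BILL = {  # constructed sample entry, as a server would see it after an add
    'objectClass': ['inetOrgPerson', 'posixAccount'],
    'cn': ['Bill Smith'], 'sn': ['Smith'], 'uid': ['bill'],
    'uidNumber': ['1001'], 'gidNumber': ['1001'], 'homeDirectory': ['/home/bill'],
    'mail': ['bill@smokeyjoe.com'],
}

if __name__ == '__main__':
    print(validate(BILL))                                    # []
    print(validate({k: v for k, v in BILL.items() if k != 'sn'}))
```

Note that mail is accepted on BILL only because inetOrgPerson inherits from organizationalPerson and person and adds mail itself; remove inetOrgPerson from the objectClass list and the same entry fails with "attribute not allowed".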
OID An Object IDentifier (OID) is a dot-separated value e.g. 2.5.6.2 (OID of the country objectclass) that uniquely identifies an object and who is responsible for its definition. OIDs used in LDAP.
Operational Operational attributes are maintained by the LDAP server to provide information about the server or about an entry (e.g. entryUUID, createTimestamp) or to control how the server behaves. The server-wide ones live in the Root DSE. They are not returned by a search unless explicitly requested (OpenLDAP's tools accept + as shorthand for all of them) and can be interrogated to yield the secrets of the known universe.
ORDERING ORDERING names the matching rule used to compare an attribute when a search filter contains the >= or <= operators. An attribute whose definition has no ORDERING rule cannot be usefully searched that way (the assertion is Undefined and matches nothing). Attribute definition.
Organizational Unit organizationalUnit (ou) defines an arbitrary organisational unit and can be used at multiple levels in the hierarchy. Its value will typically be relevant in the context in which it is used. Thus in the context of defining an ITU format root name (ou,c format) it will likely be the name of the company or organisation (or even organization); in the context of a lower level in the hierarchy it may be 'people' or 'manufacturing' or 'usa' or 'usa-manufacturing' or anything else that makes sense and requires the attributes defined by the object.
Ports LDAP uses TCP and connects to port 389 (ldap) for plain or StartTLS access and to port 636 (ldaps) when the whole connection is wrapped in SSL/TLS from the start. Both StartTLS on 389 and ldaps on 636 protect credentials in transit; a simple bind over plain 389 sends the password in clear text.
primary primary name is the first name that appears in an attributetype definition. The primary name MUST be used when indexing an attribute using the index directive in slapd.conf. Example:
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
In the above example cn is the primary name of this attribute.
provider Describes a server which provides a service which is consumed (or used) by one or more other server or clients. An example of a provider is an RFC 4533 Sync Server used in replication. The more cynical would suggest that provider = master, consumer = slave, the more nuanced will spend hours describing the difference.
RDN The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to the attribute(s) whose value(s) are unique among the entries at the same level in the hierarchy. RDNs may be single valued or multi-valued, in which case two or more attributes are combined using '+' (plus) to create the RDN e.g. cn+uid. The term RDN is only meaningful when used as part of a DN to uniquely describe the attributes on the path UP the DIT from a selected entry (or search start location) to the directory root (or more correctly the Root DSE). More info.
referral A referral is where the LDAP server returns to an LDAP Client the name (typically an LDAP URL) of another LDAP server which may, or does, contain the requested information. Configuring Referrals. LDAP Servers may be configured to automatically follow referrals using a process known as chaining.
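The DN, RDN and name space entries above describe three things a program has to get right: splitting a DN into RDNs (leaf first), treating a multi-valued RDN as a set of AVAs, and deciding whether a DN lies beneath a naming context. The following is an added example, not ZyTrax's code, that does all three for the RFC 4514 string form and also shows why values that come from a user must be escaped before they are placed in a DN (an unescaped comma moves the entry to a different place in the tree). Two simplifications are assumptions of this example: values are compared case-insensitively, standing in for each attribute's EQUALITY rule, and hex escapes are decoded as single ASCII bytes.

```python
"""Parse, escape and compare LDAP distinguished names (RFC 4514 string form).
Added example; the DN strings used in the usage block are constructed."""

# characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4)
SPECIAL = set(',+"\\<>;=')
HEX = '0123456789abcdefABCDEF'


def escape_rdn_value(value):
    """Escape a value so it can follow 'attr=' in an RDN without changing the
    shape of the DN. Use this for anything that came from a user."""
    out = []
    for i, ch in enumerate(value):
        leading_sharp = ch == '#' and i == 0
        edge_space = ch == ' ' and i in (0, len(value) - 1)
        if ch in SPECIAL or leading_sharp or edge_space:
            out.append('\\' + ch)
        elif ord(ch) < 0x20:               # control characters as hex pairs
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def _split_unescaped(s, sep):
    """Split on sep, skipping over backslash-escaped characters."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2
        elif s[i] == sep:
            parts.append(''.join(cur)); cur = []; i += 1
        else:
            cur.append(s[i]); i += 1
    parts.append(''.join(cur))
    return parts


def _unescape(s):
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            pair = s[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                out.append(chr(int(pair, 16))); i += 3   # hex pair (ASCII assumed)
            else:
                out.append(s[i + 1]); i += 2             # escaped literal
        else:
            out.append(s[i]); i += 1
    return ''.join(out)


def parse_dn(dn):
    """DN string -> list of RDNs, leaf first. Each RDN is a sorted list of
    (type, value) tuples, so 'cn=a+uid=b' and 'uid=b+cn=a' compare equal.
    Trailing significant spaces in a value must arrive escaped."""
    if dn == '':
        return []                           # the empty DN names the Root DSE
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            attr, eq, value = ava.partition('=')
            if not eq or not attr.strip():
                raise ValueError('malformed RDN: %r' % rdn)
            avas.append((attr.strip().lower(), _unescape(value.lstrip()).lower()))
        rdns.append(sorted(avas))
    return rdns


def naming_attribute(dn):
    """The entry's own RDN: the leftmost component of the DN."""
    return parse_dn(dn)[0]


def in_name_space(dn, naming_context):
    """True when dn is the naming context itself or lies beneath it."""
    d, c = parse_dn(dn), parse_dn(naming_context)
    return len(d) >= len(c) and d[len(d) - len(c):] == c


if __name__ == '__main__':
    print(parse_dn('uid=bill,ou=people,dc=smokeyjoe,dc=com'))
    print(in_name_space('cn=people,dc=example,dc=com', 'dc=example,dc=com'))   # True
    print(in_name_space('ou=people,dc=example,dc=net', 'dc=example,dc=com'))   # False
    user = 'bill,ou=admins'                 # constructed hostile user name
    print(len(parse_dn('uid=%s,ou=people,dc=example,dc=com' % user)))            # 5 RDNs
    print(len(parse_dn('uid=%s,ou=people,dc=example,dc=com' % escape_rdn_value(user))))  # 4
```

The last two lines are the point: without escaping, the hostile user name becomes two RDNs and the resulting DN names an entry under ou=admins; with escaping it stays a single RDN under ou=people.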
root The root entry (a.k.a base, suffix) is one of many terms used to describe the topmost entry in a DIT. The Root DSE is a kinda super root. Root Naming.
rootdn The rootdn is a confusingly named directive in the slapd.conf file which defines the DN of the superuser for each DIT (database); it bypasses all normal directory access rules. The rootdn does not need to appear in the directory, or even be related, in any way, to the DIT structure. Its password is set with the rootpw directive and should be stored as a hash (as produced by slappasswd) rather than in clear text, and because it bypasses access control the rootdn should be used for administration only, never by applications.
Root DSE Conceptually the topmost entry in an LDAP hierarchy - think of it as a super root and normally invisible i.e. not accessed in normal operations. Sometimes confused with root or base or suffix. DSE stands for DSA Specific Entry and DSA in turn stands for Directory System Agent (any directory enabled service providing DAP or LDAP access). Information about the rootDSE may be obtained in OpenLDAP by querying the OpenLDAProotDSE objectClass, or from any LDAP server (including OpenLDAP) by issuing a base scope search with an empty base DN ("") and the filter (objectClass=*), which most servers permit over an anonymous bind. The result will provide information about protocol versions supported, services supported and the naming-context(s) or DIT(s) supported.
scope Used in two senses:
  1. search scope: may be base, in which case only the entry at the supplied DN is examined; one, in which case the search covers the entries one level below the supplied DN (but not the DN itself); or sub, in which case the search covers the supplied DN and everything below it in the tree (DIT).
  2. name scope:
Schema A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server so that it can read and parse all that wonderful ASN.1 stuff. In OpenLDAP this is done using the slapd.conf file.
search An LDAP search is carried out by defining a base DN, a scope and a search filter.
session A session occurs between an LDAP client and a server when the client sends a bind command (in LDAPv3 the connection is usable, as anonymous, even before a bind is sent). A session may be either anonymous or authenticated.
slapd slapd is one of the two daemons that made up the OpenLDAP service before version 2.4 (the other being slurpd, since removed). slapd provides the local LDAP service and is configured using the slapd.conf file.
slapd.conf slapd.conf is a static configuration file used by slapd and, where configured, slurpd. OpenLDAP version 2.3 introduced an alternative, run-time configuration capability (slapd.d, a.k.a. cn=config).
slurpd slurpd is one of the two daemons that made up the OpenLDAP service before version 2.4 (the other being slapd). slurpd provided the LDAP replication service if required and was configured using the slapd.conf and ldap.conf files. More information on Replication. slurpd style replication was removed in OpenLDAP version 2.4 and replaced with syncrepl style replication.
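A search filter is the part of a search that most often carries user input (a login name, a search box), so it is where LDAP filter injection happens. The following is an added example, not ZyTrax's code, that builds filters in the RFC 4515 string form with every assertion value escaped; the attacker input and the example attribute names are constructed for the demonstration.

```python
"""Build LDAP search filters without filter injection (RFC 4515).
A filter's structure comes from its parentheses, the &, | and ! operators and
the '*' wildcards. RFC 4515 requires '*', '(', ')', '\\' and NUL inside an
assertion value to be written as \\XX hex pairs, so anything a user typed must
pass through escape_filter_value before it is spliced into a filter string.
Added example."""


def escape_filter_value(value):
    """Hex-escape the characters RFC 4515 requires, and (permitted by the RFC,
    and friendlier to logs) every byte outside printable ASCII as well."""
    out = []
    for b in value.encode('utf-8'):
        if b in b'*()\\' or b < 0x20 or b > 0x7e:
            out.append('\\%02x' % b)
        else:
            out.append(chr(b))
    return ''.join(out)


def equal(attr, value):                 # EQUALITY assertion
    return '(%s=%s)' % (attr, escape_filter_value(value))


def present(attr):                      # presence test: this '*' is structural
    return '(%s=*)' % attr


def substrings(attr, initial='', any_=(), final=''):
    """SUBSTR assertion, e.g. substrings('cn', 'Bi', ('l',), 'Smith') gives
    (cn=Bi*l*Smith). The '*' separators are ours; each piece is escaped so a
    '*' typed by a user stays a literal asterisk."""
    pieces = [initial, *any_, final]
    return '(%s=%s)' % (attr, '*'.join(escape_filter_value(p) for p in pieces))


def and_(*filters):
    return '(&%s)' % ''.join(filters)


def or_(*filters):
    return '(|%s)' % ''.join(filters)


def not_(f):
    return '(!%s)' % f


def login_filter_unsafe(uid):
    """The classic bug: the user name is concatenated straight into the filter."""
    return '(&(objectClass=person)(uid=%s))' % uid


def login_filter(uid):
    """Same filter, built from escaped assertions."""
    return and_(equal('objectClass', 'person'), equal('uid', uid))


if __name__ == '__main__':
    attack = '*'                        # constructed attacker input
    print(login_filter_unsafe(attack))  # (&(objectClass=person)(uid=*)) matches every person
    print(login_filter(attack))         # (&(objectClass=person)(uid=\2a)) matches a literal '*'
    print(and_(present('mail'), not_(equal('ou', 'disabled'))))
```

An application that looks a user up with the unsafe form and then binds as the first entry returned has turned a wildcard into an account-selection attack; with the escaped form the attacker can only ever search for the literal characters they typed.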
subordinate OpenLDAP documentation uses the term subordinate database (DIT) to define a DIT which is referenced in a referral object. Since referral objects delegate the search for the remaining part of the DN to the referred DIT they may be viewed as a hierarchy and the referred DIT as subordinate in that hierarchy. Unfortunately OpenLDAP also uses the term superior whose definition is much more dubious. Configuration and use of Referrals.
SUBSTR SUBSTR names the matching rule used to compare an attribute when a search filter contains wildcards. When the whole string is used (no wildcards) the EQUALITY rule is used instead. Attribute definition.
substring substring refers to any string value used in a search filter which contains wildcards. The form of the comparison e.g. case sensitive or case insensitive is defined by the SUBSTR rule in the attribute definition.
subtype LDAPv3 calls these attribute options. Two are defined: binary (originally RFC 2251, now RFC 4522), which requests the BER-encoded form of a value, and lang (originally RFC 2596, now RFC 3866), which tags a value with a language. Options are appended to the attribute description after a semicolon and qualify it, e.g. the filter (cn;lang-en-us=smith) matches only cn values tagged as US English. The lang option does not affect the encoding, since UTF-8 (used for cn) allows for all languages. lang tags are case insensitive.
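The EQUALITY, ORDERING, SUBSTR and substring entries all turn on the same idea: the attribute definition, not the filter, decides how a value is compared, and an attribute without the relevant rule cannot be matched by that kind of assertion at all. The following is an added example, not ZyTrax's or OpenLDAP's code, that evaluates single filter assertions the way those rules do. Two assumptions: the string preparation is a simplified form of RFC 4518 (case folding plus collapsing of insignificant spaces), and ATTRS holds only two cut-down attribute definitions, cn (from RFC 4519, via name) and createTimestamp (from RFC 4512).

```python
"""Evaluate LDAP filter assertions under EQUALITY, ORDERING and SUBSTR rules.
Returns True/False, or None for Undefined (no applicable rule), which a server
treats as "does not match". Added example with simplified RFC 4518 preparation."""


def prep_case_ignore(s):
    return ' '.join(s.split()).casefold()      # fold case, drop extra spaces


def prep_case_exact(s):
    return ' '.join(s.split())                 # keep case, drop extra spaces


def prep_time(s):
    return s.strip()   # GeneralizedTime in UTC ('...Z') form orders as a string


EQUALITY = {'caseIgnoreMatch': prep_case_ignore, 'caseExactMatch': prep_case_exact,
            'generalizedTimeMatch': prep_time}
ORDERING = {'caseIgnoreOrderingMatch': prep_case_ignore,
            'generalizedTimeOrderingMatch': prep_time}
SUBSTR = {'caseIgnoreSubstringsMatch': prep_case_ignore,
          'caseExactSubstringsMatch': prep_case_exact}

ATTRS = {  # cut-down subset of real attribute definitions (assumption)
    'cn': {'EQUALITY': 'caseIgnoreMatch', 'SUBSTR': 'caseIgnoreSubstringsMatch'},
    'createTimestamp': {'EQUALITY': 'generalizedTimeMatch',
                        'ORDERING': 'generalizedTimeOrderingMatch'},
}


def split_substring(pattern):
    """'b*i*th' -> ('b', ('i',), 'th');  '*mit*' -> ('', ('mit',), '')."""
    parts = pattern.split('*')
    if len(parts) < 2:
        raise ValueError('a substring assertion needs at least one *')
    return parts[0], tuple(p for p in parts[1:-1] if p), parts[-1]


def substrings_match(prep, stored, initial, any_, final):
    """initial must start the value, each any_ piece must follow in order,
    final must end the value without overlapping what was already consumed."""
    s, pos = prep(stored), 0
    if initial:
        ini = prep(initial)
        if not s.startswith(ini):
            return False
        pos = len(ini)
    for piece in any_:
        p = prep(piece)
        idx = s.find(p, pos)
        if idx < 0:
            return False
        pos = idx + len(p)
    if final:
        fin = prep(final)
        return s.endswith(fin) and len(s) - len(fin) >= pos
    return True


def evaluate(attr, stored, op, assertion):
    """Apply one assertion (op is '=', '>=', '<=' or 'substr') to a stored value.
    For 'substr' the assertion is the tuple from split_substring."""
    rules = ATTRS.get(attr, {})
    if op == '=':
        rule = rules.get('EQUALITY')
        if rule is None:
            return None
        prep = EQUALITY[rule]
        return prep(stored) == prep(assertion)
    if op in ('>=', '<='):
        rule = rules.get('ORDERING')
        if rule is None:
            return None                        # e.g. (cn>=a) is Undefined
        a, b = ORDERING[rule](stored), ORDERING[rule](assertion)
        return a >= b if op == '>=' else a <= b
    if op == 'substr':
        rule = rules.get('SUBSTR')
        if rule is None:
            return None
        return substrings_match(SUBSTR[rule], stored, *assertion)
    raise ValueError('unknown operator %r' % op)


if __name__ == '__main__':
    print(evaluate('cn', 'Bill  Smith', '=', 'bill smith'))                  # True
    print(evaluate('cn', 'Bill Smith', 'substr', split_substring('b*th')))   # True
    print(evaluate('cn', 'Bill Smith', '>=', 'a'))                           # None
    print(evaluate('createTimestamp', '20081027120000Z', '>=', '20080101000000Z'))  # True
```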

suffix suffix (a.k.a root, base) is one of many terms used to describe the topmost entry in a DIT. The term is typically used because this entry is usually defined in the suffix parameter in a OpenLDAP's slapd.conf file. The Root DSE is a kinda super root. Suffix Naming.
superior OpenLDAP documentation uses the term superior database (DIT) to define a DIT from which another DIT is referenced in a referral object. Since referral objects delegate the search for the remaining part of the DN to the referred DIT they may be viewed as a hierarchy and the DIT which contains the referral is superior to the referred DIT. A DIT which is the destination of a referral is known as subordinate. Configuration and use of Referrals.
supportedExtension The LDAP specifications (RFCs) allow for optional capabilities and extensions. If an LDAP server supports a particular extended operation (such as StartTLS or Password Modify) its OID is listed in the supportedExtension attribute of the rootDSE; supported controls are listed in supportedControl, and RFC 3674 defines a further rootDSE attribute, supportedFeatures, listing the optional protocol features the server implements.
SyncCookie A cookie sent by a provider to a consumer during syncrepl style replication. Detail and configuration of Replication.
syncrepl A method of Replication based on the LDAP Content Synchronization protocol (RFC 4533) and released in OpenLDAP version 2.2. From OpenLDAP version 2.4 all other replication methods are obsoleted. Named from the syncrepl configuration directive. For information about Replication.
types types (a.k.a. data types) is commonly used to refer to the ASN.1 SYNTAX of an attribute. LDAP Data types.
unauthorized A session is described as unauthorized (an unauthenticated bind in RFC 4513) if a DN is supplied without a password (credentials) when initiating the session (sending a bind). OpenLDAP refuses such binds by default; if they are explicitly permitted with allow bind_anon_dn the net effect is to create an anonymous session, and the bind returns success. That success is the trap: an application that authenticates users by binding with their DN and the password they typed, and treats any successful bind as a login, will admit anyone who submits an empty password. Such applications must reject an empty password before they ever send the bind.
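The anonymous, authenticated, bind, BER and unauthorized entries describe three bind forms that differ only in whether the name and password fields are empty. The following is an added example, not ZyTrax's or OpenLDAP's code, that encodes and decodes LDAP simple BindRequest PDUs (RFC 4511) in BER and classifies which session each asks for, together with the two checks the unauthorized entry calls for: a server-side policy that refuses unauthenticated binds unless they are explicitly allowed, and a client-side guard that never sends an empty password. The message IDs, the sample DN and the password are constructed for the example.

```python
"""LDAP simple BindRequest in BER: encode, decode, classify. Added example.

LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
BindRequest ::= [APPLICATION 0] SEQUENCE {      -- tag byte 0x60
    version INTEGER, name LDAPDN (OCTET STRING),
    authentication CHOICE { simple [0] OCTET STRING } }   -- tag byte 0x80
"""


def ber_len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """INTEGER (tag 0x02) in minimal two's complement; non-negative values only."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, 'big', signed=True))


def bind_request(msg_id, dn, password, version=3):
    """Encode a simple BindRequest; empty dn and password give an anonymous bind."""
    body = (ber_int(version) + tlv(0x04, dn.encode('utf-8'))
            + tlv(0x80, password.encode('utf-8')))
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))


def read_tlv(buf, pos=0):
    """Return (tag, content, position just after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7f
        n, pos = int.from_bytes(buf[pos:pos + k], 'big'), pos + k
    return tag, buf[pos:pos + n], pos + n


def classify_bind(message):
    """Decode a BindRequest and name the kind of session it asks for."""
    tag, content, _ = read_tlv(message)
    if tag != 0x30:
        raise ValueError('not an LDAPMessage')
    _, _msg_id, pos = read_tlv(content)
    tag, op, _ = read_tlv(content, pos)
    if tag != 0x60:
        raise ValueError('not a BindRequest')
    _, _version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    tag, cred, _ = read_tlv(op, pos)
    if tag != 0x80:
        return 'sasl'                  # [3] SaslCredentials: not covered here
    if not name and not cred:
        return 'anonymous'
    if name and not cred:
        return 'unauthenticated'       # 'unauthorized' in this glossary
    if not name:
        return 'invalid'               # password without a DN: reject it
    return 'authenticated'


def server_accepts(kind, allow_bind_anon_dn=False):
    """Server-side policy, as the glossary describes OpenLDAP's: an
    unauthenticated bind is refused unless explicitly allowed, and even when
    allowed it only ever yields an anonymous session."""
    if kind == 'authenticated':
        return 'authenticated session (if the password verifies)'
    if kind == 'anonymous' or (kind == 'unauthenticated' and allow_bind_anon_dn):
        return 'anonymous session'
    return 'refused'


def client_should_bind(dn, password):
    """Client-side guard: a login attempt with an empty DN or password must
    not be sent at all, or a permissive server will answer it with success."""
    return bool(dn) and bool(password)


if __name__ == '__main__':
    DN = 'uid=bill,ou=people,dc=smokeyjoe,dc=com'    # constructed sample DN
    print(bind_request(1, '', '').hex())            # 300c020101600702010304008000
    for msg in (bind_request(1, '', ''), bind_request(2, DN, ''), bind_request(3, DN, 's3cret')):
        kind = classify_bind(msg)
        print(kind, '->', server_accepts(kind), '/', server_accepts(kind, allow_bind_anon_dn=True))
    print(client_should_bind(DN, ''))               # False
```

The 14-byte anonymous bind printed first is the PDU every LDAP client sends when it connects without credentials; the unauthenticated form differs from the authenticated one only in its empty [0] OCTET STRING, which is why a server cannot tell a forgotten password from a deliberate anonymous request unless it is told to refuse the form outright.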
Copyright © 1994 - 2008 ZyTrax, Inc.
Page modified: October 27 2008.
This work is licensed under a Creative Commons License.