mail us  |  mail this page

contact us
training  | 
tech stuff  | 

Chapter 9. LDAP Functional Model

This section describes both the 'wire' protocol that LDAP clients and servers use when communicating and the LDAP URL format which can be used from modern browsers and is used in conjunction with certain objectClasses and features (most notably Dynamic Groups).

If you need to know this stuff carry on, but the really smart thing to do is use the excellent Open Source wireshark (ex-ethereal) to do all the disassembly for you - if wireshark does not support a protocol we have not yet come across it. Wonderful software.

Finally LDAP uses the ITU's BER (Basic Encoding Rules) to save three bytes on each transfer. You will need (and pay handsomely for it) X.690 with defines BER.

Alternatively you can download Prof. John Larmouth's ASN.1 Complete (its free but you must register to get it) or you can purchase a copy from Morgan Kaufmann Publishers (ISBN: 0-12-233435-3). In no way second best is Olivier Dubuisson's ASN.1 - Communication between heterogeneous systems (free but you have to register) another world renowned ASN.1 expert. Again you can purchase his book from Morgan Kaufmann Publishers (ISBN: 0-12-6333361-0). This site has excellent ASN.1 and BER resources.

9. LDAP Functional Model Contents

  1. 9.1 Functional Model Overview
  2. 9.2 Generic Format
  3. 9.3 Primitives (Operations)
  4. 9.4 LDAP URL

9.1 Functional Model Overview

One day real soon now ™

Under Construction

Up Arrow

9.2 Generic Format

One day real soon now ™

Under construction

Up Arrow

9.3 Primitives (Operations)

One day real soon now ™

Under Construction

Up Arrow

9.4 LDAP URL

The LDAP URL is a useful feature - but a bit of a con. The LDAP URL (RFC 4510 and RFC 4516) defines a method by which you can enter something that looks like a URL into some version 5 browsers (MSIE 5.5+ and any Gecko browser supports ldap, Opera 7.x beta and Konqueror do not) and it will perform a LDAP read-only query on the host using the parameters defined in the URL. Both MSIE and Gecko allow you to add any found entries to an address book (and look to have a common code base).

The con bit (we're being very unfair here) is that the browser translates this request into a standard LDAP search/query primitive. The URL'ish notation is just a (useful) browser'ish interface. However, LDAP URLs are also used somewhat more seriously with Dynamic Groups in conjunction with the groupOfURLs objectclass and specifically the memberURL attribute. Dynamic Groups is a non-standard LDAP feature (there is no RFC) which is widely implemented. Very weird.

LDAP URL Format

The formal syntax is:

scheme "://" [host:port] ["/"[dn ["?" [attributes] ["?" [scope] ["?" [filter]
                ["?" extensions]]]]]]

Where:

Param Description

scheme

may be either ldap - basic access on (normally) port 389 or ldaps - SSL access using (normally) port 636.

host:port

optional - if omitted browser will use a default. Otherwise specifies the host URL and optionally the host port number, for instance, ldapserver.example.com or ldapserver.example.com:8777 (uses a non standard port of 8777).

dn

optional - if omitted browser will use a default. Otherwise specifies the DN to use for the search, for instance, ou=people,dc=example,dc=com.

attributes

optional - if omitted all available attributes are returned for the entry. Otherwise specifies the required attributes to be returned in a comma separated list, for example, cn,mail,telephonenumber.

scope

optional - if omitted assumes base. Otherwise specifies the scope of the search and takes one of the following values:

  1. base search only at the level specified by the dn parameter.
  2. one search at the level specified by the dn parameter and one level below in he hirearchy.
  3. sub search at the level specified by the dn parameter and all other levels to the foot of the tree (DIT).

filter

according to the documentation this field is optional - if omitted (objectclass=*) is assumed. This default appears not to be supported on either MSIE or Gecko - you must enter something, for example, (objectclass=*). Otherwise specifies the text form of the search filter.

extensions

The current LDAP RFC (RFC 4516) does not define any extensions

Example LDAP URLs

Connect using anonymous access to host.example.com using port 389 with a DN of ou=people,dc=example.com, return all available attributes for entries, go down one level on the search and return all found entries.

ldap://host.example.com/ou=people,dc=example,dc=com??one?(objectclass=*)

Connect using anonymous access to host.example.com using port 9000 with a DN of ou=people,dc=example.com, return all available attributes for entries, go down one level on the search and return all entries

ldap://host.example.com:9000/ou=people,dc=example,dc=com??one?(objectclass=*)

Connect using anonymous access to a host of the browsers choosing (we can't figure how to configure this one) using port 389 with a DN of ou=people,dc=example.com, return all attributes available for entries, go down one level on the search and return all entries with s or S anywhere in the common name:

ldap:///ou=people,dc=example,dc=com??one?(cn=*s*)

Connect using anonymous access to host.exmple.com using port 389 with a DN of ou=people,dc=example.com, return mail attributes only, go down one level on the search and return all entries which have one or more mail attributes:

ldap://host.example.com/ou=people,dc=example,dc=com?mail?one?(mail=*)

Connect using anonymous access to host.example.com using port 389 with a DN of ou=people,dc=example.com, return all attributes available for entries, seach whole subtree below base DN and return all entries with sn starting with a or A.

ldap://host.example.com/ou=people,dc=example,dc=com???(sn=a*)

Connect using anonymous access to the locally hosted ldap (localhost) using port 389 with a DN of ou=people,dc=example.com, return all attributes available for entries, seach whole subtree below base DN and return all entries with sn starting with a or A.

ldap:///ou=people,dc=example,dc=com???(sn=a*)

Up Arrow



Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Contents

tech info
guides home
intro
contents
1 objectives
big picture
2 concepts
3 ldap objects
quickstart
4 install ldap
5 samples
6 configuration
7 replica & refer
reference
8 ldif
9 protocol
10 ldap api
operations
11 howtos
12 trouble
13 performance
14 ldap tools
security
15 security
appendices
notes & info
ldap resources
rfc's & x.500
glossary
ldap objects
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox

Search

web zytrax.com

Share

Icons made by Icomoon from www.flaticon.com is licensed by CC 3.0 BY
share page via facebook tweet this page

Page

email us Send to a friend feature print this page Display full width page Decrease font size Increase font size

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux

Software

LibreOffice
OpenOffice
Mozilla
GitHub
GNU-Free SW Foundation
get-dns

Organizations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

Site

CSS Technology SPF Record Conformant Domain
Copyright © 1994 - 2017 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by super.net.sg
web-master at zytrax
Page modified: October 21 2015.