
Understanding the LDAP Binding Component


About LDAP

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to access information directories. A directory service is a distributed database application designed to manage the entries and attributes in a directory. LDAP gives clients a uniform way to read and modify the entries of different directory services; which entries and attributes a client may see or change is governed by the server's access controls. LDAP runs over TCP/IP.

Image shows the LDAP BC architecture.

The Lightweight Directory Access Protocol (LDAP) Binding Component (BC) is a comprehensive solution for interacting with an LDAP Directory running on an LDAP server. The design time component of the LDAP BC is a NetBeans module that allows configuration of the Binding Component. The runtime is based on Java EE and JBI. It implements all the necessary interfaces available in the JBI specification.

The topics below provide information about LDAP and the directory structure.

Entries, Attributes and Values

An LDAP directory has entries that contain information pertaining to entities. Each entry is made up of attributes, and each attribute has a name and one or more values. The names of the attributes are mnemonic strings, such as cn for common name, or mail for email address.

For example, a company may have an employee directory. Each entry in the employee directory represents an employee. The employee entry contains such information as the name, email address, and phone number, as shown in the following example:

cn: John Doe
telephoneNumber: 471-6000 x.1234

Each part of the descriptive information, such as an employee's name, is known as an attribute. In the example above, the Common Name (cn) attribute represents the name of the employee; the other attributes are mail and telephoneNumber. Each attribute can have one or more values. For example, an employee entry might contain a mail attribute whose values are and In the example above, the mail attribute contains two mail values.

LDAP Directory Structure

The organization of a directory is a tree structure. The topmost entry in a directory is known as the root entry. This entry normally represents the organization that owns the directory. Entries at the higher levels of the hierarchy represent larger groupings or organizations. Entries under the larger organizations represent the smaller organizations that make up the larger ones. The leaf nodes (or entries) of the tree structure represent individuals or resources.

Distinguished Names and Relative Distinguished Names

An entry is a collection of attributes that is identified by a unique name called a Distinguished Name (DN). The leftmost part of a DN must be unique among the entries at the same level of the hierarchy; for example, John Doe and Jane Doe are different common names (cn) that identify different entries under the same parent.

A DN is also a fully qualified path of names that trace the entry back to the root of the tree. For example, the distinguished name of the John Doe entry is:

cn=John Doe,ou=People,

A Relative Distinguished Name (RDN) is a component of the distinguished name. Strictly, the RDN of an entry is the leftmost component of its DN (cn=John Doe above), which must be unique among the entries directly beneath its parent. DNs describe the fully qualified path to an entry; a DN fragment such as cn=John Doe,ou=People describes the partial path to the entry relative to the entry under which the fragment hangs.

For example, cn=John Doe,ou=People is an RDN relative to the root RDN
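The following Python is an added example, not code from the LDAP BC or from this documentation. It splits a DN into its RDNs the way RFC 4514 prescribes (escaped commas, plus signs and hex escapes inside values do not split), escapes a value when building a child DN, and checks that one DN lies beneath another. The example.com DNs are hypothetical. The subtree check is the one to apply when a bind DN or a search result must be confined to a particular branch of the tree.

```python
"""Split and build LDAP distinguished names per RFC 4514 (added example for
this page, not part of the LDAP BC; example.com DNs are hypothetical)."""
import string
from typing import List, Tuple

RDN = List[Tuple[str, str]]  # one RDN: [(attributeType, value), ...]; >1 pair when joined with '+'


def escape_rdn_value(value: str) -> str:
    """Escape a value so it can be placed after '=' in a DN string (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(raw: str) -> str:
    """Undo escaping: both '\\,' and '\\2C' become ','."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            buf.extend(raw[i].encode("utf-8")); i += 1; continue
        if i + 1 >= len(raw):
            raise ValueError(f"dangling escape in {raw!r}")
        h = raw[i + 1:i + 3]
        if len(h) == 2 and all(c in string.hexdigits for c in h):
            buf.append(int(h, 16)); i += 3          # \XX hex form
        else:
            buf.extend(raw[i + 1].encode("utf-8")); i += 2   # \c single-character form
    return buf.decode("utf-8")


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, skipping separators that are escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs of dn, leftmost (the entry's own RDN) first."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, sep, val = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed RDN {ava!r} in {dn!r}")
            avas.append((attr.strip().lower(), unescape_rdn_value(val.lstrip())))
        rdns.append(sorted(avas))   # order of pairs inside a multi-valued RDN is not significant
    return rdns


def build_dn(attr: str, value: str, parent: str) -> str:
    """Child DN of parent for attr=value, with the value escaped."""
    return f"{attr}={escape_rdn_value(value)},{parent}"


def is_under(dn: str, base: str) -> bool:
    """True if dn is a strict descendant of base. Values are compared exactly here;
    a real server applies each attribute's matching rule (e.g. caseIgnoreMatch)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[len(d) - len(b):] == b
```

Note the failure mode build_dn guards against: a value such as "Doe, John" dropped into a DN unescaped produces an extra, malformed RDN, which parse_dn rejects; the escaped form round-trips to a single cn value.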

The following figure illustrates an example of an LDAP directory structure with distinguished names and relative distinguished names.

LDAP Directory Structure


LDAP Service and LDAP Client

A Directory Service is a distributed database application designed to manage the entries and attributes in a directory. A directory service also makes the entries and attributes available to users and other applications. The OpenLDAP server is an example of a directory service; others include Sun Java System Directory Server and Microsoft Active Directory.

A directory client uses the LDAP protocol to access a directory service. A directory client may use one of several client APIs available in order to access the directory service.

Terms and Definitions

It is helpful to understand the following common terms when working with the LDAP directory and LDAP BC.
Schema
A set of rules that describes the nature of the data that is stored. Schemas help maintain consistent, high-quality data and reduce duplication. An entry's objectClass attribute determines which schema rules the entry must follow. Schemas define the following:
* Required attributes
* Allowed attributes
* The matching rule used to compare attribute values
* Limits on what an attribute can store (for example, restricting the attribute to an integer)
* Restrictions on what information is stored (prevents duplication)

Attribute Abbreviation
The following are common attribute abbreviations used in LDAP:
* User ID : uid
* Common Name : cn
* Surname : sn
* Locality : l
* Organizational Unit : ou
* Organization : o
* Domain Component : dc
* State or Province : st
* Country : c
* Street Address : street

Search Filters
Criteria that an entry's attributes must satisfy for the entry to be returned. A search is evaluated relative to a base DN, the entry at which the search starts, and filters are written in prefix notation: the operator comes first, followed by its parenthesized operands. LDAP defines filters in two forms:
* the string representation of search filters (RFC 4515), used in LDAP URLs and by client tools
* the LDAPv3 protocol encoding of search filters (RFC 4511)

The following search operators are supported:

  • AND : &
  • OR : |
  • NOT : !
  • Equal : =
  • Approximately equal : ~=
  • Greater than or equal : >=
  • Less than or equal : <=
  • Wildcard (substring match, or presence when used alone) : *

Below are some examples of search filters:

  • (objectclass=posixAccount)
  • (cn=Mickey M*)
  • (|(uid=fred)(uid=bill))
  • (&(|(uid=jack)(uid=jill))(objectclass=posixAccount))

Because *, (, ), \ and the NUL byte have syntactic meaning in a filter, a value taken from user input (a login name, for example) must have them escaped as \2a, \28, \29, \5c and \00 before it is placed in a filter; otherwise the input can alter the filter's structure rather than merely its value.
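The following Python is an added example, not part of the LDAP BC. It parses the filter string representation described above into a tree and evaluates it against constructed in-memory entries, each modelled as the attribute-to-values map described under Entries, Attributes and Values, so it covers that passage as well. The entries and example.com DNs are constructed for the demonstration, and the matching rules are simplified as noted in the code. It also shows why filter values taken from user input must be escaped: a raw asterisk turns (uid=...) into a match for every account, whereas the escaped form matches only a literal asterisk, and an attempt to append a second clause is rejected as trailing data.

```python
"""LDAP search filters (RFC 4515 string form): escaper, parser and evaluator.
Added example for this page, not LDAP BC code; the entries below are constructed."""
import re

# Constructed sample directory: DN -> {attribute (lowercase): [values]}.
DIRECTORY = {
    "uid=jdoe,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson", "posixAccount"],
        "uid": ["jdoe"], "cn": ["John Doe"], "uidnumber": ["1001"],
        "mail": ["jdoe@example.com", "john.doe@example.com"]},
    "uid=fred,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson", "posixAccount"],
        "uid": ["fred"], "cn": ["Fred Bloggs"], "uidnumber": ["1002"]},
    "cn=Mickey Mouse,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson"],
        "cn": ["Mickey Mouse"]},
}
_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # attribute description; OIDs/options not handled

def escape_filter_value(value):
    """Escape untrusted text before it is placed inside a filter value (RFC 4515)."""
    return "".join(ch if ch not in "*()\\\x00" and ord(ch) < 0x80
                   else "".join("\\%02x" % b for b in ch.encode("utf-8")) for ch in value)

def _unescape(value):
    """Decode \\XX hex escapes, the only backslash form RFC 4515 allows."""
    if re.search(r"\\(?![0-9a-fA-F]{2})", value):
        raise ValueError(f"bad escape in {value!r}")
    return re.sub(rb"\\([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]),
                  value.encode("utf-8")).decode("utf-8")

def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1

def _parse(s, i):
    """Parse one parenthesized filter at s[i]; return (node, index after it)."""
    i = _expect(s, i, "(")
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                              # (&(f)(g)...) / (|(f)(g)...)
        op, i, kids = ("and" if s[i] == "&" else "or"), i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i); kids.append(kid)
        return (op, kids), _expect(s, i, ")")
    if s[i] == "!":                               # (!(f))
        kid, i = _parse(s, i + 1)
        return ("not", kid), _expect(s, i, ")")
    end, eq = s.find(")", i), s.find("=", i)      # simple item: attr OP value
    if end < 0 or eq < 0 or eq > end:
        raise ValueError(f"malformed item at offset {i}")
    op = {"~": "approx", ">": "ge", "<": "le"}.get(s[eq - 1], "eq")
    attr = s[i:(eq if op == "eq" else eq - 1)].lower()
    if not _ATTR.match(attr):
        raise ValueError(f"bad attribute description {attr!r}")
    val = s[eq + 1:end]
    if op == "eq" and val == "*":                 # presence: (attr=*)
        return ("present", attr), end + 1
    if op == "eq" and "*" in val:                 # substring: initial*any*...*final
        return ("substr", attr, [_unescape(p).lower() for p in val.split("*")]), end + 1
    return (op, attr, _unescape(val).lower()), end + 1

def parse_filter(text):
    """Parse a complete filter string into a tuple AST; trailing data is an error."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node

def matches(node, entry):
    """Evaluate node against one entry. Simplifications: every attribute compares
    case-insensitively, ordering is numeric only when both sides are digits, and ~=
    is case-insensitive equality with whitespace collapsed (servers define ~= per syntax)."""
    op = node[0]
    if op == "and":
        return all(matches(k, entry) for k in node[1])
    if op == "or":
        return any(matches(k, entry) for k in node[1])
    if op == "not":
        return not matches(node[1], entry)
    vals = [v.lower() for v in entry.get(node[1], [])]
    if op == "present":
        return bool(vals)
    if op == "substr":
        pat = ".*".join(map(re.escape, node[2]))
        return any(re.fullmatch(pat, v, re.DOTALL) for v in vals)
    target = node[2]
    for v in vals:
        if op == "eq" and v == target or op == "approx" and v.split() == target.split():
            return True
        if op in ("ge", "le"):
            a, b = (int(v), int(target)) if v.isdigit() and target.isdigit() else (v, target)
            if (a >= b) if op == "ge" else (a <= b):
                return True
    return False

def search(filter_text, directory=DIRECTORY):
    """Return the DNs of the entries in directory that match filter_text."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if matches(node, entry)]
```

Compare search("(uid=%s)" % "*") with search("(uid=%s)" % escape_filter_value("*")): the first returns every entry that has a uid, the second returns nothing, because the escaped \2a is decoded back to a literal asterisk that no uid equals. A real server does the same, which is why the escaping must happen on the client side before the filter string is assembled.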


Return to GlassFish ESB Documentation Home

This page (revision-24) was last changed on 24-Jul-09 14:15 PM, -0700 by CarolT