• We had to restore from a backup today after a failed software update. Backup was from 0000 EDT and restored it at 0800 EDT so we lost about 8hrs. Today is 07/20/2024. More info here.

TCP/IP Protocol: Lightweight Directory Access Protocol (LDAP)


Jarret W. Buse

TCP/IP Protocol: Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP) has two main uses:

  • Access a hierarchical set of records
  • Sign into a network once for access to all resources
When accessing a set of records, LDAP can allow a user to access the records. For example, a user can search a list of employee records containing company phone numbers and e-mail addresses.

For company intranets, a user can log on once and be granted access to allowable company resources without having to type in the password for each resource. The authentication occurs once and grants the user an Access Control List (ACL) which is a list of user permissions. When the user attempts to use a new resource the ACL is checked to determine if the user has proper privileges to access the resource.

LDAP was created by Steve Kille of Isode Limited, Tim Howes of the University of Michigan, Colin Robbins of Nexor and Wengyik Yeong of Performance Systems International in 1993. Originally, LDAP was known as Lightweight Directory Browsing Protocol (LDBP).

The director structure accessible by LDAP is based on the X.500 model based on the following:

  • Each entry is made up of attributes
  • Each attribute has a name with one or more values defined in a schema
  • Each entry has a unique identifier called a Distinguished Name (DN)
  • The DN consists of a Relative Distinguished Name (RDN)
NOTE: Let’s assume an e-mail address ([email protected]) as an example. The RDN would be JohnDoe and the DN would be Linux.Org.

The schema is a set of rules to define the content and layout of the data within the database.

LDAP uses TCP or UDP at the default port of 389. The client can connect to an LDAP Server sometimes known as a Directory System Agent (DSA). The client sends a request to the DSA and the DSA responds appropriately. The LDAP commands consist of the following:

  • ADD – Adds a new entry into the database. If the entry already exists, the command will generate an error
  • BIND – Authenticates a user when creating a session
  • DELETE – Removes an entry from the database. The entry must exist and the client must have the privileges when authenticated to delete an entry
  • SEARCH – Searches the database for a specific entry
  • COMPARE – A search where the DN, attribute name and value are checked for equality
  • MODIFY – Allows clients to make changes to an existing entry. The entry must exist and the client must have proper privileges to modify the entry
  • MODIFY DN – Allows modification of the DN and ultimately the RDN
  • Extended Operations – Commands that were not original to LDAP but have been added, such as StartTLS
  • STARTTLS – Establishes Transport Layer Security (TLS) for data encryption between the client and server
  • ABANDON – Aborts an operation request
  • UNBIND – Abandons current operations and closes the session
NOTE: Unbind should be performed and not simply close the LDAP session from the client side. Unbind performs a graceful session close.
The connection to an LDAP resource is: ldap://host:port/DN?attributes?scope?filter?extensions where:

  • Host – IP Address or domain name of LDAP server
  • Port – LDAP TCP or UDP Port (389 by default)
  • DN – Distinguished Name of search
  • Attribute – list of attributes separated by commas
  • Scope – the search scope
  • Filter – search filter
  • Extensions – extension to URL format
To make a Linux LDAP Server you perform the following:

  1. # apt-get install slapd ldap-utils migrationtools
  2. #dpkg-reconfigure slapd
  3. $ ldapsearch -x -b dc=debuntu,dc=local
This command may cause an error because the service is not running. If an error occurs, perform the following command:
  1. # /etc/init.d/slapd start
Now the LDAP Service is running and you can place data into the database.

For the clients, perform the following:

sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db ldapscripts nscd

Once installed, you can configure the program by typing:

sudo dpkg-reconfigure ldap-auth-config

The configuration settings are as follows:
  1. ldap://servername.linux.org – set to match your LDAP server name
  2. dc=linux,dc=org – exchange with your domain
  3. ldap version to use – set to 3 for LDAPv3
  4. make local database admin – answer yes
  5. Does the ldap database require login – answer no
  6. cn=admin,dc=linux,dc=org – sets LDAP root account
  7. ldap root account password – sets the root account password
The next step is to configure another configuration file: cp /etc/nsswitch.conf /etc/nsswitch.conf.

Change or add the following:

passwd: files ldap
group: files ldap
shadow: files ldap

Once these items are set, save and exit the editor. Then you need to edit another configuration file: /etc/ldap.conf.

host Use ldap server ip
dc=linux,dc=org Use base dn
uri ldap://servername.linux.org Use ldap url
ldap_version 3 Set ldap version
rootbinddn ou=admin,dc=linux,dc=org Set ldap admin user

Now save these changes and exit to open another configuration file:


BASE dc=linux,dc=org Set with your domain
HOST servername.linux.org Use ldap server hostname

Save and exit with these changes and open /etc/ldap.secret. In this file, type in your root admin password you previously set then save and exit the file.

Type the following command: chmod 600 /etc/ldap.secret. Then type the following: sudo nss_updatedb ldap.

There are only two more items to do before we are finished. Type the following: sudo auth-client-config -t nss -p lac_ldap then type sudo pam-auth-update. Here you will press OK and Enter.


  • slide.jpg
    56.3 KB · Views: 36,277

Sir ,

How can i use LDAP sever in RPC application .I'm asking about native app.
Sir ,

How can i use LDAP sever in RPC application .I'm asking about native app.

If I understand what you are asking, I believe your answer may be Puppet found at http://puppetlabs.com/puppet/what-is-puppet.

It sounds as if you are looking for something similar to the Windows Systems Management Server where you can manipulate the network to execute specific code at specific times or on demand (such as updates). Puppet works for Linux and seems to be a close candidate that is open source.
Perhaps you can point me in the right direction...

I am trying to figure out how to "talk" with an LDAP server directly with TCP IP.
I am having difficulty finding a simple how to do this.

I am looking for something like this:

1) open a tcp ip connection on port 389.
2) send a request
3) receive a reply
4) etc

Every where I look I see lots of librarys but I cant figure out where the simple underlying info is??

Members online

Latest posts