Beruflich Dokumente
Kultur Dokumente
ABSTRACT
This paper describes the Lightweight Directory Access Protocol (LDAP), which provides
low-overhead access to the X.500 directory. LDAP includes a subset of full X.500 func-
tionality. It runs directly over TCP and uses a simplified data representation for many
protocol elements. These simplifications make LDAP clients smaller, faster, and easier to
implement than full X.500 clients. Our freely available implementation of the protocol is
also described. It includes an LDAP server and a client library that makes writing LDAP
programs much easier.
Timothy A. Howes
System Agent). No matter which server a The time and size limit service controls are
client connects to, it sees the same view of included directly in the search request.
the directory. If a server is unable to answer (They are not included with the other opera-
a client’s request, it can either chain the tions.) The searchAliases search control and
request to another server, or refer the client dereferenceAliases service control are com-
to the server. bined in a single derefAliases parameter in
the LDAP search. The ASN.1 [11] definition
of the LDAP search request is shown in Fig-
3. Overview of LDAP ure 3.
al
qu
rr
su
lt
es
cess, a size or time limit was exceeded, etc.). The LDAP bind operation supports a subset
Having a final terminator packet allows cli- of X.500 bind functionality. It allows only
ents and servers to stream results more eas- simple authentication, consisting of a clear-
ily, handling one entry at a time. This is text password, and Kerberos version 4
especially useful in memory-constrained authentication [6], which translates into an
environments where holding the collection X.500 external authentication method. The
of all entries from a large search is not possi- LDAP bind operation includes a choice of
ble. credentials, allowing for future expansion of
available authentication methods.
The X.500 list and read operations are not
included in LDAP. Instead, they are emu- The DAP unbind, abandon, modify RDN,
lated with the LDAP search operation. Read add and delete operations are virtually
is emulated by a base object search of the identical to their DAP counterparts.
entry to read, with a filter testing for the
existence of the objectClass attribute. Every
entry is required to have an object class and 4. Key Advantages
must match this filter. List is emulated by a
one level search of the entry to list, also with LDAP has four key advantages over DAP.
a filter testing for the existence of the object- First, it runs directly over TCP (or other reli-
Class attribute. If the ability to distinguish able transport, in theory), eliminating much
alias children from other children (a feature of the connection set-up and packet-han-
provided by X.500 list) is desired, the object- dling overhead of the OSI session and pre-
Class attribute can be retrieved and exam- sentation layers required by DAP. In
ined for a value of alias. addition, the near universal availability of
TCP/IP implementations means that LDAP
The LDAP modify operation also differs can run on most systems “out of the box.”
slightly from its DAP counterpart. In DAP,
four kinds of changes can be made: entire Second, LDAP simplifies the X.500 func-
attributes can be added or deleted; individ- tional model in two ways. It leaves out the
ual values can be added or deleted. These read and list operations, emulating them via
capabilities require a client to read an entry the search operation. It also leaves out some
before attempting a modify (e.g., when add- of the more esoteric and less-often-used ser-
ing a value, to discover whether an add vice controls and security features of full
attribute or add value is required). X.500 (e.g., the ability to sign operations).
This simplifies LDAP implementations.
In LDAP, we simplified the semantics of
modify by supporting three operations: add Third, though X.500 and LDAP both
values; delete values; and replace values. If a describe and encode protocol elements
request is made to add values to an attribute using ASN.1 and BER [12], LDAP uses
that does not exist in the entry, the attribute string encodings for distinguished names
is created automatically. If a request is made and data elements. X.500 uses a complex
to delete the last value of an attribute, the and highly-structured encoding even for
entire attribute is deleted. An attribute can simple data elements; LDAP data elements
also be deleted by specifying a delete values are string types. This encoding is a big win
operation without specifying any values. for distinguished names, which have con-
Finally, the replace values construct is used to siderable structure leading to encoding/
make an attribute contain the given values decoding complexity and size. LDAP rele-
after the modify. The LDAP server takes gates the knowledge of a value’s syntax to
care of translating the replace request into the application program rather than lower-
the necessary sequence of modify, add, and level protocol routines.
delete operations required by X.500.
Finally, LDAP frees clients from the burden Key to the success of our LDAP implemen-
of chasing referrals. The LDAP server is tation has been libldap, the LDAP client
responsible for chasing down any referrals library. The libldap library gives program-
returned by X.500, returning either results or mers a simple yet powerful C Language API
errors to the client. Clients assume a single for accessing the X.500 directory through
connection model in which X.500 appears as LDAP. The library is self-contained, includ-
a single logical directory. ing the necessary ASN.1/BER routines for
producing and reading LDAP protocol ele-
ments. It contains routines to begin and end
5. Implementation sessions with the directory, perform searches
and other operations, and parse and display
In setting out to implement LDAP we had the results obtained from the directory. Fig-
three goals in mind: ure 4 is a C code fragment showing a simple
use of libldap. It illustrates the synchronous
• provide a freely available reference interface provided by libldap. Asynchronous
implementation of the protocol; routines are also provided.
• enable the development of LDAP clients
#include <ldap.h>
on a wide variety of platforms; and LDAP *ld;
LDAPMessage *e, *r;
• solve the problem of providing access to char *a, *dn;
our campus X.500 directory. /* open a connection and authenticate */
if ((ld = ldap_open(“hostname”, LDAP_PORT))
In addition, we have found our implementa- == NULL)
fail();
tion has been incorporated into a number of if (ldap_simple_bind_s(ld, NULL, NULL) !=
vendor offerings, increasing the availability LDAP_SUCCESS)
fail();
of LDAP products. /* search for entries, return all attrs */
if (ldap_search_s(ld, “c=US”, LDAP_SCOPE_ONELEVEL,
“o=*michigan*”, NULL, 0, &r) != LDAP_SUCCESS)
Our LDAP implementation has three main fail();
components: a server, a client library, and /* step through each entry returned */
for (e = ldap_first_entry(ld, r); e != NULL;
various clients. Our LDAP server, ldapd, is e = ldap_next_entry(ld, e)) {
based on the popular ISO Development /* get and print the entry name */
dn = ldap_getdn(ld, e);
Environment (ISODE) package. We use the printf(“entry: %s\n”, dn);
ISODE OSI stack implementation and DAP free(dn);
/* step through each attribute */
client library to access X.500. The ldapd for (a = ldap_first_attribute(ld, e);
server supports connections to multiple a != NULL;
a = ldap_next_attribute(ld, e, a)) {
X.500 servers, providing efficient handling printf(“attr: %s\n”, a);
of referrals. /* get and print vals */
v = ldap_get_values(ld, e, a);
for (i = 0; v[i] != NULL; i++) {
The ldapd server can be run as a UNIX printf(“val: %s\n”, v[i]);
stand-alone daemon or from inetd, the UNIX }
ldap_value_free(v);
Internet protocol daemon. It accepts connec- }
tions from LDAP clients, forking off a copy }
Figure 4. Sample libldap code. This code fragment
of itself to handle each connection. It also searches for and retrieves entries from the
supports connectionless LDAP (CLDAP) directory. The entries are then stepped
through and each value of each attribute is
[10], a version of LDAP that runs over UDP printed. If the attribute names retrieved are
or other connectionless transport. CLDAP is known, ldap_get_values() can be called
with the names directly.
useful in applications where speed is para-
mount, the information desired is small, and In addition to the basic operations shown in
the connection setup overhead of LDAP is Figure 4, libldap contains routines to assist
too large. LDAP application developers in a variety of
ways. There are display template routines
which provide a standardized way of dis-
playing entries. The display format is gov- used for all query measurements, providing
erned by a configuration file that tells which a baseline for comparison.
attributes to display for entries of a particu-
lar object class and how to display them. By Table 1 shows the performance of a range of
using these routines, no code changes are typical DAP and LDAP queries. The tests
necessary for an application to change how were conducted on a dedicated machine
entries are displayed, add a new attribute to running the DAP and LDAP clients, the
the display, etc. LDAP server, and the DSA. As can be seen
in the table, the delay introduced by LDAP
Also provided are routines to assist in the is minimal. This delay could be eliminated
construction of search filters. Often, differ- altogether by a native DSA implementation,
ent filters need to be constructed based on eliminating the intermediate encoding,
user input. For example, in a simple look-up decoding, and protocol translation.
application if a user types in a number, one
might want to perform a search for entries Table 1. Comparison of DAP and LDAP query times.
with a phone number (home, work, fax, or Searches were performed using the same
pager) matching all or part of the number. If DSA, with a “hot” cache of entries. Times
an alphabetic string is input, a search by are in milliseconds.
name is more appropriate. If an exact match
Query DAP LDAP
search yields no results, a less restrictive
approximate search might be tried. The get Unauthenticated bind 30 68
filter routines automate the process of creat- Authenticated bind 34 56
ing these filters. The filters produced are Simple search (one entry) 32 41
specified in a configuration file via regular Simple search (50 entries) 293 353
expressions that are matched against user
input. Table 2 shows the size of the queries and
results given in Table 1. It shows that LDAP
Many LDAP client applications have been queries are substantially smaller than equiv-
developed by us and others on the Internet. alent DAP queries. The savings are due pri-
Some of the more interesting applications marily to the simplified DN and value
include maX.500, waX.500 and xax500, GUI encodings. Query sizes are also reduced by
clients for the Macintosh, MS Windows, and the absence of service controls in every
X Windows, respectively; go500gw, a gopher operation.
to X.500 gateway; web500gw, a World Wide
Web to X.500 gateway; and mail500 and Table 2. Comparison of DAP and LDAP query sizes.
fax500, RFC 822-based X.500-capable mail- LDAP queries are significantly smaller
ers. Work is ongoing on other applications than their DAP counterparts. Query sizes
as well. are in bytes.
tinguished names where the LDAP string Table 5. Comparison of DAP and LDAP implemen-
representation is a big win. tation complexity. The DE client, which can
be built using either DAP or LDAP, is used
Table 3. Comparison of DAP and LDAP decoding to compare implementation size. Semi-
times. LDAP protocol elements are easier colon count, which approximates the num-
to decode, especially for complex PDUs. ber of statements, and “if” statement count,
The complex PDU contained an attribute which approximates the number of code
with over 600 DNs. About half of the DAP paths are another measure of complexity.
decoding time was spent in a duplicate The comparison was between ISODE-8.0
check, to ensure that an attribute has only and our LDAP implementation.
one of each value.
Metric DAP LDAP
PDU Complexity DAP LDAP
Total size (DE) 1,484,568 334,552
Simple 550 110 Text 958,464 221,184
Medium 7,925 714 Data 385,024 73,728
Complex 38,393 2,702 BSS 141,080 39,640
Semicolon count 46,746 1,989
Table 4. Comparison of DAP and LDAP encoding If count 9369 568
times. LDAP protocol elements are
encoded more efficiently, especially for
complex PDUs.
7. Future Work
PDU Complexity DAP LDAP
LDAP has succeeded in making X.500 more
Simple 24 6 accessible and is largely responsible for a
Medium 1,084 324 substantial increase in X.500 client develop-
Complex 2656 989 ment. Despite this success, X.500 deploy-
ment on the Internet remains disappointing.
Finally, we compare implementation size One reason for this is the heavyweight
and code complexity). Such a comparison is nature of X.500 servers; to take advantage of
anecdotal at best, given the wide range of the proliferation of LDAP clients to access
programmer skills and goals used in pro- local data, a site must first bring up a full
ducing the implementations. However, X.500 service. To address this problem we
some conclusions favorable to LDAP can be are developing a stand-alone LDAP server
drawn from the overwhelming advantage it called slapd. Slapd exports the same LDAP
has in this area, as shown in Table 5. functionality described above but is back-
ended by its own local database, not by
The Directory Enquiries client was chosen X.500.
for the size comparison. It can be compiled
to use either DAP or LDAP for X.500 com- To prevent stand-alone LDAP servers from
munication. The code complexity of the being isolated from the rest of the X.500
ISODE DAP and our LDAP client libraries world, we have made a compatible exten-
were also compared. We used two complex- sion to LDAP that allows the return of refer-
ity measures. The first, a count of the num- rals to the client. This adds some complexity
ber of semi-colons, approximates the on the client side to follow the referrals, but
number of statements. The second, a count in return we gain simplicity in the server.
of the number of “if” statements, approxi-
mates the number of code paths. In comput- The 1993 version of the X.500 standard
ing both of these metrics, an effort was includes many features missing from 1988
made to include only those portions of code X.500, on which LDAP is based. Among the
required to access X.500. new features are access control, replication,
schema management, and various DAP
Author Information