This section describes both the 'wire' protocol that LDAP clients and servers use when communicating and the LDAP URL format which can be used from modern browsers and is used in conjunction with certain objectClasses and features (most notably Dynamic Groups).
If you need to know this stuff, carry on, but the really smart thing to do is to use the excellent Open Source wireshark (ex-ethereal) to do all the disassembly for you - if wireshark does not support a protocol, we have not yet come across it. Wonderful software.
Finally, LDAP uses the ITU's BER (Basic Encoding Rules) to save three bytes on each transfer. You will need (and pay handsomely for) X.690, which defines BER.
Alternatively you can download Prof. John Larmouth's ASN.1 Complete (it's free but you must register to get it) or you can purchase a copy from Morgan Kaufmann Publishers (ISBN: 0-12-233435-3). In no way second best is Olivier Dubuisson's ASN.1 - Communication between heterogeneous systems (free but you have to register), by another world-renowned ASN.1 expert. Again you can purchase his book from Morgan Kaufmann Publishers (ISBN: 0-12-6333361-0). This site has excellent ASN.1 and BER resources.
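LDAP's wire protocol wraps every message in BER type-length-value (TLV) triples. The following is an added example, not code from this page: it encodes and decodes the definite-length TLVs that LDAP uses and builds an LDAPMessage carrying an anonymous simple BindRequest as defined in RFC 4511. The tag values (0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING, 0x60 for the [APPLICATION 0] BindRequest, 0x80 for the context-specific [0] simple password) are the X.690/RFC 4511 constants. The decoder checks every declared length against the buffer before slicing, which is the check a receiver must make on untrusted input, and rejects the indefinite-length form, which RFC 4511 forbids.

```python
"""Minimal BER (X.690) TLV encoding for LDAP.  Added example, not code from
the page.  LDAP (RFC 4511, section 5.1) restricts BER to definite-length
encodings with single-byte tags, which is all this handles.

Tags used: 0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING,
0x60 [APPLICATION 0] BindRequest, 0x80 [0] simple authentication."""
from typing import Tuple

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, AUTH_SIMPLE = 0x60, 0x80


def encode_length(n: int) -> bytes:
    """Short form (one byte) below 128, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER; a leading 0x00 is added when the top
    bit would otherwise read as a sign bit (e.g. 128 -> 00 80)."""
    if n < 0:
        raise ValueError("only non-negative integers are needed here")
    return tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def decode_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos).  Every length is checked against the
    buffer before slicing, so a truncated or oversized message raises instead
    of yielding a short value the caller might misinterpret."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length not allowed in LDAP")
        if pos + nbytes > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("declared length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def anonymous_bind_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = tlv(BIND_REQUEST, ber_integer(3) + tlv(OCTET_STRING, b"") + tlv(AUTH_SIMPLE, b""))
    return tlv(SEQUENCE, ber_integer(message_id) + bind)


def parse_bind_request(msg: bytes) -> dict:
    """Walk the TLVs of an LDAPMessage and return the BindRequest fields."""
    tag, body, end = decode_tlv(msg)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, mid, pos = decode_tlv(body)
    if tag != INTEGER:
        raise ValueError("messageID must be an INTEGER")
    tag, op, pos = decode_tlv(body, pos)
    if tag != BIND_REQUEST:
        raise ValueError(f"expected BindRequest, got tag {tag:#x}")
    _, version, p = decode_tlv(op)
    _, name, p = decode_tlv(op, p)
    auth_tag, credentials, _ = decode_tlv(op, p)
    return {
        "messageID": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),
        "auth_tag": auth_tag,
        "credentials": credentials,
    }


if __name__ == "__main__":
    msg = anonymous_bind_request(1)
    print(msg.hex())               # 300c020101600702010304008000
    print(parse_bind_request(msg))
```

The 14-byte result is the familiar anonymous-bind sequence seen at the start of most LDAP captures; running the same bytes back through parse_bind_request recovers messageID 1, version 3, an empty name and an empty simple credential. Feeding decode_tlv a message whose length byte claims more data than is present raises rather than returning a short slice.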
One day real soon now ™
The LDAP URL is a useful feature - but a bit of a con. The LDAP URL (RFC 4510 and RFC 4516) defines a method by which you can enter something that looks like a URL into some version 5 browsers (MSIE 5.5+ and any Gecko browser support ldap; Opera 7.x beta and Konqueror do not) and it will perform an LDAP read-only query on the host using the parameters defined in the URL. Both MSIE and Gecko allow you to add any found entries to an address book (and look to have a common code base).
The con bit (we're being very unfair here) is that the browser translates this request into a standard LDAP search/query primitive. The URL-ish notation is just a (useful) browser-ish interface. However, LDAP URLs are also used somewhat more seriously with Dynamic Groups, in conjunction with the groupOfURLs objectclass and specifically the memberURL attribute. Dynamic Groups is a non-standard LDAP feature (there is no RFC) which is widely implemented. Very weird.
The formal syntax is:
scheme "://" [host:port] ["/"[dn ["?" [attributes] ["?" [scope] ["?" [filter] ["?" extensions]]]]]]
Where:
Param | Description
scheme | may be either ldap - basic access on (normally) port 389 - or ldaps - SSL access using (normally) port 636.
host:port | optional - if omitted the browser will use a default. Otherwise specifies the host name and optionally the port number, for instance, ldapserver.example.com or ldapserver.example.com:8777 (uses a non-standard port of 8777).
dn | optional - if omitted the browser will use a default. Otherwise specifies the DN to use as the base of the search, for instance, ou=people,dc=example,dc=com.
attributes | optional - if omitted all available attributes are returned for each entry. Otherwise specifies the attributes to be returned as a comma-separated list, for example, cn,mail,telephonenumber.
scope | optional - if omitted base is assumed. Otherwise specifies the scope of the search and takes one of the following values:
filter | according to the documentation this field is optional - if omitted (objectclass=*) is assumed. This default appears not to be supported on either MSIE or Gecko - you must enter something, for example, (objectclass=*). Otherwise specifies the text form of the search filter.
extensions | The current LDAP URL RFC (RFC 4516) does not define any extensions.
Connect using anonymous access to host.example.com using port 389 with a base DN of ou=people,dc=example,dc=com, return all available attributes for entries, go down one level on the search and return all found entries:
ldap://host.example.com/ou=people,dc=example,dc=com??one?(objectclass=*)
Connect using anonymous access to host.example.com using port 9000 with a base DN of ou=people,dc=example,dc=com, return all available attributes for entries, go down one level on the search and return all entries:
ldap://host.example.com:9000/ou=people,dc=example,dc=com??one?(objectclass=*)
Connect using anonymous access to a host of the browser's choosing (we can't figure out how to configure this one) using port 389 with a base DN of ou=people,dc=example,dc=com, return all attributes available for entries, go down one level on the search and return all entries with s or S anywhere in the common name:
ldap:///ou=people,dc=example,dc=com??one?(cn=*s*)
Connect using anonymous access to host.example.com using port 389 with a base DN of ou=people,dc=example,dc=com, return the mail attribute only, go down one level on the search and return all entries which have one or more mail attributes:
ldap://host.example.com/ou=people,dc=example,dc=com?mail?one?(mail=*)
Connect using anonymous access to host.example.com using port 389 with a base DN of ou=people,dc=example,dc=com, return all attributes available for entries, search the whole subtree below the base DN and return all entries with sn starting with a or A:
ldap://host.example.com/ou=people,dc=example,dc=com???(sn=a*)
Connect using anonymous access to the locally hosted ldap (localhost) using port 389 with a base DN of ou=people,dc=example,dc=com, return all attributes available for entries, search the whole subtree below the base DN and return all entries with sn starting with a or A:
ldap:///ou=people,dc=example,dc=com???(sn=a*)
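The following is an added example, not code from this page: a small parser and serializer for LDAP URLs following the formal syntax given above, run over the page's own example URLs. It applies the defaults from the table (an empty scope field means base, an empty filter means (objectclass=*), ports 389 and 636 for ldap and ldaps) and RFC 4516's scope keywords base, one and sub, which the table leaves unlisted. Two details matter when such URLs come from a directory attribute such as memberURL rather than from a browser address bar: the parser splits on '?' before percent-decoding, so a %3F encoded inside a DN or filter cannot shift the fields that follow it, and it rejects a filter that is not a single balanced parenthesised expression. Note that with an empty scope field, as in the two ???(sn=a*) URLs above, the parser reports base, exactly as the table says.

```python
"""Parse and re-serialize LDAP URLs laid out as in the syntax above:
    scheme://[host[:port]][/[dn[?[attributes][?[scope][?[filter][?extensions]]]]]]
Added example, not code from the page.  Defaults follow the table above and
RFC 4516: scope 'base', filter '(objectclass=*)', port 389 (ldap) or 636 (ldaps);
the scope keywords base/one/sub are RFC 4516's."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"base", "one", "sub"}
DEFAULT_FILTER = "(objectclass=*)"
# Characters left unescaped when serializing a field; '?' is deliberately absent
# because it separates fields and must appear as %3F inside one.
SAFE = "=,()*!&|~"


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]    # None for ldap:///... ("client picks a default server")
    port: int
    dn: str
    attributes: List[str]  # empty means "all user attributes"
    scope: str
    filter: str
    extensions: List[str]


def _check_filter(filt: str) -> str:
    """Structural check only: one parenthesised, balanced RFC 4515 expression."""
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {filt!r}")
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError(f"unbalanced filter: {filt!r}")
    if depth != 0:
        raise ValueError(f"unbalanced filter: {filt!r}")
    return filt


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps: {url!r}")
    hostport, _, path = rest.partition("/")
    host, port = None, DEFAULT_PORTS[scheme]
    if hostport:
        if hostport.startswith("["):          # IPv6 literal such as [::1]:389
            host, _, port_str = hostport[1:].partition("]")
            port_str = port_str.lstrip(":")
        else:
            host, _, port_str = hostport.partition(":")
        if port_str:
            if not port_str.isdigit() or not 0 < int(port_str) < 65536:
                raise ValueError(f"bad port: {port_str!r}")
            port = int(port_str)
    # Split on '?' first and percent-decode afterwards, so an encoded %3F inside
    # a DN or filter cannot shift the fields that follow it.
    fields = path.split("?")
    if len(fields) > 5:
        raise ValueError("more than five '?'-separated fields")
    dn, attrs, scope, filt, exts = fields + [""] * (5 - len(fields))
    scope = unquote(scope).lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    return LdapUrl(
        scheme=scheme, host=host, port=port, dn=unquote(dn),
        attributes=[unquote(a) for a in attrs.split(",") if a],
        scope=scope,
        filter=_check_filter(unquote(filt) or DEFAULT_FILTER),
        extensions=[unquote(e) for e in exts.split(",") if e],
    )


def format_ldap_url(u: LdapUrl) -> str:
    """Inverse of parse_ldap_url: scope is always written, the port only when
    it differs from the scheme default, extensions only when present."""
    host = "" if u.host is None else (f"[{u.host}]" if ":" in u.host else u.host)
    if u.host is not None and u.port != DEFAULT_PORTS[u.scheme]:
        host += f":{u.port}"
    url = (f"{u.scheme}://{host}/{quote(u.dn, safe=SAFE)}"
           f"?{','.join(quote(a, safe=SAFE) for a in u.attributes)}"
           f"?{u.scope}?{quote(u.filter, safe=SAFE)}")
    if u.extensions:
        url += "?" + ",".join(quote(e, safe=SAFE) for e in u.extensions)
    return url


if __name__ == "__main__":
    for example in ["ldap://host.example.com:9000/ou=people,dc=example,dc=com??one?(objectclass=*)",
                    "ldap://host.example.com/ou=people,dc=example,dc=com???(sn=a*)"]:
        print(parse_ldap_url(example), format_ldap_url(parse_ldap_url(example)), sep="\n")
```

Serializing a parsed URL writes the scope explicitly, so the ???(sn=a*) form comes back as ??base?(sn=a*); if a subtree search was intended, the URL has to say sub. A value in memberURL that fails parse_ldap_url is worth flagging in a directory audit, since a server evaluating the group will either ignore it or apply its own defaults.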
Copyright © 1994 - 2024 ZyTrax, Inc. All rights reserved.
Page modified: January 20 2022.