What is LDAP?
z/OS IBM Tivoli Directory Server Administration and Use for z/OS, SC23-6788-00
The LDAP server’s model for the directory service is based on a global directory model called LDAP, which stands for the Lightweight Directory Access Protocol. LDAP Version 2 (V2) and LDAP Version 3 (V3), both supported in z/OS, are directory service protocols that run over TCP/IP. The details of LDAP V2 are defined in RFC 1777: Lightweight Directory Access Protocol, and the details of LDAP V3 are defined in the set of IETF RFCs 2251 - 2256. RFCs supported by z/OS LDAP lists all of the supported RFCs. This section gives an overview of LDAP from a user’s perspective.

How is information stored in the directory?

The LDAP directory service model is based on entries. An entry is a collection of attributes that has a name, called a distinguished name (DN). The DN is used to refer to the entry unambiguously. Each of the entry’s attributes has a type and one or more values. The types are typically mnemonic strings, like cn for common name or mail for email address. The values depend on the type of the attribute. For example, a mail attribute might contain an email address such as thj@vnet.ibm.com, while a jpegPhoto attribute would contain a photograph in binary JPEG format.

How is the information arranged?

In LDAP, directory entries are arranged in a hierarchical tree-like structure that often reflects political, geographic, or organizational boundaries. Entries representing countries appear at the top of the tree. Below them are entries representing states or national organizations. Below those might be entries representing people, organizational units, printers, documents, or just about anything else. Figure 1 shows an example LDAP directory tree.

Figure 1. Directory hierarchy example

In addition, LDAP lets you control which attributes are required and allowed in an entry through a special attribute called objectClass. The values of the objectClass attribute determine the attributes that must and may be specified in the entry; the server rejects an entry that is missing a required attribute or carries one its object classes do not allow.

How is the information referenced?

An entry is referenced by its distinguished name, which is constructed by taking the name of the entry itself (called the relative distinguished name, or RDN) and concatenating the names of its ancestor entries, from the entry up to the root. For example, the entry for Tim Jones in the example above has an RDN of cn=Tim Jones and a DN of cn=Tim Jones, o=IBM, c=US. The full DN format is described in RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names. The z/OS® LDAP server supports different naming formats. While naming based on country, organization, and organizational unit is one method, another method is to name entries based on an organization’s registered DNS domain name. Names of this form look like cn=Tim Smith,dc=vnet,dc=ibm,dc=com. These naming formats can also be mixed, for example cn=Tim Brown,ou=Sales,dc=ibm,dc=com.

How is the information accessed?

LDAP defines operations for interrogating and updating the directory. Operations are provided for adding an entry to the directory, deleting an entry from it, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory (a base entry and a scope: the entry itself, its immediate children, or its whole subtree) to be searched for entries that match the criteria specified by a search filter, and specific attributes can be requested from each entry that matches. The LDAP compare operation allows a value to be tested against an entry without returning that value to the client. For example, you might want to search the entire directory subtree below IBM® for people with the name Tim Jones, retrieving the email address of each entry found. LDAP lets you do this easily. Or you might want to search the entries directly below the c=US entry for organizations with the string Acme in their name that also have a FAX number. LDAP lets you do this too. The section How does LDAP work? describes in more detail what you can do with LDAP and how it might be useful to you.

How is the information protected from unauthorized access?

LDAP client requests can be performed using an anonymous identity, or the LDAP bind operation can be used to supply an authentication identity. The LDAP server uses that identity to perform authorization checking when accessing entries in the directory. An Access Control List (ACL) provides the means to protect information stored in an LDAP directory. An ACL is used to restrict access to different portions of the directory, to specific directory entries, or to particular attributes within an entry, so that, for example, an anonymous client may be allowed to read a person’s mail attribute but not to read or modify other attributes. Access control can be specified for individual users or for groups. This authentication process can also be used by distributed applications that must implement some form of authentication.
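The following is an added example, not code from this IBM publication or from the z/OS LDAP server: a small in-memory directory in Python that ties together the points above on naming, objectClass, search and compare. It splits an RFC 2253 DN string into RDNs, case-folds them so that differently capitalised DNs name the same entry, enforces a constructed toy objectClass schema (a subset, not the standard one) when an entry is added, evaluates a subset of LDAP filter syntax with base, one-level and subtree scopes, and answers a compare without disclosing the stored value. The tree, the Acme organizations and the example.com addresses are constructed for the demonstration and do not come from the page.

```python
# Added example, not code from the IBM publication: a toy in-memory directory showing how
# a DN is built from RDNs (RFC 2253 string form), how objectClass gates the attributes an
# entry may carry, how search scope and filter select entries, and how compare tests a
# value without returning it. Schema subset, DNs and addresses are constructed for the demo.
import re

# Constructed toy schema (not the standard one): objectClass -> (required, optional) types
SCHEMA = {
    "country": ({"c"}, set()),
    "organization": ({"o"}, {"facsimiletelephonenumber", "telephonenumber"}),
    "organizationalunit": ({"ou"}, set()),
    "person": ({"cn", "sn"}, {"mail", "telephonenumber", "userpassword"}),
}

def split_dn(dn):
    """Split a DN into RDN strings; a backslash-escaped comma (RFC 2253) does not split."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)] if dn else []

def normalize_rdns(dn):
    """Case-fold each RDN so 'CN=Tim Jones, O=IBM' and 'cn=tim jones,o=ibm' name one entry."""
    return [f"{t.strip().lower()}={v.strip().lower()}"
            for t, _, v in (r.partition("=") for r in split_dn(dn))]

def parse_filter(s):
    """Parse a filter subset: (&...), (|...), (attr=value); '*' alone = presence, '*' in a
    value = substring wildcard. Values containing ')' are not handled by this toy parser."""
    def parse(i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if s[i + 1] in "&|":
            op, kids, i = s[i + 1], [], i + 2
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1                   # skip the closing ')'
        j = s.index(")", i)
        attr, _, val = s[i + 1:j].partition("=")
        return ("=", attr.strip().lower(), val), j + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node

def matches(entry, node):
    """Evaluate a parsed filter against one entry's {type: [values]} dict (case-insensitive)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(entry, k) for k in node[1])
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    if val == "*":                                     # presence test
        return bool(values)
    pattern = ".*".join(re.escape(p) for p in val.lower().split("*"))
    return any(re.fullmatch(pattern, v) for v in values)

class Directory:
    def __init__(self):
        self.entries = {}   # tuple of normalized RDNs -> (DN as given, {type: [values]})

    def add(self, dn, **attrs):
        """Add an entry; refuse it if the parent is missing or objectClass rules are broken."""
        rdns = normalize_rdns(dn)
        if len(rdns) > 1 and tuple(rdns[1:]) not in self.entries:
            raise LookupError(f"parent entry does not exist: {','.join(split_dn(dn)[1:])}")
        entry = {k.lower(): [v] if isinstance(v, str) else list(v) for k, v in attrs.items()}
        required, allowed = set(), {"objectclass"}
        for oc in entry.get("objectclass", []):
            must, may = SCHEMA[oc.lower()]
            required, allowed = required | must, allowed | must | may
        if not required <= set(entry) <= allowed:
            raise ValueError(f"attributes of {dn} violate its objectClass rules")
        self.entries[tuple(rdns)] = (dn, entry)

    def search(self, base, scope, filt, attrs=None):
        """scope: 'base' (the entry itself), 'one' (immediate children) or 'sub' (whole
        subtree). Returns [(dn, {type: [values]})] for entries matching the filter."""
        base_rdns, node, hits = normalize_rdns(base), parse_filter(filt), []
        for key, (dn, entry) in self.entries.items():
            rdns = list(key)
            in_scope = {"base": rdns == base_rdns, "one": rdns[1:] == base_rdns,
                        "sub": rdns[-len(base_rdns):] == base_rdns}[scope]
            if in_scope and matches(entry, node):
                hits.append((dn, entry if attrs is None
                             else {a.lower(): entry.get(a.lower(), []) for a in attrs}))
        return hits

    def compare(self, dn, attr, value):
        """Compare operation: answer True/False without returning the stored values."""
        _, entry = self.entries[tuple(normalize_rdns(dn))]
        return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def build_directory():
    """Populate the constructed example tree under c=US (two Tim Jones entries, three Acmes)."""
    d = Directory()
    d.add("c=US", objectClass="country", c="US")
    d.add("o=IBM,c=US", objectClass="organization", o="IBM")
    d.add("ou=Sales,o=IBM,c=US", objectClass="organizationalUnit", ou="Sales")
    d.add("cn=Tim Jones,o=IBM,c=US", objectClass="person", cn="Tim Jones", sn="Jones", mail="tjones@example.com")
    d.add("cn=Tim Jones,ou=Sales,o=IBM,c=US", objectClass="person", cn="Tim Jones", sn="Jones", mail="tim.jones@example.com")
    d.add("o=Acme Widgets,c=US", objectClass="organization", o="Acme Widgets", facsimileTelephoneNumber="+1 555 0100")
    d.add("o=Acme Paper,c=US", objectClass="organization", o="Acme Paper")
    d.add("o=Acme Labs,o=Acme Widgets,c=US", objectClass="organization", o="Acme Labs", facsimileTelephoneNumber="+1 555 0101")
    return d
```

Running `build_directory().search("o=IBM,c=US", "sub", "(&(objectClass=person)(cn=Tim Jones))", ["mail"])` returns both Tim Jones entries with only their mail values, while the one-level search below c=US for `(&(o=*Acme*)(facsimileTelephoneNumber=*))` returns only o=Acme Widgets,c=US: Acme Paper has no FAX number and Acme Labs is one level too deep. Note that compare only tells the client whether the value it already holds is present; it never returns what is stored, which is why it is the operation used for password-style checks against attributes the client is not allowed to read.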
Copyright IBM Corporation 1990, 2014