There are several LDAP concepts that are the basis of the LDAP information structure:
The basic information object of LDAP is the entry. An entry is composed of one or more attributes. Entries are subject to content rules defined by the directory schema (see Schema).
Each node, not just the terminal nodes, of an LDAP directory is an entry. In the preceding images, each item is an entry. For example, in the first diagram, both USA and Ferrari are entries. The USA entry's attributes could include a Language attribute, and the Ferrari entry could include an attribute for the chief executive officer.
An LDAP directory entry consists of one or more attributes. Attributes have types and values. The type determines the information that the values can contain. The type also specifies how the value is processed. For example, the type determines whether an attribute can have multiple values. The mail attribute type, which contains an e-mail address, is multivalued so you can store multiple e-mail addresses for one person.
Some commonly used attribute types have short keyword type names. Often these correspond to longer type names, and the two names can be used interchangeably. The following table lists common attribute type keywords used in LDAP directories:
| Keyword | Long name | Comment |
|---|---|---|
| c | CountryName | |
| st | stateOrProvinceName | |
| l | LocalityName | Typically, city, but can be any geographical unit |
| street | StreetAddress | |
| o | OrganizationName | |
| ou | OrganizationalUnitName | |
| cn | CommonName | Typically, first and last name |
| sn | SurName | |
| dc | domaincomponent | |
| mail | | E-mail address |
For more information, see Attribute type.
An entry's distinguished name uniquely identifies it in the directory. A DN is made up of relative distinguished names (RDNs). An RDN identifies the entry among the children of its parent entry. For example, in the first image in About LDAP, the RDN for the Ferrari entry is "o=Ferrari".
An entry's DN consists of an entry's RDN followed by the DN of its parent. In other words, it consists of the RDNs for the entry and each of the entry's parent entries, up to the root of the directory tree. The RDNs are separated by commas and optional spaces. For example, in the first image, the DN for the Ferrari entry is "o=Ferrari, c=Italy".
As with file system pathnames and URLs, entering the correct LDAP name format is essential to successful search operations.
A multivalued RDN is made up of more than one attribute-value pair. In multivalued RDNs, the attribute-value pairs are separated by plus signs (+). In the sample directories, individuals could have complex RDNs consisting of their common name and their e-mail address, for example, "cn=Robert Boyd + mail=rjboyd@adobe.com".
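The DN rules above (RDNs joined by commas with optional spaces, multivalued RDNs joined by plus signs, and the parent's DN obtained by dropping the leftmost RDN), as an added example that is not part of the original documentation. It is a small Python parser and builder for the RFC 4514 string form of a DN, including the escaping that RFC requires when a value itself contains a comma, plus sign or similar character; without that escaping a value such as "Boyd, Robert" would be read as two RDNs. The sample DNs are the ones used in this topic; the function names are this example's own, and the example is written in Python rather than CFML because it demonstrates the naming rules rather than the cfldap tag.

```python
"""Parse and build LDAP distinguished names in RFC 4514 string form.

Added example (not part of the original documentation). It shows how a DN
decomposes into RDNs, how a multivalued RDN carries several attribute-value
pairs, and why values containing ',' or '+' must be escaped.
"""
import re

# Characters that must be backslash-escaped anywhere inside an RDN value.
SPECIAL = set(',+"\\<>;')
_ESCAPE_RE = re.compile(r'\\([0-9a-fA-F]{2}|.)')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in an RDN string."""
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                      # a leading '#' would read as a hex-encoded value
            out.append('\\#')
        elif ch == ' ' and i in (0, len(value) - 1):    # leading/trailing space is otherwise dropped
            out.append('\\ ')
        elif ord(ch) < 0x20:                            # control characters as hex pairs
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def unescape_rdn_value(text: str) -> str:
    """Reverse escape_rdn_value: '\\,' -> ',' and '\\2c' -> ','."""
    def repl(m):
        token = m.group(1)
        return chr(int(token, 16)) if len(token) == 2 else token
    return _ESCAPE_RE.sub(repl, text)


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on sep, leaving backslash-escaped occurrences of sep alone."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):       # keep the escape pair together
            buf.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append(''.join(buf))
    return parts


def _strip(raw: str) -> str:
    """Drop the optional whitespace around a value, but keep an escaped trailing space."""
    return re.sub(r'(?<!\\)\s+$', '', raw.lstrip())


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Return the RDNs leaf-first; each RDN is a list of (type, value) pairs.

    'o=Ferrari, c=Italy' and 'o=Ferrari,c=Italy' parse identically because the
    whitespace after a separator is optional.
    """
    if not dn.strip():
        return []                                       # the empty DN names the root
    rdns = []
    for rdn_text in _split_unescaped(dn, ','):
        pairs = []
        for ava in _split_unescaped(rdn_text, '+'):
            attr_type, eq, raw = ava.partition('=')
            if not eq or not attr_type.strip():
                raise ValueError(f'malformed RDN component: {ava!r}')
            pairs.append((attr_type.strip(), unescape_rdn_value(_strip(raw))))
        rdns.append(pairs)
    return rdns


def build_dn(rdns) -> str:
    """Inverse of parse_dn: escape each value, join pairs with '+' and RDNs with ','."""
    return ','.join('+'.join(f'{t}={escape_rdn_value(v)}' for t, v in rdn) for rdn in rdns)


def rdn_of(dn: str) -> str:
    """The entry's own RDN: the leftmost component."""
    return build_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """The DN of the parent: everything after the leftmost RDN ('' at the root)."""
    return build_dn(parse_dn(dn)[1:])


if __name__ == '__main__':
    print(parse_dn('cn=Robert Boyd + mail=rjboyd@adobe.com, o=Adobe, c=USA'))
    print(build_dn([[('cn', 'Boyd, Robert')], [('o', 'Adobe')]]))
```

Because build_dn escapes every value, a name assembled from parts (for instance from form input) always produces a DN that parse_dn reads back as the same parts, which is the property to check whenever a program constructs a DN instead of copying one out of the directory.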
The concepts of schemas and object classes are central to a thorough understanding of LDAP. Although detailed descriptions of them are beyond the scope of this topic, the following sections provide enough information to use the cfldap tag effectively.
A directory schema is a set of rules that determines what can be stored in a directory. It defines, at a minimum, the following two basic directory characteristics:
Object classes enable LDAP to group related information. Frequently, an object class corresponds to a real object or concept, such as a country, person, room, or domain (in fact, these are all standard object type names). Each entry in an LDAP directory must belong to one or more object classes.
The following characteristics define an object class:
If an entry belongs to a class that derives from another class, the entry's objectclass attribute lists the lowest-level class and all the superior classes from which the lowest-level class derives.
When you add, modify, or delete a directory entry, you must treat the entry's object class as a possibly multivalued attribute. For example, when you add a new entry, you specify the object class in the cfldap tag attributes attribute. To retrieve an entry's object class names, specify "objectclass" in the list of query attributes. To retrieve entries that provide a specific type of information, you can use the object class name in the cfldap tag filter attribute.
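The two points made above, that an attribute such as mail may hold several values and that an entry's objectclass attribute lists its lowest-level class together with every superior class, and that the object class name can then be used in a search filter, as an added example that is not part of the original documentation. The schema excerpt, the three entries and all values in it are constructed; the filter evaluator implements a subset of the RFC 4515 filter syntax (equality, `*` wildcards, and/or/not), which is enough to show how an objectclass filter selects entries and why a value taken from user input is escaped before it is placed in a filter, whether that filter is passed to the cfldap filter attribute or to any other LDAP client. The function names are this example's own.

```python
"""Object classes as a multivalued attribute, and objectClass-based searches.

Added example (not part of the original documentation). The schema excerpt
and the directory below are constructed; the filter evaluator implements a
subset of RFC 4515 (equality, '*' wildcards, and/or/not) so that the effect
of escaping a value before placing it in a filter can be seen directly.
"""
import re

# Constructed schema excerpt: object class -> the class it derives from.
SUPERIOR = {
    'inetOrgPerson': 'organizationalPerson',
    'organizationalPerson': 'person',
    'person': 'top',
    'organization': 'top',
}


def object_class_values(lowest: str) -> list[str]:
    """The objectClass values an entry of class `lowest` carries: it and all its superiors."""
    chain = [lowest]
    while chain[-1] in SUPERIOR:
        chain.append(SUPERIOR[chain[-1]])
    return chain


def make_entry(dn: str, lowest_class: str, **attrs) -> dict:
    """An entry is a dict of attribute type -> list of values (any attribute may be multivalued)."""
    entry = {'dn': [dn], 'objectClass': object_class_values(lowest_class)}
    for name, value in attrs.items():
        entry[name] = list(value) if isinstance(value, (list, tuple)) else [value]
    return entry


DIRECTORY = [   # constructed sample directory
    make_entry('o=Ferrari,c=Italy', 'organization', o='Ferrari'),
    make_entry('cn=Robert Boyd,o=Adobe,c=USA', 'inetOrgPerson', cn='Robert Boyd', sn='Boyd',
               mail=['rjboyd@adobe.com', 'robert.boyd@example.com']),   # mail is multivalued
    make_entry('cn=Ann Ng,o=Adobe,c=USA', 'person', cn='Ann Ng', sn='Ng'),
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value that is placed inside a search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)


def parse_filter(text: str):
    """Parse a filter string into a tree: ('=', attr, value) or (op, [children])."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError('trailing data after filter')
    return node


def _parse(text: str, pos: int):
    if text[pos] != '(':
        raise ValueError('expected "("')
    pos += 1
    if text[pos] in '&|!':
        op, pos, kids = text[pos], pos + 1, []
        while text[pos] == '(':
            kid, pos = _parse(text, pos)
            kids.append(kid)
        node = (op, kids)
    else:
        end = text.index(')', pos)          # an escaped ')' in a value is '\29', so this is safe
        attr, eq, value = text[pos:end].partition('=')
        if not eq:
            raise ValueError('only equality filters are supported here')
        node, pos = ('=', attr, value), end
    if text[pos] != ')':
        raise ValueError('expected ")"')
    return node, pos + 1


def _unhex(s: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def _value_pattern(value: str) -> re.Pattern:
    """An unescaped '*' is a wildcard; escaped text is decoded and then matched literally."""
    literal = [re.escape(_unhex(part)) for part in value.split('*')]
    return re.compile('^' + '.*'.join(literal) + '$', re.IGNORECASE)


def matches(entry: dict, node) -> bool:
    op = node[0]
    if op == '&':
        return all(matches(entry, k) for k in node[1])
    if op == '|':
        return any(matches(entry, k) for k in node[1])
    if op == '!':
        return not matches(entry, node[1][0])
    _, attr, value = node
    pattern = _value_pattern(value)
    return any(pattern.match(v) for name, vals in entry.items()
               if name.lower() == attr.lower() for v in vals)


def search(filter_text: str, directory=DIRECTORY) -> list[str]:
    """DNs of the entries in `directory` that match the filter."""
    node = parse_filter(filter_text)
    return [e['dn'][0] for e in directory if matches(e, node)]


if __name__ == '__main__':
    print(object_class_values('inetOrgPerson'))
    print(search('(&(objectClass=person)(mail=*))'))
```

Because every objectClass value up the derivation chain is stored on the entry, a filter on "person" also returns the inetOrgPerson entry, and a filter on "organization" returns only Ferrari; the last line of the usage in the test shows that escaping turns a user-supplied `Robert*` into a literal match that selects nothing instead of a prefix match.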
A schema's attribute type specification defines the following properties:
The attribute type definition can also determine limits on the range or size of values that the type represents, or provide an application-specific usage indicator. For standard attributes, a registered numeric ID specifies the syntax and matching rule information. For more information on attribute syntaxes, see IETF RFC 2252 at http://www.ietf.org/rfc/rfc2252.txt.
Operational attributes, such as creatorsName or modifyTimeStamp, are managed by the directory service and cannot be changed by user applications.