Adobe ColdFusion 8

The LDAP information structure

There are several LDAP concepts that are the basis of the LDAP information structure:

  • Entry
  • Attribute
  • Distinguished name (DN)
  • Schema, including the object class and attribute type

Entry

The basic information object of LDAP is the entry. An entry is composed of one or more attributes. Entries are subject to content rules defined by the directory schema (see Schema).

Each node, not just the terminal nodes, of an LDAP directory is an entry. In the preceding images, each item is an entry. For example, in the first diagram, both USA and Ferrari are entries. The USA entry's attributes could include a Language attribute, and the Ferrari entry could include an entry for the chief executive officer.

Attribute

An LDAP directory entry consists of one or more attributes. Attributes have types and values. The type determines the information that the values can contain. The type also specifies how the value is processed. For example, the type determines whether an attribute can have multiple values. The mail attribute type, which contains an e-mail address, is multivalued so you can store multiple e-mail addresses for one person.

Some commonly used attribute types have short keyword type names. Often these correspond to longer type names, and the two names can be used interchangeably. The following table lists common attribute type keywords used in LDAP directories:

| Keyword | Long name | Comment |
|---|---|---|
| c | CountryName | |
| st | stateOrProvinceName | |
| l | LocalityName | Typically, city, but can be any geographical unit |
| street | StreetAddress | |
| o | OrganizationName | |
| ou | OrganizationalUnitName | |
| cn | CommonName | Typically, first and last name |
| sn | SurName | |
| dc | domaincomponent | |
| mail | mail | E-mail address |

For more information, see Attribute type.

Distinguished name (DN)

An entry's distinguished name uniquely identifies it in the directory. A DN is made up of relative distinguished names (RDNs). An RDN identifies the entry among the children of its parent entry. For example, in the first image in About LDAP, the RDN for the Ferrari entry is "o=Ferrari".

An entry's DN consists of an entry's RDN followed by the DN of its parent. In other words, it consists of the RDNs for the entry and each of the entry's parent entries, up to the root of the directory tree. The RDNs are separated by commas and optional spaces. For example, in the first image, the DN for the Ferrari entry is "o=Ferrari, c=Italy".

As with file system pathnames and URLs, entering the correct LDAP name format is essential to successful search operations.

Note: The RDN is an attribute of a directory entry. The full DN is not. However, you can output the full DN by specifying "dn" in a query's attributes list. For more information, see cfldap in CFML Reference. ColdFusion always returns DNs with spaces after the commas.

A multivalued RDN is made up of more than one attribute-value pair. In multivalued RDNs, the attribute-value pairs are separated by plus signs (+). In the sample directories, individuals could have complex RDNs consisting of their common name and their e-mail address, for example, "cn=Robert Boyd + mail=rjboyd@adobe.com".
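The DN rules above (comma-separated RDNs, optional spaces, plus signs in multivalued RDNs) are shown in the following added example, which is not part of the ColdFusion documentation. It parses a DN into its RDNs and escapes a value before it is placed in a DN, so that commas or plus signs inside the value cannot change the DN's structure. The function names are hypothetical, the escaping follows RFC 4514, and quoted-string DN values and multi-byte hex escapes are not handled.

```python
import string
SPECIAL = set(',+"\\<>;=')  # characters RFC 4514 requires or allows escaping

def escape_rdn_value(value):
    """Escape a value so it stays inside one attribute-value pair of a DN."""
    out = []
    for i, ch in enumerate(value):
        # A leading space or '#', and a trailing space, must also be escaped.
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        out.append("\\00" if ch == "\x00" else "\\" + ch if ch in SPECIAL or edge else ch)
    return "".join(out)

def _tokens(text):
    """Yield (char, was_escaped), resolving \\X and single-byte \\HH escapes."""
    i = 0
    while i < len(text):
        pair = text[i + 1:i + 3]
        if text[i] == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            yield chr(int(pair, 16)), True
            i += 3
        elif text[i] == "\\" and pair:
            yield pair[0], True
            i += 2
        else:
            yield text[i], False
            i += 1

def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (type, value) pairs."""
    rdns, pairs, typ, buf = [], [], None, []
    # A sentinel comma closes the last RDN; only unescaped , + = are structural.
    for ch, esc in list(_tokens(dn)) + [(",", False)]:
        if not esc and ch == "=" and typ is None:
            typ, buf = "".join(c for c, _ in buf).strip().lower(), []
        elif not esc and ch in ",+":
            while buf and buf[0] == (" ", False):   # optional spaces after a separator
                buf.pop(0)
            while buf and buf[-1] == (" ", False):  # and before the next one
                buf.pop()
            if not typ:
                raise ValueError("attribute-value pair without a type")
            pairs.append((typ, "".join(c for c, _ in buf)))
            typ, buf = None, []
            if ch == ",":
                rdns, pairs = rdns + [pairs], []
        else:
            buf.append((ch, esc))
    return rdns
```

For the page's examples, `parse_dn("o=Ferrari, c=Italy")` yields two single-valued RDNs, and `parse_dn("cn=Robert Boyd + mail=rjboyd@adobe.com")` yields one RDN with two pairs.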

Schema

The concepts of schemas and object classes are central to a thorough understanding of LDAP. Although detailed descriptions of them are beyond the scope of this topic, the following sections provide enough information to use the cfldap tag effectively.

A directory schema is a set of rules that determines what can be stored in a directory. It defines, at a minimum, the following two basic directory characteristics:

  • The object classes to which entries can belong
  • The directory attribute types

Object class

Object classes enable LDAP to group related information. Frequently, an object class corresponds to a real object or concept, such as a country, person, room, or domain (in fact, these are all standard object type names). Each entry in an LDAP directory must belong to one or more object classes.

The following characteristics define an object class:

  • The class name
  • A unique object ID that identifies the class
  • The attribute types that entries of the class must contain
  • The attribute types that entries of the class can optionally contain
  • (Optional) A superior class from which the class is derived

If an entry belongs to a class that derives from another class, the entry's objectclass attribute lists the lowest-level class and all the superior classes from which the lowest-level class derives.

When you add, modify, or delete a directory entry, you must treat the entry's object class as a possibly multivalued attribute. For example, when you add a new entry, you specify the object class in the cfldap tag attributes attribute. To retrieve an entry's object class names, specify "objectclass" in the list of query attributes. To retrieve entries that provide a specific type of information, you can use the object class name in the cfldap tag filter attribute.
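The object class rules above (required and optional attribute types, inheritance from a superior class, and an objectclass attribute that lists the whole class chain) can be checked before an entry is added. The following is an added example, not ColdFusion code; the schema table is constructed and abbreviated from the standard person, organizationalPerson and inetOrgPerson classes, and the function names are hypothetical.

```python
# Constructed, abbreviated schema: class -> superior class, MUST and MAY attributes.
SCHEMA = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"telephonenumber", "description"}},
    "organizationalperson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "l", "st", "street"}},
    "inetorgperson": {"sup": "organizationalperson", "must": set(),
                      "may": {"mail", "uid", "o"}},
}

def class_chain(name):
    """Return the class followed by every superior class up to the root."""
    chain = []
    while name is not None:
        if name not in SCHEMA:
            raise KeyError(f"unknown object class: {name}")
        chain.append(name)
        name = SCHEMA[name]["sup"]
    return chain

def check_entry(entry):
    """Return schema violations for an entry given as {attribute: [values]}."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    must, may, missing_sup, unknown = set(), set(), set(), set()
    for cls in classes:
        if cls not in SCHEMA:
            unknown.add(cls)
            continue
        for sup in class_chain(cls):
            if sup not in classes:
                missing_sup.add(sup)  # objectclass must list superiors too
            must |= SCHEMA[sup]["must"]
            may |= SCHEMA[sup]["may"]
    problems = [f"unknown object class {c}" for c in sorted(unknown)]
    problems += [f"objectclass does not list superior class {s}"
                 for s in sorted(missing_sup)]
    problems += [f"missing required attribute {a}"
                 for a in sorted(must - attrs.keys())]
    problems += [f"attribute {a} not allowed by any listed class"
                 for a in sorted(attrs.keys() - must - may)]
    return problems
```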

Attribute type

A schema's attribute type specification defines the following properties:

  • The attribute type name
  • A unique object ID that identifies the attribute type
  • (Optional) An indication of whether the type is single-valued or multivalued (the default is multivalued)
  • The attribute syntax and matching rules (such as case sensitivity)

The attribute type definition can also determine limits on the range or size of values that the type represents, or provide an application-specific usage indicator. For standard attributes, a registered numeric ID specifies the syntax and matching rule information. For more information on attribute syntaxes, see IETF RFC 2252 at http://www.ietf.org/rfc/rfc2252.txt.

Operational attributes, such as creatorsName or modifyTimeStamp, are managed by the directory service and cannot be changed by user applications.