Introduction to LDAP
This blog is the first part of the series Securing your API Connect Cloud with LDAP. The series aims to provide a brief introduction to LDAP, how it's used for user authentication and how you can secure your API Connect cloud with LDAP to meet your enterprise security needs. You can find the complete list of entries for this series from the main page here.
This post serves to provide a brief introduction to LDAP and how it can be used for the purposes of user authentication.
What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. It is an industry standard application protocol (RFC here) that serves to define an interface or language with which client applications can talk to a directory service (such as OpenLDAP, Active Directory etc.) to query or modify the information in the directory.
An LDAP directory (or server) typically stores information about users, user credentials, groups, user memberships and so on. Since they act as a central repository for user information, they are commonly used for user authentication and authorization.
You can think of an LDAP directory as a data store that client applications communicate with using the LDAP protocol. That said, it is common to hear people use the term LDAP to refer to both the protocol and the directory.
LDAP directory structure:
An LDAP directory has a hierarchical tree-like structure and consists of one or more entries. The entries generally represent real world entities such as organizations, users and so on. For an enterprise, for example, the top or root of the tree could represent the organization itself. This can be followed by child entries that represent organizational or business units, say, by location or function. These in turn can contain further entries representing individual resources like users, groups etc., as shown in the figure below.

Terminologies and example:
To show how this looks in an actual directory, I have used Apache Directory Studio to create an LDAP server and populated it with some sample Hogwarts school data.
At the top-level you can see a partition called dc=hogwarts, dc=com that is used to represent the entire school. This has a child entry, representing an organizational unit ou=users, which in turn has child entries such as cn=triddle, representing the students.

In the above figure, we can ignore the top-level entries ou=config, ou=schema and ou=system, since they relate to the schema/config of the directory itself and come by default with the setup.
Entry: Every object in the directory is called an LDAP entry. Eg: ou=users, cn=triddle.
Attribute: Each entry typically has one or more attributes that are used to describe the object (such as first name, last name, email, business unit etc.). These are modeled as name/value pairs.
The LDAP specification defines a standard set of attributes (eg: cn, sn, mail, objectClass etc.) that are common across all servers and referenced throughout this series. You can refer online if you need more information about any of them.
For our example, let’s take user Tom Riddle from the figure above. Following are his attributes:
dn: cn=triddle,ou=users,dc=hogwarts,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: triddle
sn: Riddle
displayName: Tom Riddle
givenName: Tom
mail: Tom.Riddle@hogwarts.edu
uid: 20007
userPassword: SHA hashed password
As you can see, it contains some basic profile information along with the user’s password.
Distinguished Name or DN:
To identify an entry in the LDAP tree, we use what is called the Distinguished Name or DN. The DN is globally unique in a directory and its value is simply the position of the object in the tree. It is obtained by appending to the name of the entry the name of its parent node, and so on all the way up to the root. In other terms, it is the full path of the object in the tree.
From Fig.2. for user Tom Riddle listed as entry cn=triddle, the DN would be:
"cn=triddle" + "ou=users" + "dc=hogwarts,dc=com"
DN: cn=triddle,ou=users,dc=hogwarts,dc=com
User authentication using LDAP:
To successfully authenticate a user against an LDAP server, you perform what LDAP calls a bind. This is simply the authentication operation, and it expects a username and password. The username in this case is the DN of the LDAP entry.
So, assuming the password of user Tom Riddle is secret, you will have to use the following as credentials for a successful authentication.
username: cn=triddle,ou=users,dc=hogwarts,dc=com
password: secret
If you want to test it out:
- You can use a client like Apache Directory Studio, and open Properties → Authentication → Simple Authentication on the server connection and pass the credentials.
- Or use a command line tool like ldapsearch using the following command:
ldapsearch -H <ldap-server-url> -x -D "<user-dn>" -w "<user-password>" -b "<user-dn>"
Eg:
ldapsearch -H ldap://localhost:10389 -x -D "cn=triddle,ou=users,dc=hogwarts,dc=com" -w "secret" -b "cn=triddle,ou=users,dc=hogwarts,dc=com"
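The two ideas above, building a DN from its RDN components and checking a simple bind against the stored userPassword, as an added example that is not part of the original post and does not use a real LDAP server. It keeps an in-memory copy of the Tom Riddle entry from the post and emulates only the password check a server does on a simple bind; DN escaping follows RFC 4514 and the {SHA}/{SSHA} storage formats follow the RFC 2307 convention. The function names, the constructed directory and the SSHA variant are assumptions of this example, not something the post or Apache Directory Studio provides.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 section 2.4).
_SPECIAL = {",", "+", '"', "\\", "<", ">", ";"}


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN without changing its structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def build_dn(*rdns) -> str:
    """Join (attribute, value) pairs leaf-first, exactly as the post does for cn=triddle."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def hash_userpassword(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the {SCHEME}base64 form used by OpenLDAP and others.

    SHA-1 is used here only because that is the scheme the post's entry shows; it is a
    legacy scheme, and new deployments should prefer salted, slow hashes such as PBKDF2 or
    Argon2 where the server supports them.
    """
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode("ascii")
    raise ValueError(f"unsupported scheme {scheme!r}")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Compare a candidate password against a stored {SHA} or {SSHA} value in constant time."""
    pw = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is the salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    return False  # unknown scheme: fail closed


# Constructed in-memory directory mirroring the entry shown in the post (password "secret").
TRIDDLE_DN = build_dn(("cn", "triddle"), ("ou", "users"), ("dc", "hogwarts"), ("dc", "com"))
DIRECTORY = {
    TRIDDLE_DN: {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": "triddle",
        "sn": "Riddle",
        "givenName": "Tom",
        "displayName": "Tom Riddle",
        "mail": "Tom.Riddle@hogwarts.edu",
        "uid": "20007",
        "userPassword": hash_userpassword("secret", scheme="SHA"),
    }
}


def simple_bind(directory: dict, dn: str, password: str) -> bool:
    """Emulate the password check of an LDAP simple bind for the given DN.

    A bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513 section
    5.1.2); servers may answer success without checking anything, so a client must never
    treat it as a login. This helper rejects it outright. Lookup here is an exact string
    match; a real server applies the attribute matching rules (e.g. case-insensitive cn).
    """
    if not password:
        return False
    entry = directory.get(dn)
    if entry is None:
        return False
    return verify_userpassword(entry["userPassword"], password)


if __name__ == "__main__":
    print("DN:", TRIDDLE_DN)
    print("bind with 'secret':", simple_bind(DIRECTORY, TRIDDLE_DN, "secret"))
    print("bind with 'wrong': ", simple_bind(DIRECTORY, TRIDDLE_DN, "wrong"))
    print("bind with '':      ", simple_bind(DIRECTORY, TRIDDLE_DN, ""))
```

The empty-password rejection is the check most worth carrying into real client code: an application that forwards whatever the login form sent straight into a bind can accept an unauthenticated bind as a successful login. The DN escaping matters for the same reason in the other direction: a cn value containing a comma that is concatenated into a DN unescaped silently changes which entry the bind refers to.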
