You are here: Resources > FIDIS Deliverables > Identity of Identity > D2.3: Models > 

D2.3: Models

Directories and Business Cards (LDAP, vCards, Active Directory, Liberty Alliance schemas, PKCS, etc.)  D2.3 Models


LDAP schema


The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing directory services, which can be seen as specialised databases, e.g. over the internet. It replaces its predecessor, the Directory Access Protocol (DAP), which has not become widely accepted due to its complexity. Version v3 of the LDAP is specified in RFC3377. A main feature of the LDAP is its focus on security aspects, it provides AAA (authentication, authorisation and accounting) functionality to secure the information within directory services by supporting encryption between the client and the directory server, and by providing access control lists (ACLs) defining who may access specific directory entries or parts thereof. 

An LDAP directory contains entries in a hierarchical structure. A directory entry may refer to any kind of entity, object, or resource. Each entry is identified by a distinguished name (dn), and consists of one or more attributes, i.e. type-value pairs. A directory schema specifies a set of rules defining what may be stored in a directory, the valid attribute types etc. 

Table 1 shows an example of a LDAP directory entry representing a person. The attribute types used in the example are commonly used and therefore given as short keyword names. 

The Distinguished Name of the entry, containing in this case the person’s Common Name (cn), Organisation (o) and Country (c)  

cn=Richard Cissee,

Email address attribute. 

LocalityName attribute, typically the city. 


Table : An Exemplary LDAP Directory Entry



Presentation: application to higher education

The EDUCAUSE/Internet2 eduPerson task force has the mission of defining an LDAP object class that includes widely-used person attributes in higher education. 

In particular EDUCAUSE has defined an LDAP schema for representing the person in an educational environment. 










  1. Person 

    1. sn TDIRNAME_NAME (mandatory) 

    2. cn TDIRNAME_NAME (mandatory) 

    3. description (string) 

    4. seeAlso (string) 

    5. telephoneNumber TDIRTELE_TELEPHONE 

    6. userPassword (string) 

    7. organizationalPerson 

      1. title PRSN_WORKING_TITLE  

      2. ou TDIRORGN_ORGAN 

      3. preferredDeliveryMethod (string) 

      4. st ADDR_STATE_CD 

      5. telexNumber (string) 

      6. l unknown 

      7. telephoneNumber TDIRTELE_TELEPHONE  

      8. physicalDeliveryOfficeName (string) 

      9. postalCode ADDR_ZIP_CD 

      10. internationalISDNNumber (string) 

      11. x121Address (string) 

      12. registeredAddress TDIRADDR_ADDRESS fields from appropriate type record. 

      13. street TDIRADDR_ADDRESS  

      14. postalAddress TDIRADDR_ADDRESS 

      15. facsimileTelephoneNumber TDIRTELE_TELEPHONE  

      16. teletexTerminalIdentifier (string) 

      17. postOfficeBox ADDR_…  

      18. destinationIndicator (string) 

      19. inetOrgPerson 

        1. userCertificate DGCR_DIGITAL_CR from appropriate type  

        2. uid TDIRIDEN_IDENTFIER 

        3. homePostalAddress TDIRADDR_ADDRESS 

        4. employeeType unknown 

        5. preferredLanguage PRSN_PREF_LANG 


        7. homePhone TDIRTELE_TELEPHONE 

        8. roomNumber (string) 

        9. x500UniqueIdentifier TDIRDGCR_DIGITALCR 

        10. employeeNumber PRSN_UFID 

        11. photo (string) 

        12. businessCategory (string) 

        13. pager TDIRTELE_TELEPHONE 

        14. o ORGN_DISPLAY_NM 

        15. jpegPhoto (string) 

        16. secretary unknown 

        17. audio (string) 

        18. userPKCS12 DGCR_DIGITAL_CR from appropriate type  

        19. displayName ORGN_DISPLAY_NM/PRSN_DISPLAY_NM  

        20. mobile TDIRTELE_TELEPHONE 

        21. labeledURI unknown 

        22. carLicense (string) 

        23. givenName TDIRNAME_NAME 

        24. manager (string) 

        25. userSMIMECertificate DGCR_DIGITAL_CR from appropriate type 

        26. initials TDIRNAME_NAME inetOrgPerson  

        27. departmentNumber ORGN_UFID 

        28. eduPerson 

          1. eduPersonOrgUnitDN relationships  

          2. eduPersonOrgDN relationships 

          3. eduPersonPrincipalName CMAC_USERID of GatorLink type, + @UFL.EDU 

          4. eduPersonNickname TDIRNAME_NAME 

          5. eduPersonAffiliation relationships 

          6. eduPersonPrimaryAffiliation PRSN_PRI_AFF_TYPE 

    8. residentialPerson 

      1. l (string) (mandatory) 

      2. preferredDeliveryMethod NONE 

      3. st ADDR_STATE_CD 

      4. businessCategory (string) 

      5. telexNumber (string) 

      6. telephoneNumber TDIRTELE_TELEPHONE 

      7. physicalDeliveryOfficeName (string) 

      8. postalCode ADDR_ZIP_CD 

      9. internationalISDNNumber (string) 

      10. x121Address (string) 

      11. registeredAddress TDIRADDR_ADDRESS fields from appropriate type record. 

      12. street TDIRADDR_ADDRESS  

      13. postalAddress TDIRADDR_ADDRESS 

      14. facsimileTelephoneNumber TDIRTELE_TELEPHONE 

      15. teletexTerminalIdentifier (string) 

      16. postOfficeBox ADDR_… residentialPerson  

      17. destinationIndicator (string) 



Example 1: An simple LDAP file with two entries 


version: 1 

dn: cn=Barbara Jensen, ou=Product Development, dc=airius, dc=com 

objectclass: top 

objectclass: person 

objectclass: organizationalPerson 

cn: Barbara Jensen 

cn: Barbara J Jensen 

cn: Babs Jensen 

sn: Jensen 

uid: bjensen 

telephonenumber: +1 408 555 1212 

description: A big sailing fan. 


dn: cn=Bjorn Jensen, ou=Accounting, dc=airius, dc=com 

objectclass: top 

objectclass: person 

objectclass: organizationalPerson 

cn: Bjorn Jensen 

sn: Jensen 

telephonenumber: +1 408 555 1212 



RFC 2849 - The LDAP Data Interchange Format (LDIF) - Technical Specification, June 2000



Directories and Business Cards (LDAP, vCards, Active Directory, Liberty Alliance schemas, PKCS, etc.)  fidis-wp2-del2.3.models_04.sxw  vCards
32 / 53