D2.3: Models
Presentation
The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing directory services, which can be seen as specialised databases, e.g. over the Internet. It replaces its predecessor, the Directory Access Protocol (DAP), which never became widely accepted because of its complexity. Version 3 of LDAP is specified in RFC 3377. A main feature of LDAP is its focus on security: it provides AAA (authentication, authorisation and accounting) functionality to protect the information held in directory services, both by supporting encryption between the client and the directory server and by providing access control lists (ACLs) that define who may access specific directory entries or parts thereof.
An LDAP directory contains entries in a hierarchical structure. A directory entry may refer to any kind of entity, object, or resource. Each entry is identified by a distinguished name (dn), and consists of one or more attributes, i.e. type-value pairs. A directory schema specifies a set of rules defining what may be stored in a directory, the valid attribute types etc.
Table 1 shows an example of an LDAP directory entry representing a person. The attribute types used in the example are commonly used and are therefore given as short keyword names.

| Description | Attribute |
|---|---|
| The Distinguished Name of the entry, containing in this case the person's Common Name (cn), Organisation (o) and Country (c) | cn=Richard Cissee, |
| Email address attribute | mail=richard.cissee@dai-labor.de |
| LocalityName attribute, typically the city | l=Berlin |

Table 1: An Exemplary LDAP Directory Entry
Presentation: application to higher education
The EDUCAUSE/Internet2 eduPerson task force has the mission of defining an LDAP object class that includes widely-used person attributes in higher education.
In particular EDUCAUSE has defined an LDAP schema for representing the person in an educational environment.
| Object class | Attribute | Mapped data element / type |
|---|---|---|
| top | | |
| Person | sn | TDIRNAME_NAME (mandatory) |
| Person | cn | TDIRNAME_NAME (mandatory) |
| Person | description | (string) |
| Person | seeAlso | (string) |
| Person | telephoneNumber | TDIRTELE_TELEPHONE |
| Person | userPassword | (string) |
| organizationalPerson | title | PRSN_WORKING_TITLE |
| organizationalPerson | ou | TDIRORGN_ORGAN |
| organizationalPerson | preferredDeliveryMethod | (string) |
| organizationalPerson | st | ADDR_STATE_CD |
| organizationalPerson | telexNumber | (string) |
| organizationalPerson | l | unknown |
| organizationalPerson | telephoneNumber | TDIRTELE_TELEPHONE |
| organizationalPerson | physicalDeliveryOfficeName | (string) |
| organizationalPerson | postalCode | ADDR_ZIP_CD |
| organizationalPerson | internationalISDNNumber | (string) |
| organizationalPerson | x121Address | (string) |
| organizationalPerson | registeredAddress | TDIRADDR_ADDRESS fields from appropriate type record |
| organizationalPerson | street | TDIRADDR_ADDRESS |
| organizationalPerson | postalAddress | TDIRADDR_ADDRESS |
| organizationalPerson | facsimileTelephoneNumber | TDIRTELE_TELEPHONE |
| organizationalPerson | teletexTerminalIdentifier | (string) |
| organizationalPerson | postOfficeBox | ADDR_… |
| organizationalPerson | destinationIndicator | (string) |
| inetOrgPerson | userCertificate | DGCR_DIGITAL_CR from appropriate type |
| inetOrgPerson | uid | TDIRIDEN_IDENTFIER |
| inetOrgPerson | homePostalAddress | TDIRADDR_ADDRESS |
| inetOrgPerson | employeeType | unknown |
| inetOrgPerson | preferredLanguage | PRSN_PREF_LANG |
| inetOrgPerson | mail | PRSN_UF_EMAIL_AD/ORGN_UF_EMAIL_AD |
| inetOrgPerson | homePhone | TDIRTELE_TELEPHONE |
| inetOrgPerson | roomNumber | (string) |
| inetOrgPerson | x500UniqueIdentifier | TDIRDGCR_DIGITALCR |
| inetOrgPerson | employeeNumber | PRSN_UFID |
| inetOrgPerson | photo | (string) |
| inetOrgPerson | businessCategory | (string) |
| inetOrgPerson | pager | TDIRTELE_TELEPHONE |
| inetOrgPerson | o | ORGN_DISPLAY_NM |
| inetOrgPerson | jpegPhoto | (string) |
| inetOrgPerson | secretary | unknown |
| inetOrgPerson | audio | (string) |
| inetOrgPerson | userPKCS12 | DGCR_DIGITAL_CR from appropriate type |
| inetOrgPerson | displayName | ORGN_DISPLAY_NM/PRSN_DISPLAY_NM |
| inetOrgPerson | mobile | TDIRTELE_TELEPHONE |
| inetOrgPerson | labeledURI | unknown |
| inetOrgPerson | carLicense | (string) |
| inetOrgPerson | givenName | TDIRNAME_NAME |
| inetOrgPerson | manager | (string) |
| inetOrgPerson | userSMIMECertificate | DGCR_DIGITAL_CR from appropriate type |
| inetOrgPerson | initials | TDIRNAME_NAME |
| inetOrgPerson | departmentNumber | ORGN_UFID |
| eduPerson | eduPersonOrgUnitDN | relationships |
| eduPerson | eduPersonOrgDN | relationships |
| eduPerson | eduPersonPrincipalName | CMAC_USERID of GatorLink type, + @UFL.EDU |
| eduPerson | eduPersonNickname | TDIRNAME_NAME |
| eduPerson | eduPersonAffiliation | relationships |
| eduPerson | eduPersonPrimaryAffiliation | PRSN_PRI_AFF_TYPE |
| residentialPerson | l | (string) (mandatory) |
| residentialPerson | preferredDeliveryMethod | NONE |
| residentialPerson | st | ADDR_STATE_CD |
| residentialPerson | businessCategory | (string) |
| residentialPerson | telexNumber | (string) |
| residentialPerson | telephoneNumber | TDIRTELE_TELEPHONE |
| residentialPerson | physicalDeliveryOfficeName | (string) |
| residentialPerson | postalCode | ADDR_ZIP_CD |
| residentialPerson | internationalISDNNumber | (string) |
| residentialPerson | x121Address | (string) |
| residentialPerson | registeredAddress | TDIRADDR_ADDRESS fields from appropriate type record |
| residentialPerson | street | TDIRADDR_ADDRESS |
| residentialPerson | postalAddress | TDIRADDR_ADDRESS |
| residentialPerson | facsimileTelephoneNumber | TDIRTELE_TELEPHONE |
| residentialPerson | teletexTerminalIdentifier | (string) |
| residentialPerson | postOfficeBox | ADDR_… |
| residentialPerson | destinationIndicator | (string) |
Example 1: A simple LDAP data file (LDIF) with two entries

```ldif
version: 1
dn: cn=Barbara Jensen, ou=Product Development, dc=airius, dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Barbara Jensen
cn: Barbara J Jensen
cn: Babs Jensen
sn: Jensen
uid: bjensen
telephonenumber: +1 408 555 1212
description: A big sailing fan.

dn: cn=Bjorn Jensen, ou=Accounting, dc=airius, dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Bjorn Jensen
sn: Jensen
telephonenumber: +1 408 555 1212
```
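As an added Python example (not part of the deliverable), the following parses LDIF records of the kind shown in Example 1, handling the RFC 2849 line-folding and base64 (`::`) value syntax, and then checks each entry for the attributes the schema table above marks mandatory. The sample input is constructed from Example 1, with the second entry's `sn` deliberately removed so the schema check has something to report.

```python
import base64

# Constructed input: Example 1 above, with a folded continuation line, a
# base64 value ("::") and the second entry's mandatory sn deliberately removed.
SAMPLE_LDIF = """version: 1
dn: cn=Barbara Jensen, ou=Product Development, dc=airius, dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Barbara Jensen
cn: Barbara J Jensen
cn: Babs Jensen
sn: Jensen
telephonenumber: +1 408 555 1212
description: A big sailing
  fan.

dn: cn=Bjorn Jensen, ou=Accounting, dc=airius, dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn:: Qmpvcm4gSmVuc2Vu
telephonenumber: +1 408 555 1212
"""

# Mandatory attributes per object class, as marked in the schema table above.
MANDATORY = {"person": {"sn", "cn"}, "residentialperson": {"l"}}

def parse_ldif(text):
    """Return [(dn, attrs)]; attrs maps lowercased type -> list of values."""
    entries, current = [], {}
    # Unfold continuation lines (newline + one space) before splitting records.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:                           # blank line ends a record
            if "dn" in current:
                entries.append((current.pop("dn")[0], current))
            current = {}
        elif not line.startswith(("#", "version:")):
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "type:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def missing_mandatory(attrs):
    """Mandatory attributes the entry lacks for the object classes it claims."""
    required = set()
    for oc in attrs.get("objectclass", []):
        required |= MANDATORY.get(oc.lower(), set())
    return sorted(required - set(attrs))
```

Attributes are kept as lists because LDAP attributes are multi-valued, as the three `cn` values of the first entry show.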
References
RFC 2849, The LDAP Data Interchange Format (LDIF) - Technical Specification, June 2000. http://www.faqs.org/rfcs/rfc2849.html