I need to learn to use LDAP for an upcoming project, so I will start to keep some notes here. A lot of this post will be copied and pasted from Wikipedia and other sources.
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA).
The default port is TCP port 389. The client sends an operation request to the server and the server responds. The client can send further requests before the responses arrive; however, the server may send its responses in any order.
Protocol Overview:
- StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
- Bind — authenticate and specify LDAP protocol version
- Search — search for and/or retrieve directory entries
- Compare — test if a named entry contains a given attribute value
- Add a new entry
- Delete an entry
- Modify an entry
- Modify Distinguished Name (DN) — move or rename an entry
- Abandon — abort a previous request
- Extended Operation — generic operation used to define other operations
- Unbind — close the connection (not the inverse of Bind)
Directory Structure
- An entry in the Directory can contain a set of attributes
- An attribute has a name and possibly multiple values — the attributes are defined in a schema
- Each entry has a unique identifier: its Distinguished Name (DN). This consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry’s DN. Think of the DN as the full file path and the RDN as its relative filename in its parent folder (e.g. if /foo/bar/myfile.txt were the DN, then myfile.txt would be the RDN).
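The file-path analogy above can be made concrete with a small DN parser. This is an added example, not code from the original post; it follows the RFC 4514 string form (RDNs separated by ",", multi-valued RDNs joined with "+", special characters escaped as "\," or as two hex digits such as "\2c"), and the sample DNs are constructed for illustration.

```python
"""Split an LDAP Distinguished Name into its RDNs (RFC 4514 string form).

Added example, not from the original post. Shows the DN/RDN relationship:
the first RDN is the entry's own name, the rest is the parent's DN.
"""
from __future__ import annotations

HEX_DIGITS = "0123456789abcdefABCDEF"


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, leaving separators that are escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])   # keep the escape for the value decoder
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Decode RFC 4514 escapes: '\\X' is a literal X, '\\HH' is a raw byte."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if i + 2 < len(value) and nxt in HEX_DIGITS and value[i + 2] in HEX_DIGITS:
                out.append(int(value[i + 1:i + 3], 16))
                i += 3
            else:
                out += nxt.encode("utf-8")
                i += 2
        else:
            out += ch.encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Return the DN as a list of RDNs, leaf first.

    Each RDN is a list of (attribute type, decoded value) pairs; attribute
    types are case-insensitive in LDAP, so they are lower-cased here.
    """
    if dn == "":
        return []   # the empty DN is valid (root DSE, anonymous bind)
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, _, raw = ava.partition("=")
            avas.append((attr.strip().lower(), _unescape(raw.lstrip())))
        rdns.append(avas)
    return rdns


def rdn_and_parent(dn: str) -> tuple[str, str]:
    """Split a DN into (RDN, parent DN), like basename and dirname of a path."""
    parts = _split_unescaped(dn, ",")
    return parts[0], ",".join(parts[1:])


if __name__ == "__main__":
    # Constructed sample DN with an escaped comma and a multi-valued RDN.
    sample = r"cn=Doe\, John+uid=jdoe,ou=People,dc=example,dc=com"
    print(rdn_and_parent(sample))
    print(parse_dn(sample))
```

Note that a naive `dn.split(",")` would break the escaped comma in "Doe\, John" into two RDNs, which is exactly the kind of mismatch that leads to an entry being looked up under the wrong parent.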
Operations
The operation I am most interested in currently is
Bind (authenticate)
The Bind operation establishes the authentication state for a connection.
Simple Bind can send the user's DN and password in plaintext, so the connection should be protected using Transport Layer Security (TLS). The server typically checks the password against the userPassword attribute in the named entry.
Anonymous Bind (with empty DN and password) resets the connection to anonymous state.
SASL (Simple Authentication and Security Layer) Bind provides authentication services through a wide range of mechanisms, e.g. Kerberos or the client certificate sent with TLS.
Bind also sets the LDAP protocol version. The version is an integer and at present must be either 2 (two) or 3 (three), although the standard supports integers between 1 and 127 (inclusive) in the protocol. If the client requests a version that the server does not support, the server must set the result code in the bind response to the code for a protocol error. Normally clients should use LDAPv3, which is the default in the protocol but not always in LDAP libraries.
Bind had to be the first operation in a session in LDAPv2, but is not required in LDAPv3 (the current LDAP version).
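To see why Simple Bind needs TLS, it helps to look at the actual bytes on the wire. The following is an added example, not code from the original post: it encodes and decodes the LDAPv3 BindRequest message defined in RFC 4511 using ASN.1 BER, so the DN and password can be seen sitting in the message as plain octets. The DN, password and message ID values are constructed for illustration; the version range check reflects the 1..127 limit described above.

```python
"""Encode and decode an LDAP BindRequest (RFC 4511) with hand-rolled BER.

Added example, not from the original post. Only the Simple Bind choice is
handled; the SASL choice would carry a mechanism name instead of a password.
"""
from __future__ import annotations

# BER tags used by LDAPMessage / BindRequest.
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0], primitive


def _length(n: int) -> bytes:
    """BER definite length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER, as BER requires."""
    size = max(1, (n.bit_length() + 8) // 8)
    return _tlv(TAG_INTEGER, n.to_bytes(size, "big", signed=True))


def encode_simple_bind(message_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """Build the LDAPMessage a client sends for a Simple Bind.

    An empty dn and password produce an anonymous bind. The protocol allows
    versions 1..127, although servers accept only 2 or 3 in practice.
    """
    if not 1 <= version <= 127:
        raise ValueError("LDAP protocol version must be in 1..127")
    bind_request = _tlv(
        TAG_BIND_REQUEST,
        _integer(version)
        + _tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
        + _tlv(TAG_AUTH_SIMPLE, password.encode("utf-8")),
    )
    return _tlv(TAG_SEQUENCE, _integer(message_id) + bind_request)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(msg: bytes) -> dict:
    """Parse a Simple Bind message back into its fields."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, cred, _ = _read_tlv(op, pos)
    if tag != TAG_AUTH_SIMPLE:
        raise ValueError("not a Simple Bind (SASL choice present)")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "dn": name.decode("utf-8"),
        "password": cred.decode("utf-8"),
    }


if __name__ == "__main__":
    # Constructed sample values; the password is visible in the hex dump,
    # which is the reason Simple Bind belongs inside TLS (StartTLS or LDAPS).
    msg = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "secret")
    print(msg.hex())
    print(decode_simple_bind(msg))
```

The decoder is the same logic a server (or a network capture tool) uses, which is the point: anyone who can read the TCP stream on port 389 can recover the credentials from an unprotected Simple Bind, so either wrap the session with StartTLS first or connect over LDAPS.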
[wiki link]
Other links for my reading on this:
OpenLDAP
LDAP tutorial
PHP LDAP FUNCTIONS