The LDAP Standard Specification
Summary: In June 2006, 10 new LDAP RFCs were published (RFCs 4510-4519) to provide a new LDAPv3 (Lightweight Directory Access Protocol version 3) specification and to replace RFC 2251 and a number of related specifications. The primary goal of this document is to guide those with some basic knowledge of LDAP quickly through all of these documents. This document also seeks to address a number of secondary goals:
Isode's M-Vault product supports the RFC 4510 series LDAP specifications, and the underlying standards on which they rely.
The Core LDAP Standards
|RFC||Title||Summary|
|4510 (LDAPv3)||Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map||This document lists the ten RFCs that comprise LDAP and LDAPv3 (either term may be used). It also defines the formal relationship to X.500: LDAP requires conformance to the X.500 model and information framework, but is not required to support the X.500 protocols.|
|4511 (LDAP)||Lightweight Directory Access Protocol (LDAP): The Protocol||This defines the core LDAP protocol, which provides a subset of the X.500 Directory Abstract Service.|
|4512||Lightweight Directory Access Protocol (LDAP): Directory Information Models||This document summarizes the X.500 information model and sets out how it is used by LDAP. It also sets out how to specify LDAP schema, and the core schema needed by LDAP servers.|
|4513 (LDAP)||Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms||Specifies LDAP authentication, using SASL (a general framework for multiple authentication methods), and data confidentiality using TLS and the STARTTLS operation.|
|4514 (LDAP3-UTF8)||Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names||Specifies the widely used format for LDAP DNs (Distinguished Names) of the style:|
|4515 (STR-LDAP)||Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters||Specifies the text filters used in LDAP searches, which are of the form:|
|4516 (LDAP-URL)||Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator||A mechanism for LDAP servers and clients to reference LDAP servers and objects in the style:|
|4517 (LDAP3-ATD)||Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules||LDAP attributes may represent a wide range of information, but are encoded as strings. This document specifies how different information types are represented as strings, how this relates to the X.500 definitions and, in some cases, how the directory matches data.|
|4518||Lightweight Directory Access Protocol (LDAP): Internationalized String Preparation||This defines how LDAP servers should match strings. This is a new specification, as the older specification was imprecise and led to interoperability problems.|
|4519||Lightweight Directory Access Protocol (LDAP): Schema for User Applications||This defines core LDAP schema (object classes and attribute types) such as ‘organization’ and ‘person’. These are mostly equivalent to X.500 schema, with a few extensions such as Domain Component (DC).|
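The two string formats referenced in the RFC 4514 and RFC 4515 rows above are the ones where directory-backed applications most often go wrong: an attribute value copied into a DN or a search filter without escaping can change the meaning of the DN or filter. The following is an added Python example, not code from this whitepaper or from Isode's products, implementing the escaping rules of RFC 4514 section 2.4 and RFC 4515 section 3 so that values are always treated as data. All function and constant names are this example's own.

```python
# Added example (not from the Isode whitepaper): escaping helpers for the two
# string formats above, RFC 4514 (DN strings) and RFC 4515 (search filters).
# All names are this example's own.
import re

# RFC 4515 section 3: these must be escaped as \xx inside an assertion value.
_FILTER_SPECIAL = {"*", "(", ")", "\\", "\x00"}

# RFC 4514 section 2.4: these need a backslash anywhere in an attribute value.
_DN_SPECIAL = '"+,;<>\\'

# RFC 4512 attributedescription: a descriptor or numeric OID, with optional
# ";option" suffixes. Used to refuse attribute names that carry filter syntax.
_ATTR_DESC = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for embedding in an RFC 4515 filter.

    Non-ASCII characters become the \\xx form of each UTF-8 byte, which the
    RFC permits, so the output is always ASCII and cannot alter filter syntax.
    """
    out = []
    for ch in value:
        if ch in _FILTER_SPECIAL or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def equality_filter(attribute: str, value: str) -> str:
    """Build (attribute=value), treating value as opaque data, not filter syntax."""
    if not _ATTR_DESC.match(attribute):
        raise ValueError("attribute must be a plain descriptor or numeric OID")
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for embedding in an RFC 4514 DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                 # NUL is always hex-escaped
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)              # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*rdns: tuple) -> str:
    """Join (attribute, value) pairs into a DN string, most specific RDN first."""
    return ",".join("%s=%s" % (attr, escape_dn_value(val)) for attr, val in rdns)


if __name__ == "__main__":
    # Constructed sample values containing every character class that matters.
    print(equality_filter("cn", "Smith (Sales)*"))
    print(build_dn(("cn", "Smith, John"), ("dc", "example"), ("dc", "com")))
```

The filter escaper is deliberately strict about the attribute name as well as the value: both halves of an assertion come from the caller, and an attribute description is the only place where unescaped parentheses or asterisks could otherwise slip through.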
The following RFCs are standards-track RFCs on which LDAP relies:
|RFC (status)||Title||Summary|
|3454 (STRINGPREP), Proposed Std||Preparation of Internationalized Strings||This is a general-purpose specification for handling strings to support matching, on which RFC 4518 is based.|
|3629 (UTF-8), Std||UTF-8, a transformation format of ISO 10646||A representation of the ISO 10646 and Unicode character sets that is compatible with the US ASCII encoding.|
|3968 (URI), Std||Uniform Resource Identifier (URI): Generic Syntax||The URI format on which RFC 4516 is based.|
|4013, Proposed Std||SASLprep: Stringprep Profile for User Names and Passwords||This defines how STRINGPREP is used by SASL.|
|4234 (ABNF), Proposed Std||Augmented BNF for Syntax Specifications: ABNF||This specifies the notation used to describe structured strings, used for some parts of LDAP.|
|4346 (TLS), Std||The TLS Protocol Version 1.1||This defines Transport Layer Security, which is optionally used for data confidentiality with LDAP.|
|4422 (SASL), Proposed Std||Simple Authentication and Security Layer (SASL)||SASL provides a general-purpose authentication framework, which is used by LDAP.|
The following table lists a set of standards on which LDAP relies. Isode supports these standards as required by LDAP, and also in their own right as part of Isode’s full X.500 implementation:
|Standard||Reference||Summary|
|X.500||International Telecommunication Union - Telecommunication Standardization Sector, "The Directory -- Overview of concepts, models and services", X.500(1993) (also ISO/IEC 9594-1:1994).||X.500 defines the directory specification on which LDAP is based.|
|X.501||International Telecommunication Union - Telecommunication Standardization Sector, "The Directory -- Models", X.501(1993) (also ISO/IEC 9594-2:1994).||X.501 defines the information models used in X.500, some of which are used by LDAP.|
|X.511||International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Abstract Service Definition", X.511(1993) (also ISO/IEC 9594-3:1993).||X.511 defines the external services provided by an X.500 directory. LDAP provides a subset of these services.|
|ASN.1||ITU-T Recommendation X.680 (07/2002) | ISO/IEC 8824-1:2002, "Information Technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation".||ASN.1 is the abstract notation used by both X.500 and LDAP.|
|BER||ITU-T Rec. X.690 (07/2002) | ISO/IEC 8825-1:2002, "Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", 2002.||BER is the format used by LDAP to represent ASN.1 data.|
|Unicode||The Unicode Consortium, "The Unicode Standard, Version 3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the "Unicode Standard Annex #27: Unicode 3.1" (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/).||A comprehensive definition of characters. It replaces the previously referenced ISO 10646, which is a subset of Unicode.|
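The RFC 4511, ASN.1 and BER rows describe the three layers that put an LDAP operation on the wire: the abstract ASN.1 definition of LDAPMessage, and BER as its byte encoding. The following is an added Python example, not code from this whitepaper or from M-Vault, that BER-encodes the LDAPMessage for a version 3 simple Bind request and reads it back element by element, enforcing the definite-length restriction that RFC 4511 section 5.1 places on BER so that malformed input fails rather than being guessed at. The tag values are those from X.690 and RFC 4511 section 4; all function and constant names are this example's own.

```python
# Added example (not from the Isode whitepaper or M-Vault): a minimal X.690
# BER encoder/decoder for the RFC 4511 LDAPMessage carrying a simple Bind
# request. All names are this example's own.

# Tags: universal types from X.690, LDAP-specific tags from RFC 4511 section 4.
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30        # universal 16, constructed
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed (BindRequest)
TAG_SIMPLE_AUTH = 0x80     # [0] OCTET STRING, primitive (AuthenticationChoice.simple)
LDAP_VERSION = 3


def ber_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER with minimal two's-complement content (X.690 8.3). LDAP message IDs
    and version numbers are non-negative, so a leading 0x00 is added only when the
    top bit would otherwise be read as a sign bit."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    return ber_tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def bind_request(message_id: int, name: str = "", password: bytes = b"") -> bytes:
    """LDAPMessage { messageID, bindRequest { version, name, simple } } per RFC 4511 4.2.
    An empty name and password give the anonymous bind."""
    bind = ber_tlv(TAG_BIND_REQUEST,
                   ber_integer(LDAP_VERSION)
                   + ber_tlv(TAG_OCTET_STRING, name.encode("utf-8"))
                   + ber_tlv(TAG_SIMPLE_AUTH, password))
    return ber_tlv(TAG_SEQUENCE, ber_integer(message_id) + bind)


def ber_read(buf: bytes, offset: int = 0):
    """Read one element at offset; return (tag, content, offset after it).
    Rejects truncated data and the indefinite length form, which RFC 4511
    section 5.1 forbids for LDAP, so a malformed message fails loudly."""
    if offset + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[offset], buf[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not permitted in LDAP")
    else:
        count = first & 0x7F
        if pos + count > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element content")
    return tag, buf[pos:end], end


def parse_bind_request(msg: bytes) -> dict:
    """Decode an LDAPMessage produced by bind_request() back into its fields."""
    tag, body, end = ber_read(msg)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = ber_read(body)
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be INTEGER")
    tag, op, pos = ber_read(body, pos)
    if tag != TAG_BIND_REQUEST or pos != len(body):
        raise ValueError("expected exactly one BindRequest protocolOp")
    _, version, p = ber_read(op)
    _, name, p = ber_read(op, p)
    auth_tag, cred, p = ber_read(op, p)
    if auth_tag != TAG_SIMPLE_AUTH:
        raise ValueError("only simple authentication is handled in this example")
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode("utf-8"),
            "password": cred}


if __name__ == "__main__":
    anonymous = bind_request(1)          # constructed sample: anonymous bind
    print(anonymous.hex())               # 300c020101600702010304008000
    print(parse_bind_request(anonymous))
```

The decoder checks that every length lies inside the buffer before slicing and that the outer SEQUENCE accounts for the whole message, which is the property a server or a traffic parser needs before it trusts any field of an LDAPMessage.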
Older and Obsolete Specifications
The new LDAP specifications cause a number of older and widely referenced RFCs to become obsolete.
The following RFCs are now obsoleted by the 4510 LDAP specifications: RFC 2251; RFC 2252; RFC 2253; RFC 2254; RFC 2255; RFC 2256; RFC 2829; RFC 2830; RFC 3377; RFC 3674; RFC 3771.
LDAP was originally published as LDAPv2. LDAPv1 was never officially published. In March 2003, LDAPv2 was officially moved to historical status. The rationale for this status change was set out in RFC 3494. RFC 3494 declared the older LDAP documents were all obsolete. These are: RFC 1484; RFC 1485; RFC 1487; RFC 1777; RFC 1778; RFC 1779; RFC 1781; RFC 2559.