database: Could someone please explain LDAP?
Note: this page is a Chinese-English side-by-side translation of a popular StackOverFlow question, licensed under CC BY-SA 4.0. If you reuse it you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original: http://stackoverflow.com/questions/837876/
Could someone please explain LDAP?
Asked by Cuga
I often hear things like "Can we load our employee info using LDAP?" Yet, the title "Lightweight Directory Access Protocol" makes me think of it as a protocol rather than a physical database management system like Oracle or MSSQL.
So could someone please explain to me what LDAP is, how it's used, and how it basically works? Is LDAP simply a standard protocol for extracting data from a variety of DBMSs? In an architecture diagram, would LDAP be simply an arrow drawn between the DB and the application server?
Accepted answer by Serapth
LDAP is a protocol for querying user directories. For example, Active Directory or Novell eDirectory both support LDAP. It is also, to a degree, a syntax for doing such queries, like how SQL is a querying language for querying databases.
An LDAP command could look like
(givenName=Mike)
And it would return all Mikes in the directory.
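An added example (not part of the answer above) that builds the `(givenName=Mike)` filter the way a client should: the value is escaped per RFC 4515, so a name typed into a form cannot open or close a filter and change the shape of the query. `givenName` is the attribute from the answer; every other value is constructed.

```python
import re

# An attribute description is a name such as givenName or a numeric OID (RFC 4512).
# Options like ";binary" are not accepted here, which is a simplifying assumption.
_ATTR = re.compile(r'^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)$')

def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3: ( ) * \\ and NUL become \\XX."""
    return ''.join('\\%02x' % ord(ch) if ch in '()*\\\x00' else ch for ch in value)

def _check_attribute(attribute: str) -> str:
    if not _ATTR.match(attribute):
        raise ValueError(f'invalid attribute description: {attribute!r}')
    return attribute

def equality_filter(attribute: str, value: str) -> str:
    """(attribute=value), e.g. (givenName=Mike); the value can never close or open a filter."""
    return f'({_check_attribute(attribute)}={escape_filter_value(value)})'

def prefix_filter(attribute: str, prefix: str) -> str:
    """(attribute=prefix*): the trailing * is the deliberate wildcard; any * in prefix is escaped."""
    return f'({_check_attribute(attribute)}={escape_filter_value(prefix)}*)'

def and_filter(*filters: str) -> str:
    return '(&' + ''.join(filters) + ')'

def or_filter(*filters: str) -> str:
    return '(|' + ''.join(filters) + ')'

def not_filter(filter_: str) -> str:
    return '(!' + filter_ + ')'

if __name__ == '__main__':
    # Every Mike, as in the answer, restricted to person entries; the second
    # call shows what a value containing filter metacharacters turns into.
    print(and_filter(equality_filter('objectClass', 'person'), equality_filter('givenName', 'Mike')))
    print(equality_filter('givenName', 'Mike)(objectClass=*'))
```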
Answer by raspi
LDAP is usually used as an authentication database. Let's say you have a CMS product you sell as Software-as-a-Service. So the user gets the CMS and you maintain it, etc.
So, you install it to examplecustomer1.com, examplecustomer2.org, examplecustomer3.net (one software per domain). Now you have THREE user databases to maintain. So you add yourself to all systems as admin, and the customers' accounts as well.
Then you discover LDAP. You add LDAP support to your product and now you have one central database of users. You can log in as admin to all systems with your own ONE username and password. The CMS system still contains the user database and rights for each user, but the username is now used as a reference to the LDAP database and the password field is deleted from the CMS database schema.
Answer by wire science
Yes, LDAP (Lightweight Directory Access Protocol) is a protocol that runs on TCP/IP.
It is used to access directory services, like Microsoft's Active Directory, or Sun ONE Directory Server.
A directory service is a kind of database or data store, but not necessarily a relational database. The structure is usually much simpler, storing hierarchical collections of name-value pairs, e.g. lastName=Smith, firstName=John.
Answer by Alan McBee - MSFT
LDAP IS a protocol, but many people I know like to overload its meaning to include "any store capable of responding to LDAP queries." Active Directory is such a store, and there are many others. It is used when architects don't really care what the store is. It's used in the same way as if you were to say "Store it in the SQL" when you don't care whether it's MySql or Oracle or SQL Server.
Answer by Toumi
LDAP stands for Lightweight Directory Access Protocol. This is an extensible open network protocol standard that provides access to distributed directory services. LDAP is an Internet standard for directory services that run on TCP/IP. Under OpenLDAP and related servers, there are two servers – slapd, the LDAP daemon where the queries are sent to and slurpd, the replication daemon where data from one server is pushed to one or more slave servers. By having multiple servers hosting the same data, you can increase reliability, scalability, and availability.
It defines the operations one may perform, like search, add, delete, modify and change name. It defines how operations and data are conveyed.
LDAP has the potential to consolidate all the existing application-specific information like user, company phone and e-mail lists. This means that a change made on an LDAP server will take effect on every directory-service-based application that uses this piece of user information. The variety of information about a new user can be added through a single interface, which will be made available to the Unix account, NT account, e-mail server, Web Server, job-specific news groups etc. When the user leaves, his account can be disabled for all the services in a single operation.
So LDAP is most useful to provide "white pages" (e.g. names, phone numbers, roles etc.) and "yellow pages" (e.g. location of printers, application servers etc.) like services. Typically in a J2EE application environment it will be used to authenticate and authorise users.
Answer by Kenneth Cochran
LDAP is a protocol created in response to the complexity of the X.500 family of protocols. It is intended to represent a hierarchical directory structure. The X.500 standard was originally intended to be used over a complete OSI layer stack and was created to fulfill the requirements of the telecom industry. LDAP was designed to use TCP/IP to provide similar functionality without the extra overhead. You can find information on X.500, OSI and LDAP on wikipedia. X.500 and OSI are both covered in most data communications textbooks as well.
Answer by LivCool
What is LDAP:
All LDAP is a communication protocol which Microsoft implemented for the Active Directory directory service and is used for other NTDS.DIT files. Let's get the confusion out of the way. NTDS.DIT contains the Active Directory database. To ACCESS the database you need the communication protocol LDAP. That's it. So again, NTDS.DIT is a simple database, i.e. the ADDS Database (Active Directory Directory Services). How do we access it?
We access it using LDAP.
Let's use a quick LDAP example.
C:/users/data.doc
or
LDAP Syntax
CN=Bob,OU=Users,DC=Youtube,DC=Com
CN = Canonical Name (object or name)
OU = Organizational Unit (Folder in Active directory)
DC = Domain Controller (Where it is)
Other info: Active Directory is a database based on the X.500 standard which contains all the AD objects, which is the NTDS.DIT file.
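The DN syntax in this answer, parsed into its RDNs and built back with RFC 4514 escaping, as an added example that is not part of the original answer. It goes a little beyond the single DN shown above by handling escaped separators, hex escapes and multi-valued RDNs; the extra DNs are constructed.

```python
import re
_TYPE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)$')   # attribute type name or OID
_SPECIAL = set('",+;<>\\=')                                          # always escaped inside a value

def _unescape(raw: str) -> str:
    """Resolve RFC 4514 escapes: \\c for a special character, \\XX for one UTF-8 byte."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != '\\':
            out += raw[i].encode('utf-8'); i += 1
        elif re.fullmatch(r'[0-9A-Fa-f]{2}', raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16)); i += 3
        elif i + 1 < len(raw):
            out += raw[i + 1].encode('utf-8'); i += 2
        else:
            raise ValueError('dangling backslash in DN')
    return out.decode('utf-8')

def parse_dn(dn: str):
    """Split a DN into RDNs, leftmost (leaf) first; each RDN is a list of (type, value) pairs."""
    if dn == '': return []                        # the empty DN names the root of the tree
    rdns, rdn, buf, i = [], [], [], 0
    while True:
        ch = dn[i] if i < len(dn) else ','        # sentinel closes the final RDN
        if ch == '\\':
            buf.append(dn[i:i + 2]); i += 2       # keep escape pairs whole for _unescape
        elif ch in ',+':                          # ',' starts the next RDN, '+' another value of this one
            attr_type, _, raw_value = ''.join(buf).partition('=')
            if not _TYPE.match(attr_type):
                raise ValueError(f'bad attribute type: {attr_type!r}')
            rdn.append((attr_type, _unescape(raw_value)))
            buf = []
            if ch == ',':
                rdns.append(rdn); rdn = []
            if i >= len(dn):
                return rdns
            i += 1
        else:
            buf.append(ch); i += 1

def escape_dn_value(value: str) -> str:
    """Escape a value for use in a DN (RFC 4514 2.4): specials, NUL, leading ' ' or '#', trailing ' '."""
    last = len(value) - 1
    return ''.join('\\00' if ch == '\x00' else '\\' + ch
                   if ch in _SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' ') else ch
                   for i, ch in enumerate(value))

def build_dn(rdns) -> str:
    """Inverse of parse_dn: RDNs joined with ',' and multi-valued RDNs with '+'."""
    return ','.join('+'.join(f'{t}={escape_dn_value(v)}' for t, v in rdn) for rdn in rdns)
```

The right-most RDN is the root of the tree, so the list returned by parse_dn reads from the entry up to the root.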
Answer by Shekhar Kanodia
LDAP is basically a protocol to access a directory. Directory here basically refers to a directory holding information about the users present in the organisation. Examples of directories include Microsoft's Active Directory (AD) and Oracle's Internet Directory (OID). The directories are basically used for implementing the single sign-on feature for the organisation by centralising user authentication and authorisation. For more details refer to the links below:
Answer by Jonathan Scott
Yes, LDAP itself usually requires a lower level DB store. I suggest you get your hands dirty here:
If you just install OpenLDAP & play with it... http://www.openldap.org/doc/admin22/install.html
...you will be forced to consider the dependencies.
One of which is, in this case, SleepyCat.
Have fun.
For more fun, here is a good philosophical discussion on the taxonomy: http://archive.oreilly.com/pub/post/ldap_is_not_a_database.html
Answer by Mukesh
LDAP is an internet protocol which is used to look up data from a server; this protocol is used to store as well as retrieve information from the hierarchical directory structure. LDAP also follows a hierarchical data model. In simple terms we can say it's a hierarchical database where data is stored in a tree-like structure and the leaf nodes hold the actual data.
LDAP never defines how programs function on either the client or the server, but it explains more about the type of messages that will be used to communicate between client and server. Messages can be client-requested information, server responses and the format of the data. These messages are passed over the TCP/IP protocol. So there should be some operations that establish a session connection between client and server and disconnect it after the operation completes. LDAP can be used in cases where a large number of read operations and a smaller number of write operations are required. For example, User Authentication, as we know that User Name and password do not change so frequently.
LDAP Operations Process
To start the communication, the client needs to create a session with a server. This process is called binding. To bind to the server, the client has to specify the IP address or the host name and the TCP/IP port number where the server is attending. The client can also provide credentials like username and password to ensure proper authentication with the server. Alternatively, the client can also create an anonymous session by using default access rights. Or both parties can establish a session which uses stronger security processes like data encryption. Once the session gets established, the client then performs its intended operation on directory data. In LDAP the directory information can be managed and queried as it provides read as well as update capabilities. The client closes the session when it has finished making a request. This process is called unbinding.
LDAP Models
LDAP majorly relies on Data Models like:
Information model
The directory includes the basic unit of information, which is known as an entry and represents a real-world object like servers, people and so on. Entries include a collection of attributes which define information about the object. Each attribute includes a type associated with a syntax, and one or more values. The following diagram illustrates the relationship between an entry and its attributes and their type & value:
Naming model
The naming model of LDAP denotes how entries are recognized and organized. In LDAP the entries are organized in a hierarchical or tree-like structure called the DIT (Directory Information Tree). The entries are ordered within the DIT according to their DN (Distinguishable Name), a unique name which clearly identifies a single entry.
Functional Model
LDAP defines operations requested by a client and can be divided into three categories. They are:
1. Query, which is used to fetch information from a directory. Includes operations like search and compare.
2. Update, which is used to update the information stored in the directory. Includes operations like add, modify and delete.
3. Authentication, which is used to connect and disconnect with a server, create access rights and preserve information. Includes operations like bind, unbind and abandon.
Security Model
In LDAP, the security model relies on the bind operation. Three different bind operations are possible according to the security mechanisms applied. They are:
No Authentication
The simplest method, but it can only be applied when data security isn't a problem and where no access control permissions are tangled. For example, the directory includes an address book that can be browsed by anyone. If the user leaves the DN and password fields empty during the bind API call, the server will automatically adopt an anonymous user session and grant access along with the corresponding access controls described for this type of access.
Basic Authentication
Basic authentication is the alternative simple security mechanism used in LDAP, and it is employed in several other web-oriented protocols, like HTTP. In this approach, the client has to authenticate itself to the LDAP server by entering a password and DN that are transferred in clear text over the network. On the other end, the server compares the DN and password with the entries in the directory and grants access if the password matches. Moreover, passwords in clear text format can't guarantee confidentiality; hence, this may result in password disclosure to unauthorized parties.
SASL (Simple Authentication and Security Layer)
This framework has been added to LDAP v3 and adds an additional authentication method to connection-oriented protocols. This mechanism specifies a challenge & response protocol where the client and server exchange some data to ensure authentication and establish the security layer upon which the subsequent communication will be carried out. With SASL, the LDAP protocol can support any sort of authentication agreed upon by an LDAP client and an LDAP server.
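The bind, bind response and unbind messages described in this answer, as an added example (not from the original answer) that encodes them in BER exactly as RFC 4511 puts them on the TCP connection; the DN, password and diagnostic text are constructed. A simple-bind password appears verbatim in the bytes, which is the clear-text exposure the Basic Authentication section above describes.

```python
def ber(tag: int, content: bytes) -> bytes:
    """One BER TLV: single tag byte, short (<128) or long-form length, then content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def ber_uint(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0a), padded so the sign bit stays clear."""
    return ber(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), 'big'))

def bind_request(message_id: int, dn: str = '', password: str = '') -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    Empty dn and password = anonymous bind; otherwise a simple bind whose password is
    sent verbatim, which is why a simple bind belongs inside TLS (LDAPS or StartTLS)."""
    body = ber_uint(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_uint(message_id) + ber(0x60, body))

def unbind_request(message_id: int) -> bytes:
    """UnbindRequest [APPLICATION 2] NULL: tag 0x42 with empty content; no reply is sent."""
    return ber(0x30, ber_uint(message_id) + ber(0x42, b''))

def bind_response(message_id: int, result_code: int, diagnostic: str = '') -> bytes:
    """Server side: BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }."""
    result = ber_uint(result_code, 0x0a) + ber(0x04, b'') + ber(0x04, diagnostic.encode())
    return ber(0x30, ber_uint(message_id) + ber(0x61, result))

def _tlv(buf: bytes, pos: int):
    """Read one TLV at pos and return (tag, content, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long form: n & 0x7f bytes of length follow
        k = n & 0x7f
        n, pos = int.from_bytes(buf[pos:pos + k], 'big'), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_bind_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage); 0 = success, 49 = invalidCredentials."""
    tag, outer, _ = _tlv(msg, 0)
    if tag != 0x30: raise ValueError('not an LDAPMessage')
    _, mid, pos = _tlv(outer, 0)
    tag, result, _ = _tlv(outer, pos)
    if tag != 0x61: raise ValueError('not a BindResponse')
    _, code, pos = _tlv(result, 0)
    _, _matched_dn, pos = _tlv(result, pos)
    _, diag, _ = _tlv(result, pos)
    return int.from_bytes(mid, 'big'), int.from_bytes(code, 'big'), diag.decode()
```

`bind_request(1)` yields the 14-byte anonymous bind that every LDAP client sends when no credentials are supplied; compare it with `bind_request(2, dn, password)` to see the credentials in the clear.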