The Light Weight Directory Access Protocol (LDAP) has become very popular due to its efficient and fast data access. A large number of applications/services are currently in use and being developed which use an LDAP directory as their centralized data repository.
The LDAP directory stores entries as a tree. Each entry may consist of one or more attribute names and attribute values. An entry may be uniquely identified by its distinguished name (DN) that may include a common name (cn) attribute of the entry and DN of a parent entry.
The contents of the entries are governed by an LDAP directory schema. The schema defines object classes and each entry has an objectClass attribute containing named classes defined in the schema. The objectClass attribute may be multivalued and contain the class “top” as well as some number of other classes. The schema definition for each class an entry belongs to defines what kind of object the entry may represent (e.g., a person, organization or domain). Membership in a particular class gives the entry the option of containing one set of attributes (optional attributes), and the obligation of containing another set of attributes (mandatory or required attributes). For example, an entry representing a person might belong to the class “person.” Membership in the “person” class would require the entry to contain the “sn” and “cn” attributes and allow the entry also to contain “userPassword,” “telephoneNumber” and other attributes.
Each LDAP entry may have a set of applicable access control instructions (ACIs). These ACIs determine which users have access to the attributes and attribute values of an entry and the type of access allowed to each user. The entries in the LDAP repository and schema are typically organized in a hierarchical tree type data structure. Each entry also inherits the ACIs of its parent entries. In order to evaluate the ability of a user to access an entry, the tree must be traversed to determine the applicable ACIs that the entry inherits.