Lightweight Directory Access Protocol (LDAP) has become very popular due to its efficient and fast data access. A large number of applications and services, both in current use and under development, utilize an LDAP directory as their centralized data repository.
The LDAP directory stores entries as a tree. Each entry may consist of one or more attribute names and attribute values. An entry may be uniquely identified by its distinguished name (DN), which may include a common name (cn) attribute of the entry and the DN of a parent entry.
The contents of the entries are governed by an LDAP directory schema. The schema defines object classes and each entry has an objectClass attribute containing named classes defined in the schema. The objectClass attribute may be multivalued and contain the class “top” as well as some number of other classes. The schema definition for each class an entry belongs to defines what kind of object the entry may represent (e.g., a person, organization or domain). Membership in a particular class gives the entry the option of containing one set of attributes (optional attributes), and the obligation of containing another set of attributes (mandatory or required attributes). For example, an entry representing a person might belong to the class “person.” Membership in the “person” class would require the entry to contain the “sn” and “cn” attributes, and allow the entry also to contain “userPassword,” “telephoneNumber,” and other attributes. An LDAP directory server may access specific data items in the LDAP directory in response to a client request.
The LDAP server retrieves attributes and entries from the LDAP directory that are stored in the LDAP repository. The attributes and entries may be requested by a query, which may request specific entries, attributes or attribute values. A query may include a filter, which defines a search for LDAP entries by specifying search terms such as attributes and attribute values of the desired entries. The filter may include logic defining the relationship between search terms. Some of the requested LDAP entries, attributes and attribute values may be stored in a cache or indexed. Some of the requested attributes or search terms may be virtual attributes. Virtual attributes are not cached or indexed, because they change frequently and the LDAP server has no mechanism for accounting for the change. Other attributes may also change without the LDAP server being aware of the changes, so that the cache and index become inaccurate.
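The filter logic described above can be made concrete with an added example, which is not part of the original text: a small parser and evaluator for a subset of the RFC 4515 string filter syntax, run over a constructed three-entry directory. The DNs, attribute values and function names are assumptions made for illustration, and values are assumed to match case-insensitively.

```python
# Added example (constructed data): a subset of RFC 4515 filters, (&) (|) (!) = and =*.
DIRECTORY = {  # DN -> {lower-cased attribute name: [values]}
    "cn=Ann Lee,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person"], "cn": ["Ann Lee"], "sn": ["Lee"],
        "telephonenumber": ["+1 555 0100"]},
    "cn=Bob Roy,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person"], "cn": ["Bob Roy"], "sn": ["Roy"]},
    "ou=people,dc=example,dc=com": {
        "objectclass": ["top", "organizationalUnit"], "ou": ["people"]},
}

def parse(f, i=0):  # returns (node, index just past the parsed filter)
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, kids)
    else:
        end = f.find(")", i)
        attr, sep, value = f[i:end].lower().partition("=")
        ok = sep and attr.replace("-", "").isalnum() and not set(value) & set("(\\")
        if end == -1 or not ok or ("*" in value and value != "*"):
            raise ValueError(f"unsupported or malformed item at offset {i}")
        node = ("present", attr) if value == "*" else ("eq", attr, value)
        i = end
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):  # apply the parsed filter logic to one entry
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[0] == "present" else node[2] in values

def search(directory, filter_text):  # DNs of the entries satisfying the filter
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [dn for dn, entry in directory.items() if matches(node, entry)]
```

Substring, ordering and approximate-match items, and escaped values, are rejected rather than guessed at, so a filter outside the subset fails closed with a ValueError.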