Softerra LDAP Administrator Help

What Is LDAP?

LDAP stands for Lightweight Directory Access Protocol and is a directory service protocol that runs over TCP/IP. This section gives an overview of LDAP from a user's perspective.

LDAP Information Model

The LDAP directory service model is based on entries. An entry is a collection of attributes that has a name called a distinguished name (DN). The DN is used to refer to the entry unambiguously. Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like cn for common name, or mail for e-mail address. The values depend on what type of attribute it is. For example, a 'mail' attribute might contain the value 'jsmith@company.com'. A jpegPhoto attribute would normally contain a binary JPEG/JFIF format image.

In LDAP, directory entries are arranged in a hierarchical tree-like structure that reflects political, geographic and/or organizational boundaries. Entries representing countries appear at the top of the tree. Below them are entries representing states or national organizations. Further down one usually comes across entries representing people, organizational units, printers, documents, or just about anything else you can think of. Figure 1 shows an example of an LDAP directory tree to make this clearer.


Figure 1: A typical directory tree.

In addition, LDAP allows you to control which attributes are required to be present in an entry or are optional, by defining a special kind of attribute called objectclass. The values of the objectclass attribute determine the schema rules the entry must obey.

How Is the Information Referred to?

An entry is referred to by its distinguished name, which is composed of the entry's own name (called the relative distinguished name, or RDN) followed by the names of its ancestor entries. For example, the entry for Barbara Jensen in Figure 1 has an RDN of 'cn=Barbara J Jensen' and a DN of 'cn=Barbara J Jensen, o=U of M, c=US'. The complete DN format is described in RFC 4514, "String Representation of Distinguished Names."

How Is the Information Accessed?

LDAP defines operations for interrogating and updating the directory. Operations are provided for adding an entry to a directory, deleting an entry, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory to be searched for entries that match criteria specified by a search filter, and information can be requested from each entry that matches. For example, you might want to search the entire directory subtree below an organization for people with the name 'Barbara Jensen', retrieving the e-mail address from each entry found. LDAP lets you do this quite easily. Or you might want to search the level directly below an entry representing a country for organizations with a specified name that have a fax number. LDAP handles this kind of task just as easily.
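As an added example (not Softerra's code, nor text from the RFCs), the DN composition from the previous section and the two searches just described, written in Python with only the standard library; the function names are this example's own, and the filters assume the standard person and organization object classes with their objectClass, cn, o and facsimileTelephoneNumber attributes.

```python
# Added example (not Softerra's code): composing and splitting DNs per RFC 4514
# and building search filters per RFC 4515 for the entries described above.
# Standard library only; every function name here is this example's own.

DN_ESCAPED = set('",+;<>\\')  # must be escaped anywhere inside an RDN value
FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_dn_value(value: str) -> str:
    """Escape an RDN value (RFC 4514 section 2.4): the set above anywhere,
    plus a leading '#' or space and a trailing space."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_ESCAPED or (i == 0 and ch in '# ') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(r'\00' if ch == '\x00' else ch)
    return ''.join(out)

def build_dn(rdns) -> str:
    """Join (type, value) pairs, leaf first, into a DN string. The spaces after
    the commas in the chart are a display convenience; RFC 4514 has none."""
    return ','.join(f'{t}={escape_dn_value(v)}' for t, v in rdns)

def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, keeping backslash-escaped commas, so that
    result[0] is the entry's own RDN and result[1:] name its ancestors."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):  # copy escape pairs untouched
            cur.append(dn[i:i + 2]); i += 2
        elif dn[i] == ',':
            rdns.append(''.join(cur).strip()); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    return rdns + [''.join(cur).strip()]

def escape_filter_value(value: str) -> str:
    """Escape an assertion value (RFC 4515 section 3). Values from user input
    must pass through here; otherwise '*', '(' and ')' alter the filter's
    structure instead of being matched literally."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def person_by_name_filter(name: str) -> str:
    """Text's first example: people with the given common name."""
    return f'(&(objectClass=person)(cn={escape_filter_value(name)}))'

def org_with_fax_filter(name: str) -> str:
    """Text's second example: organizations with the given name and a fax number."""
    return ('(&(objectClass=organization)'
            f'(o={escape_filter_value(name)})(facsimileTelephoneNumber=*))')
```

The person filter is meant for a subtree-scoped search below the organization's entry, the fax filter for a one-level search below the country's entry, matching the two scopes described in the text.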

How Is the Information Protected from Unauthorized Access?

Some directory services provide no protection, allowing anyone to view information. LDAP provides a method for clients to authenticate or prove their identity to a directory server, thus enabling substantial access control to protect the information the server contains.
