LDAP Functions

The LDAP functions are used to interact with directory servers that use the Lightweight Directory Access Protocol (LDAP).

LDAP was originally a subset of a much larger directory standard. Initially, LDAP was used as a simple gateway that allowed standalone clients to access x.500 directory servers. LDAP has gained in popularity, and eventually eclipsed strict x.500 in terms of deployment and use.

Most server operating systems now have some form of LDAP client services built in, including NetWare, NT 2000, and MacOS X, and there are LDAP server implementations in both commercial formats (such as iPlanet Directory) and Open Source (OpenLDAP).

LDAP is tuned to be a high-speed, TCP/IP-based, replicated, simple data retrieval method, so it's especially useful for web applications. In many cases, it's more than 15-20 times faster than retrieving information from a more complex database system. However, because LDAP is usually optimized for retrieval and replication, it often fares poorly in situations where high-speed data additions and changes are the primary considerations (in SQL terms, this is analogous to INSERT and UPDATE).

A couple of examples: For a basic directory of names, phone numbers, and addresses, which only change every few weeks, an LDAP server would be one of the best choices. To store complex individual, department-wide, and organization-wide daily appointments, which could potentially change many times a day, LDAP would be a less-than-optimal choice.

The speed benefits and detriments of LDAP are due to a few decisions made in the basic design. One feature found in many LDAP implementations is the use of a mostly flat database table design, which allows for high-speed single-table scanning, much like MySQL optimizes for single-table scanning. Another feature is a strict tree-based design, which allows for only searching relevant branchs (an important feature for global directories such as x.500, or searching a small department of 200 out of a 20,000-person organization). The final feature is a form of replication to enhance the tree design, which allows each "branch" server to replicate only the subset of the tree, so a 2,000-entry server can be set up completely independently of the main server, much like a local DNS server can be searched independently of the parent servers.

The usual sequence of operations is as follows:

Call ldap_connect() to initiate the interaction to a specific LDAP server or group of servers.

Call ldap_bind() to authenticate as a specific user; for example, the directory administrator or the user who owns a particular entry.

Perform any transactions needed.

Call ldap_unbind() or ldap_close() .