LDAP directories are organized in a standardized hierarchical tree structure, the Directory Information Tree (DIT), which can be distributed across many servers. The schema standardizes the object classes and their attributes. The tree hierarchy in turn branches into levels that represent political, geographic, or organizational units, for example:
- Root
- Countries
- Organizations
- Organizational units
- People
- Individuals / resources
The LDAP directory can exist on several LDAP servers as complete replicas that are synchronized with the original. Queries to the directory go through LDAP servers, also called Directory System Agents (DSAs), which can pass queries on to other DSAs while still giving users a fast response from a single, abstracted interface.
LDAP follows an object-oriented approach with objects, classes, inheritance, and polymorphism. A self-contained LDAP directory entry (an LDAP object) consists of attributes and its mandatory object name, the Distinguished Name. The Distinguished Name is structured much like a file path and ensures that no two objects on the same level have the same name. Each attribute of an object has a specific type, identified by an abbreviation such as cn (common name), st (state), or sn (surname), and can be single- or multi-valued depending on that type. Container objects hold further objects, while the ends of the tree's branches are individual leaf objects.
A client identifies itself to the LDAP server through the bind operation with a distinguished name (DN). The base DN, together with a search scope, defines which directory levels a search covers: base (only this object), sub (this object and everything below it), or one (the level directly below the base DN). End users rarely issue search queries by hand; they usually come from LDAP-enabled programs (e.g. Outlook). The directory service itself controls who is allowed to access what.
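As an added example (not code from the original article), the following Python models a small DIT in memory: it splits DNs into their RDNs, enforces that no two objects share a name on one level, and evaluates the base, one and sub search scopes described above. All entries, names and values are constructed for illustration.

```python
# Added example, not from the original article: an in-memory model of a small
# DIT that shows DN parsing, the one-name-per-level rule, and the search scopes.
# Constructed sample entries: DN -> attributes (multi-valued, hence lists).
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["dcObject", "organization"]},
    "ou=People,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=Ada Lovelace,ou=People,dc=example,dc=com": {"objectClass": ["person"],
        "sn": ["Lovelace"], "mail": ["ada@example.com", "a.lovelace@example.com"]},
    "cn=Alan Turing,ou=People,dc=example,dc=com": {"objectClass": ["person"], "sn": ["Turing"]},
    "ou=Groups,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {"objectClass": ["groupOfNames"]},
}
# Scope name -> predicate on an entry's depth below the base DN.
SCOPES = {"base": lambda d: d == 0, "one": lambda d: d == 1, "sub": lambda d: True}

def split_dn(dn):
    """Split a DN into RDNs, leaf first; a backslash-escaped comma stays in the value."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
            escaped = ch == "\\" and not escaped
    rdns.append("".join(current).strip())
    return rdns

def add_entry(directory, dn, attrs):
    """Insert an entry. The DN must be unused (no two objects with the same
    name on one level) and its parent must already exist."""
    if dn in directory:
        raise ValueError("name already in use at this level: " + dn)
    parent = ",".join(split_dn(dn)[1:])
    if parent and parent not in directory:
        raise ValueError("parent entry does not exist: " + parent)
    directory[dn] = attrs

def search(base_dn, scope, directory=DIRECTORY):
    """DNs a search with this base DN and scope visits (exact RDN match; real servers apply matching rules)."""
    base = split_dn(base_dn)
    hits = []
    for dn in directory:
        rdns = split_dn(dn)
        if len(rdns) < len(base) or rdns[-len(base):] != base:
            continue  # not at or below the base DN
        if SCOPES[scope](len(rdns) - len(base)):
            hits.append(dn)
    return hits
```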