`-------------
`----
`- -----
`-----
`--- ·-
`
`Understanding LDAP
`
Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman
`
`International Technical Support Organization
`
http://www.redbooks.ibm.com
`
`SG24-4986-00
`
RingCentral Ex-1016, p. 1
RingCentral v. Estech
IPR2021-00574
`
`
`
`
`International Technical Support Organization
`
`SG24-4986-00
`
`Understanding LDAP
`
`June 1998
`
`
`
`
`Take Note!
`
`Before using this information and the product it supports, be sure to read the general information in
`Appendix D, “Special Notices” on page 161.
`
`First Edition (June 1998)
`
`Comments may be addressed to:
`IBM Corporation, International Technical Support Organization
`Dept. JN9B Building 045 Internal Zip 2834
`11400 Burnet Road
`Austin, Texas 78758-3493
`
`When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the
`information in any way it believes appropriate without incurring any obligation to you.
`
`© Copyright International Business Machines Corporation 1998. All rights reserved
`Note to U.S Government Users – Documentation related to restricted rights – Use, duplication or disclosure is
`subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.
`
`
`
`
`Contents
`
`Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
`
`Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .ix
`
`Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xi
`The Team That Wrote This Redbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
`Comments Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
`
`Chapter 1. LDAP: The New Common Directory . . . . . . . . . . . . . . . . . . . 1
`1.1 What is a Directory? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
`1.1.1 Differences Between Directories and Databases . . . . . . . . . . . . . 2
`1.1.2 Directory Clients and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
`1.1.3 Distributed Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
`1.1.4 Directory Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
`1.2 The Directory as Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
`1.2.1 Directory-Enabled Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
`1.2.2 The Benefits of a Common Directory . . . . . . . . . . . . . . . . . . . . . . 9
`1.3 LDAP History and Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
`1.3.1 OSI and the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
`1.3.2 X.500: The Directory Service Standard. . . . . . . . . . . . . . . . . . . . 11
`1.3.3 LDAP: Lightweight Access to X.500 . . . . . . . . . . . . . . . . . . . . . . 12
`1.4 LDAP: Protocol or Directory? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
`1.5 The LDAP Road Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
`1.6 The Quick Start: A Public LDAP Example . . . . . . . . . . . . . . . . . . . . . . 16
`
`Chapter 2. LDAP Concepts and Architecture . . . . . . . . . . . . . . . . . . . . 19
`2.1 Overview of LDAP Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
`2.2 The LDAP Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
`2.2.1 The Information Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
`2.2.2 The Naming Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
`2.2.3 The Functional Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
`2.2.4 The Security Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
`2.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
`2.3.1 No Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
`2.3.2 Basic Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
`2.3.3 Simple Authentication and Security Layer (SASL) . . . . . . . . . . . 45
`2.4 Manageability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
`2.4.1 LDAP Command Line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
`2.4.2 LDAP Data Interchange Format (LDIF) . . . . . . . . . . . . . . . . . . . . 50
`2.5 Platform Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
`
`© Copyright IBM Corp. 1998
`
`
`
`
`Chapter 3. Designing and Maintaining an LDAP Directory . . . . . . . . . 57
`3.1 Directory Design Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
`3.1.1 Defining the Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
`3.1.2 Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
`3.1.3 Physical Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
`3.2 Migration Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
`3.3 Example Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
`3.3.1 Small Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
`3.3.2 Large Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
`
`Chapter 4. Building LDAP-Enabled Applications . . . . . . . . . . . . . . . . . 85
`4.1 LDAP Software Development Kits (SDKs) . . . . . . . . . . . . . . . . . . . . . 86
`4.2 The C Language API to LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
`4.2.1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
`4.2.2 Synchronous and Asynchronous Use of the API . . . . . . . . . . . . . 91
`4.2.3 A Synchronous Search Example . . . . . . . . . . . . . . . . . . . . . . . . 92
`4.2.4 More about Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
`4.2.5 Parsing Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
`4.2.6 An Asynchronous Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
`4.2.7 Error Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
`4.2.8 Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
`4.2.9 Multithreaded Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
`4.3 LDAP Command Line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
`4.3.1 The Search Tool: ldapsearch . . . . . . . . . . . . . . . . . . . . . . . . . . 116
`4.3.2 The ldapmodify and ldapadd Utilities . . . . . . . . . . . . . . . . . . . . 117
`4.3.3 The ldapdelete Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
`4.3.4 The ldapmodrdn Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
`4.3.5 Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
`4.4 LDAP URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
`4.4.1 Uses of LDAP URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
`4.4.2 LDAP URL APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
`4.5 The Java Naming and Directory Interface (JNDI) . . . . . . . . . . . . . . . 124
`4.5.1 JNDI Example Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
`
`Chapter 5. The Future of LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
`5.1 The IETF LDAP Road Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
`5.1.1 Access Control Requirements for LDAP . . . . . . . . . . . . . . . . . . 132
`5.1.2 Scrolling View Browsing of Search Results . . . . . . . . . . . . . . . . 133
`5.1.3 LDAP Clients Finding LDAP Servers . . . . . . . . . . . . . . . . . . . . 133
`5.2 Distributed Computing Environment (DCE) and LDAP . . . . . . . . . . . 133
`5.2.1 LDAP Interface for the GDA . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
`5.2.2 LDAP Interface for the CDS . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
`5.2.3 Future LDAP Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
`
`
`
`
`5.3 Other Middleware Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
`5.4 The Directory-Enabled Networks Initiative . . . . . . . . . . . . . . . . . . . . 138
`
`Appendix A. Other LDAP References . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
`A.1 The Internet Engineering Task Force (IETF) . . . . . . . . . . . . . . . . . . . . . 139
`A.2 The University of Michigan (UMICH) . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
`A.3 Software Development Kits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
`A.4 Other Sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
`A.4.1 Vendors Mentioned in this Book . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
`A.4.2 LDAP, General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
`A.4.3 Request for Comments (RFCs) . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
`A.4.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
`
`Appendix B. LDAP Products and Services . . . . . . . . . . . . . . . . . . . . . . 143
`B.1 IBM Product Offerings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
`B.1.1 IBM eNetwork LDAP Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
`B.1.2 IBM eNetwork X.500 Directory for AIX . . . . . . . . . . . . . . . . . . . . . . 144
`B.1.3 IBM eNetwork LDAP Client Pack for Multiplatforms . . . . . . . . . . . . 145
`B.2 Lotus Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
`B.3 Tivoli User Administration: LDAP Endpoint. . . . . . . . . . . . . . . . . . . . . . . 147
`B.4 Other LDAP Server Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
`B.4.1 Netscape Directory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
`B.4.2 Novell LDAP Services for NDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
`B.4.3 Microsoft Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
`B.5 LDAP Enabled Clients and Applications . . . . . . . . . . . . . . . . . . . . . . . . . 150
`B.6 LDAP Development Kits and Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
`B.7 Public LDAP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
`
`Appendix C. LDAP C Language API Functions and Error Codes. . . . 153
`C.1 C Language API Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
`C.1.1 Functions to Establish and Terminate a Connection . . . . . . . . . . . 153
`C.1.2 Session-Handling Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
`C.1.3 Interacting with the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
`C.1.4 Error Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
`C.1.5 Analyzing Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
`C.1.6 Freeing Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
`C.1.7 Other Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
`C.2 LDAP API Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
`
`Appendix D. Special Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
`
`Appendix E. Related Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
`E.1 International Technical Support Organization Publications . . . . . . . . . . 163
`E.2 Redbooks on CD-ROMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
`
`
`
`
`
`
`E.3 Other Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
`
`How to Get ITSO Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
`How IBM Employees Can Get ITSO Redbooks . . . . . . . . . . . . . . . . . . . . . . . 165
`How Customers Can Get ITSO Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
`IBM Redbook Order Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
`
`List of Abbreviations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
`
`Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
`
`ITSO Redbook Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
`
`
`
`
`Figures
`
`1. Directory Client/Server Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
`2. LDAP Server Acting as a Gateway to an X.500 Server . . . . . . . . . . . . . . . 14
`3. Stand-Alone LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
`4. Search an Internet Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
`5. Results Searching an Internet Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 18
`6. Entries, Attributes and Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
`7. Example Directory Information Tree (DIT) . . . . . . . . . . . . . . . . . . . . . . . . . 29
`8. Distinguished Name Grammar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
`9. Example DIT Showing Suffixes and Referrals . . . . . . . . . . . . . . . . . . . . . . 33
`10. Referral Followed by Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
`11. Server Chaining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
`12. Search Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
`13. SASL Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
`14. SSL/TLS in Relationship with Other Protocols. . . . . . . . . . . . . . . . . . . . . . 47
`15. SSL/TLS Handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
`16. DNS-Type Naming Model for the Directory Tree . . . . . . . . . . . . . . . . . . . . 62
`17. Modified Tree Representation of an Organization . . . . . . . . . . . . . . . . . . . 63
`18. Sample ACL Attribute Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
`19. Setup of a Load Balancing, Replicated LDAP Cluster . . . . . . . . . . . . . . . . 70
`20. Example of an Organization’s Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
`21. Handling Referrals in a Partitioned Namespace . . . . . . . . . . . . . . . . . . . . 71
`22. Migration and Data Consolidation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
`23. Migration from Existing Directory Services to LDAP . . . . . . . . . . . . . . . . . 75
`24. Example Directory Tree with Attributes for a Small Organization . . . . . . . 78
`25. Partitioned Namespace Setup for the ABC Organization . . . . . . . . . . . . . 81
`26. A Load Balanced, Replicated, and Partitioned Directory Service . . . . . . . 83
`27. Synchronous Versus Asynchronous Calls . . . . . . . . . . . . . . . . . . . . . . . . . 91
`28. Different Search Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
`29. Result of a Search Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
`30. Multiple Parallel Threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
`31. JNDI API and SPI Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
`32. LDAP Interface for the GDA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
`33. LDAP Interface for NSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
`34. Tivoli Database Versus the Real Configuration . . . . . . . . . . . . . . . . . . . . 147
`
`
`
`
`
`
`
`Tables
`
`1. Example ACL for an Employee’s Directory Entry . . . . . . . . . . . . . . . . . . . . 8
`2. Some of the LDAP Attribute Syntaxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
`3. Common LDAP Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
`4. Object Classes and Required Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 27
`5. Attribute Type String Representations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
`6. Search Filter Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
`7. Boolean Operators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
`8. Update Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
`9. Authentication Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
`10. Description of LDIF Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
`11. LDIF Fields for Specifying Organization Entries . . . . . . . . . . . . . . . . . . . . 53
`12. LDIF Fields for Specifying an Organizational Unit . . . . . . . . . . . . . . . . . . . 54
`13. LDIF Fields for Specifying an Organizational Unit . . . . . . . . . . . . . . . . . . . 55
`14. ACL Structure for Web Content Administration Using Two Groups. . . . . . 69
`15. LDAP URL APIs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
`16. JNDI Directory Context Environment Properties . . . . . . . . . . . . . . . . . . . 127
`17. Functions that Initialize and Terminate a Connection . . . . . . . . . . . . . . . 153
`18. Session-Handling Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
`19. Functions that Send or Receive Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
`20. Functions for Error Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
`21. Parsing the Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
`22. Memory-Freeing Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
`23. Other Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
`
`
`
`
`
`
`
`Preface
`
`Lightweight Directory Access Protocol (LDAP) is a fast-growing technology
`for accessing common directory information. LDAP has been embraced and
`implemented in most network-oriented middleware. As an open,
`vendor-neutral standard, LDAP provides an extendable architecture for
`centralized storage and management of information that needs to be
`available for today’s distributed systems and services.
`
`After a fast start, it can be assumed that LDAP has become the de facto
`access method for directory information, much the same as the Domain
`Name System (DNS) is used for IP address look-up on almost any system on
`an intranet and on the Internet. LDAP is currently supported in most network
`operating systems, groupware and even shrink-wrapped network
`applications.
`
`This redbook was written for those readers who need to understand the basic
`principles and concepts of LDAP. Some background knowledge about
`heterogeneous, distributed systems is assumed and is highly beneficial when
`reading this book. Because this redbook is not meant to be an LDAP
`implementation guide, it does not contain product-related or vendor-specific
`information other than that used in examples.
`
`The Team That Wrote This Redbook
`
`This redbook was produced by a team of specialists from around the world
`working at the International Technical Support Organization, Austin Center.
`
`Heinz Johner is an Advisory Systems Engineer at the International Technical
`Support Organization, Austin Center. He writes extensively on all areas of the
`Distributed Computing Environment (DCE). Before joining the ITSO, he
`worked in the services organization of IBM Switzerland and was responsible
`for DCE and Systems Management in medium and large customer projects.
`
`Larry Brown, Ph.D. is a Professional Services Technical Consultant for
`Transarc Corporation in the United States. He has 15 years of experience in
`the software industry and received his degree in Computer Engineering from
`Florida Atlantic University. His areas of expertise include distributed systems
`and transaction processing.
`
`Franz-Stefan Hinner is a Systems Engineer at the Technical Marketing &
`Sales Support in Germany. He has been with IBM for 12 years. His areas of
expertise include Network Operating Systems, like Warp Server, Windows NT,
Novell NetWare, Distributed Computing Environment (DCE), Directory &
Security Services (DSS), and Global Sign-On (GSO).
`
`Wolfgang Reis is a Software Specialist from the AIX Customer Support
`Center in Germany. He has two years of experience supporting the IBM
`Internet products. He holds a degree in Physics received from the University
`of Bonn in Germany. His areas of expertise include the products Lotus Notes
`and Domino.
`
`Johan Westman is an RS/6000 Technical Specialist working for IBM in
`Sweden. He has worked three years with RS/6000s, focusing on Network
`Computing. He holds a Master of Science in Engineering Physics degree
`from Uppsala University in Sweden. His main area of expertise is Network
`Computing solutions on IBM Midrange Server platforms.
`
`Thanks to the following people for their invaluable contributions to this
`project:
`
`Ellen Stokes
`Lead Directory Architect, IETF participant, IBM Austin
`
`Mike Schlosser
`Senior Software Engineer, LDAP Design & Architecture, IETF participant,
`IBM Austin
`
`Members of the LDAP planning and development team at IBM Austin:
`Jamil Bissar
`Mike Dugan
`Mike Garrison
`James Manon
`Mark McConaughy
`
`Special thanks go to the editors for their help in finalizing the text and
`publishing the book:
`
`Marcus Brewer
`Tara Campbell
`John Weiss
`
Comments Welcome

Your comments are important to us!

We want our redbooks to be as helpful as possible. Please send us your
comments about this or other redbooks in one of the following ways:
`
 • Fax the evaluation form found in “ITSO Redbook Evaluation” on page 177
to the fax number shown on the form.

 • Use the electronic evaluation form found on the Redbooks Web sites:

   For Internet users: http://www.redbooks.ibm.com
   For IBM Intranet users: http://w3.itso.ibm.com

 • Send us a note at the following address:

   redbook@us.ibm.com
`
`
`
`
`
`
`
`
`
`Chapter 1. LDAP: The New Common Directory
`
People and businesses are increasingly relying on networked computer
systems to support distributed applications. These distributed applications
might interact with computers on the same local area network (LAN), within a
corporate intranet, or anywhere on the worldwide Internet. To improve
functionality and ease of use, and to enable cost-effective administration of
distributed applications, information about the services, resources, users, and
other objects accessible from the applications needs to be organized in a
clear and consistent manner. Much of this information can be shared among
many applications, but it must also be protected to prevent unauthorized
modification or the disclosure of private information.
`
`Information describing the various users, applications, files, printers, and
`other resources accessible from a network is often collected into a special
`database, sometimes called a directory. As the number of different networks
`and applications has grown, the number of specialized directories of
`information has also grown, resulting in islands of information that cannot be
`shared and are difficult to maintain. If all of this information could be
`maintained and accessed in a consistent and controlled manner, it would
`provide a focal point for integrating a distributed environment into a
`consistent and seamless system.
`
`The Lightweight Directory Access Protocol (LDAP) is an open industry
`standard that has evolved to meet these needs. LDAP defines a standard
`method for accessing and updating information in a directory. LDAP is
`gaining wide acceptance as the directory access method of the Internet and
`is therefore also becoming strategic within corporate intranets. It is being
`supported by a growing number of software vendors and is being
`incorporated into a growing number of applications.
`
`Understanding LDAP explains the ideas behind LDAP and is intended to give
`the reader a detailed understanding of the architecture, use, and benefits of
`LDAP. Product-specific programming, configuration, and administration
`information is not presented; instead, the underlying concepts are discussed.
`
`Chapter 1 provides background information about what a directory service is
`and the benefits it can provide. The architecture of LDAP is discussed in
`detail in Chapter 2. Chapter 3 discusses issues related to the design and
`maintenance of an LDAP directory. Building directory-enabled applications is
`discussed in Chapter 4, which presents the LDAP programming model and
`code examples. Finally, the future of LDAP is discussed in Chapter 5. Various
`reference material is collected in the appendices.
`
`
`
`
1.1 What is a Directory?
A directory is a listing of information about objects arranged in some order
that gives details about each object. Common examples are a city telephone
directory and a library card catalog. For a telephone directory, the objects
listed are people; the names are arranged alphabetically, and the details
given about each person are address and telephone number. Books in a
library card catalog are ordered by author or by title, and information such as
the ISBN of the book and other publication information is given.
`
`In computer terms, a directory is a specialized database, also called a data
`repository, that stores typed and ordered information about objects. A
`particular directory might list information about printers (the objects)
`consisting of typed information such as location (a formatted character
`string), speed in pages per minute (numeric), print streams supported (for
`example PostScript or ASCII), and so on.
`
`Directories allow users or applications to find resources that have the
`characteristics needed for a particular task. For example, a directory of users
`can be used to look up a person’s e-mail address or fax number. A directory
`could be searched to find a nearby PostScript color printer. Or a directory of
`application servers could be searched to find a server that can access
`customer billing information.
`
`The terms white pages and yellow pages are sometimes used to describe
`how a directory is used. If the name of an object (person, printer) is known, its
`characteristics (phone number, pages per minute) can be retrieved. This is
`similar to looking up a name in the white pages of a telephone directory. If the
`name of a particular individual object is not known, the directory can be
`searched for a list of objects that meet a certain requirement. This is like
`looking up a listing of hairdressers in the yellow pages of a telephone
`directory. However, directories stored on a computer are much more flexible
`than the yellow pages of a telephone directory because they can usually be
`searched by specific criteria, not just by a predefined set of categories.
`
`1.1.1 Differences Between Directories and Databases
`A directory is often described as a database, but it is a specialized database
`that has characteristics that set it apart from general purpose relational
`databases. One special characteristic of directories is that they are accessed
`(read or searched) much more often than they are updated (written)
`Hundreds of people might look up an individual’s phone number, or
`thousands of print clients might look up the characteristics of a particular
`printer. But the phone number or printer characteristics rarely change.
`
`2
`
`Understanding LDAP
`
`RingCentral Ex-1016, p. 18
`RingCentral v. Estech
`IPR2021-00574
`
`
`
Because directories must be able to support high volumes of read requests,
they are typically optimized for read access. Write access might be limited to
system administrators or to the owner of each piece of information. A general
purpose database, on the other hand, needs to support applications such as
airline reservation and banking with high update volumes.
`
`Because directories are meant to store relatively static information and are
`optimized for that purpose, they are not appropriate for storing information
`that changes rapidly. For example, the number of jobs currently in a print
`queue probably should not be stored in the directory entry for a printer
`because that information would have to be updated frequently to be accurate.
`Instead, the directory entry for the printer could contain the network address
`of a print server. The print server could be queried to learn the current queue
`length if desired. The information in the directory (the print server address) is
`static, whereas the number of jobs in the print queue is dynamic.
`
`Another important difference between directories and general purpose
`databases is that directories may not support transactions (some vendor
`implementations, however, do). Transactions are all-or-nothing operations
`that must be completed in total or not at all. For example, when transferring
`money from one bank account to another, the money must be debited from
`one account and credited to the other account in a single transaction. If only
`half of this transaction completes or someone accesses the accounts while
`the money is in transit, the accounts will not balance. General-purpose
`databases usually support such transactions, which complicates their
`implementation.
`
Because directories deal mostly with read requests, the complexities of
transactions can be avoided. If two people exchange offices, both of their
directory entries need to be updated with new phone numbers, office
locations, and so on. If one directory entry is updated, and then the other
directory entry is updated, there is a brief period during which the directory
will show that both people have the same phone number. Because updates are
relatively rare, such anomalies are considered acceptable.
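The following Python program is an added example and is not code from the redbook or from any LDAP product. It illustrates two passages above with one small in-memory directory: the white-pages lookup (name known, fetch details) versus yellow-pages search (match entries against criteria) from section 1.1, and the office-swap anomaly from section 1.1.1, where two entries are changed by two separate modify operations and a reader in between sees both people with the same phone number. The entries, DNs, attribute names and values are constructed sample data, and the filter parser handles only a subset of LDAP filter syntax (and, or, not, equality, presence and prefix substring); escapes and the ordering operators are left out on purpose.

```python
# Added example, not part of the redbook: a small in-memory directory that
# shows (1) white-pages lookup by name, (2) yellow-pages search with an
# LDAP-style filter, and (3) the non-atomic office swap from section 1.1.1.
# Entries, DNs, attribute names and values are constructed sample data.
from copy import deepcopy

DIRECTORY = {
    "cn=John Smith,ou=Austin,o=IBM": {
        "objectClass": ["person"], "cn": ["John Smith"],
        "telephoneNumber": ["512-555-0101"], "roomNumber": ["045-1A"]},
    "cn=Jane Doe,ou=Austin,o=IBM": {
        "objectClass": ["person"], "cn": ["Jane Doe"],
        "telephoneNumber": ["512-555-0102"], "roomNumber": ["045-1B"]},
    "cn=lp-color-1,ou=Austin,o=IBM": {
        "objectClass": ["printer"], "cn": ["lp-color-1"], "printColor": ["TRUE"],
        "printerLocation": ["Building 045"], "printStream": ["PostScript"]},
    "cn=lp-mono-2,ou=Austin,o=IBM": {
        "objectClass": ["printer"], "cn": ["lp-mono-2"], "printColor": ["FALSE"],
        "printerLocation": ["Building 045"], "printStream": ["PostScript", "ASCII"]},
}


def parse_filter(text):
    """Parse a subset of LDAP filter syntax (RFC 2254 style) into a tree.
    Supported: (&..), (|..), (!..), (attr=value), (attr=*), (attr=prefix*).
    Escapes and the >=, <=, ~= operators are deliberately left out."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not attr or sep != "=":
            raise ValueError("expected attr=value at offset %d" % pos)
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive matching)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":                       # presence filter
        return bool(values)
    if value.endswith("*"):                # prefix substring filter
        return any(v.startswith(value[:-1].lower()) for v in values)
    return value.lower() in values         # equality filter


def lookup(directory, dn):
    """White pages: the object's name is known, return its details (or None)."""
    return directory.get(dn)


def search(directory, filter_text):
    """Yellow pages: return the sorted DNs of all entries matching the filter."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(tree, entry))


def swap_offices(directory, dn_a, dn_b):
    """Two people exchange offices. LDAP has no multi-entry transaction, so this
    is two independent modify operations; a reader between them sees both
    entries with the same phone number. Returns (matches seen after the first
    update, matches seen after the second) for A's new phone number."""
    a, b = directory[dn_a], directory[dn_b]
    new_a = deepcopy({k: b[k] for k in ("telephoneNumber", "roomNumber")})
    new_b = deepcopy({k: a[k] for k in ("telephoneNumber", "roomNumber")})
    a.update(new_a)                         # first modify operation
    mid = search(directory, "(telephoneNumber=%s)" % a["telephoneNumber"][0])
    b.update(new_b)                         # second modify operation
    after = search(directory, "(telephoneNumber=%s)" % a["telephoneNumber"][0])
    return mid, after


if __name__ == "__main__":
    print(lookup(DIRECTORY, "cn=Jane Doe,ou=Austin,o=IBM")["telephoneNumber"])
    print(search(DIRECTORY, "(&(objectClass=printer)(printColor=TRUE)(printerLocation=Building 045*))"))
    print(swap_offices(deepcopy(DIRECTORY), "cn=John Smith,ou=Austin,o=IBM", "cn=Jane Doe,ou=Austin,o=IBM"))
```

The design point is in `swap_offices`: nothing in the protocol model ties the two updates together, so the duplicate-phone-number state is visible to any client that searches between them. A real server would serialize each modify on its own, but it would not roll back the first if the second failed; that is the trade-off the text describes, and it is why data that must change atomically across several records belongs in a transactional database rather than a directory.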
`
`The type of information stored in a directory usually does not require strict
`consistency. It might be acceptable if information such as a telephone
`number is temporarily out of date. Because directories are not transactional,
`it is not a good idea to use them to store information sens