LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network.
In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the Internet), the domain name system (DNS) is the directory system used to relate the domain name to a specific network address (a unique location on the network). However, you may not know the domain name. LDAP allows you to search for an individual without knowing where they're located (although additional information will help with the search).
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
- The root directory (the starting place or the source of the tree), which branches out to
- Countries, each of which branches out to
- Organizations, which branch out to
- Organizational units (divisions, departments, and so forth), which branches out to (includes an entry for)
- Individuals (which includes people, files, and shared resources such as printers)
An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.
LDAP and Active Directory
Lightweight Directory Access Protocol is the protocol that Exchange Server uses to communicate with Active Directory. To really understand what LDAP is and what it does, it is important to understand the basic concept behind Active Directory as it relates to Exchange.
Active Directory contains information regarding every user account on the entire network (among other things). It treats each user account as an object. Each user object also has multiple attributes. An example of an attribute is the user's first name, last name, or e-mail address. All of this information exists within a huge, cryptic database on a domain controller (Active Directory). The challenge is to extract information in a usable format. This is LDAP's job.
LDAP uses a relatively simple, string-based query to extract information from Active Directory. The nice part is that this all happens behind the scenes. A regular end user will never have to manually perform an LDAP query, because Outlook is LDAP-enabled and knows how perform all the necessary queries on its own.