Lightweight Directory Access Protocol
==Directory structure==
The protocol provides an interface with directories that follow the 1993 edition of the [[X.500]] model:

* An entry consists of a set of attributes.
* An attribute has a name (an ''attribute type'' or ''attribute description'') and one or more values. The attributes are defined in a ''schema'' (see below).
* Each entry has a unique identifier: its ''Distinguished Name'' (DN). This consists of its ''Relative Distinguished Name'' (RDN), constructed from some attribute(s) in the entry, followed by the parent entry's DN. Think of the DN as the [[full path|full file path]] and the RDN as its relative filename in its parent folder (e.g. if <code>/foo/bar/myfile.txt</code> were the DN, then <code>myfile.txt</code> would be the RDN).

A DN may change over the lifetime of the entry, for instance, when entries are moved within a tree. To reliably and unambiguously identify entries, a [[UUID]] might be provided in the set of the entry's ''operational attributes''.

An entry can look like this when represented in [[LDAP Data Interchange Format]] (LDIF), a plain text format (as opposed to a [[binary protocol]] such as LDAP itself):

<syntaxhighlight lang="ldif">
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
</syntaxhighlight>

"<code>dn</code>" is the distinguished name of the entry; it is neither an attribute nor a part of the entry. "<code>cn=John Doe</code>" is the entry's RDN (Relative Distinguished Name), and "<code>dc=example,dc=com</code>" is the DN of the parent entry, where "<code>dc</code>" denotes '[[Domain Name System|Domain Component]]'. The other lines show the attributes in the entry. Attribute names are typically mnemonic strings, like "<code>cn</code>" for common name, "<code>dc</code>" for domain component, "<code>mail</code>" for email address, and "<code>sn</code>" for surname.<ref>{{FOLDOC|Lightweight+Directory+Access+Protocol}}</ref>

A server holds a subtree starting from a specific entry, e.g. "<code>dc=example,dc=com</code>" and its children. Servers may also hold references to other servers, so an attempt to access "<code>ou=department,dc=example,dc=com</code>" could return a ''referral'' or ''continuation reference'' to a server that holds that part of the directory tree. The client can then contact the other server. Some servers also support ''chaining'', which means the server contacts the other server and returns the results to the client.

LDAP rarely defines any ordering: the server may return the values of an attribute, the attributes in an entry, and the entries found by a search operation in any order. This follows from the formal definitions: an entry is defined as a [[set (computer science)|set]] of attributes, and an attribute is a set of values, and sets need not be ordered.
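As an added example (not part of the article or of any LDAP library), the following Python code reads an abridged copy of the entry above into sets, so that a comparison or an access decision cannot depend on the order a server happened to return, and splits the DN into RDN and parent DN without breaking on an escaped comma. The helper names are hypothetical; it assumes plain <code>name: value</code> lines and compares values as exact strings rather than with per-attribute matching rules.

```python
# Added example, not from the article; helper names are hypothetical.
# Assumes one entry of plain "name: value" lines (no base64 "::", no folding).

def split_dn(dn):
    """Return (rdn, parent_dn), splitting at the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":       # a backslash escapes the next character (RFC 4514)
            i += 2
            continue
        if dn[i] == ",":
            return dn[:i].strip(), dn[i + 1:].strip()
        i += 1
    return dn.strip(), ""       # no comma: the entry sits directly under the root

def parse_ldif_entry(text):
    """Return (dn, attrs); attrs maps lowercased attribute names to value sets."""
    dn, attrs = None, {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError(f"unsupported LDIF line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value          # the DN names the entry; it is not an attribute
        else:
            attrs.setdefault(name, set()).add(value)
    if dn is None:
        raise ValueError("entry has no dn line")
    return dn, attrs

# Abridged from the article's entry.
ENTRY = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
objectClass: inetOrgPerson
objectClass: top
"""
# Same entry with the attribute lines in reverse order (constructed).
_lines = ENTRY.splitlines()
REORDERED = "\n".join(_lines[:1] + _lines[:0:-1])

if __name__ == "__main__":
    dn, attrs = parse_ldif_entry(ENTRY)
    print(split_dn(dn))                                  # RDN and parent DN
    print(parse_ldif_entry(REORDERED) == (dn, attrs))    # order does not matter
    print(split_dn(r"cn=Doe\, John,dc=example,dc=com"))  # escaped comma stays in the RDN
```

Code that takes "the first" value of a multi-valued attribute such as <code>telephoneNumber</code> or <code>objectClass</code> relies on an ordering the protocol does not guarantee.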