The Identity Stack, Episode 2
EP01: What Is LDAP → EP02 → EP03: LDAP Authentication on Linux → …
Focus Keyphrase: LDAP internals
Search Intent: Informational
Meta Description: Understand LDAP internals: the Directory Information Tree, DN syntax, object classes, schema, and the BER bytes that travel when you run ldapsearch. (150 chars)
TL;DR
- The Directory Information Tree (DIT) is the hierarchical database LDAP stores — every entry lives at a unique path described by its Distinguished Name (DN)
- Object classes define what attributes an entry is allowed or required to have —
posixAccountadds UID, GID, and home directory;inetOrgPersonadds email and display name - Schema is the rulebook: which attribute types exist across the entire directory, what syntax each follows, and which object classes require or permit them
- An LDAP Search sends four things: a base DN, a scope (base/one/sub), a filter like
(uid=vamshi), and a list of attributes to return — the server traverses the tree and returns LDIF - Every LDAP message on the wire is BER-encoded (Basic Encoding Rules, a subset of ASN.1) — a compact binary format, not text
ldapsearchoutput is LDIF (LDAP Data Interchange Format) — the human-readable representation of what the BER payload carried
The Big Picture: From ldapsearch to Directory Entry
ldapsearch -x -H ldap://dc.corp.com -b "dc=corp,dc=com" "(uid=vamshi)" cn mail uidNumber
│
│ TCP port 389 (or 636 for LDAPS)
│ BER-encoded SearchRequest
▼
┌─────────────────────────────────────────────────┐
│ LDAP Server (AD / OpenLDAP / 389-DS / FreeIPA) │
│ │
│ Directory Information Tree │
│ │
│ dc=corp,dc=com ← search base │
│ └── ou=engineers ← scope: sub │
│ ├── uid=alice │
│ └── uid=vamshi ← filter match │
│ cn: vamshi │
│ mail: [email protected] │
│ uidNumber: 1001 │
└─────────────────────────────────────────────────┘
│
│ BER-encoded SearchResultEntry
▼
# LDIF output on your terminal
dn: uid=vamshi,ou=engineers,dc=corp,dc=com
cn: vamshi
mail: [email protected]
uidNumber: 1001
LDAP internals are the mechanics between the command you type and the directory entry you get back. EP01 explained why LDAP was invented. This episode explains what it actually does when you run it.
The Directory Information Tree
EP01 introduced the DIT as a concept inherited from X.500. Here’s what it actually looks like inside a directory.
Every LDAP directory has a root — the base DN — from which all entries descend. For a company called Corp with a domain corp.com, the base is typically dc=corp,dc=com. Below that, the tree branches into organizational units, and below those, individual entries for people, groups, services, and anything else the directory administrator decided to model.
dc=corp,dc=com ← domain root (base DN)
│
├── ou=people ← organizational unit: people
│ ├── uid=alice ← user entry
│ ├── uid=vamshi
│ └── uid=bob
│
├── ou=groups ← organizational unit: groups
│ ├── cn=engineers
│ └── cn=ops
│
├── ou=services ← organizational unit: service accounts
│ ├── cn=jenkins
│ └── cn=gitlab-runner
│
└── ou=hosts ← organizational unit: machines
├── cn=web01.corp.com
└── cn=db01.corp.com
This hierarchy is not a file system and not a relational database. It is specifically optimized for reads — the query “give me everything about this user” is the operation the protocol is built around. Writes are infrequent. Reads are constant.
Every entry in the tree has exactly one parent. There are no cross-links between branches, no foreign keys. The tree is the structure. An entry’s position in the tree is what defines it.
Distinguished Names: Reading the Path
The Distinguished Name (DN) is how you address any entry in the directory. It reads right-to-left, from the leaf to the root, with each component separated by a comma.
uid=vamshi,ou=engineers,dc=corp,dc=com
Reading right-to-left:
dc=corp,dc=com ← domain: corp.com
ou=engineers ← organizational unit: engineers
uid=vamshi ← this specific entry: user "vamshi"
Each component of a DN — uid=vamshi, ou=engineers, dc=corp — is a Relative Distinguished Name (RDN). The RDN is the attribute-value pair that uniquely identifies the entry within its parent container. Two users in the same ou=engineers cannot both have uid=vamshi — that would create two entries with identical DNs, which the directory won’t allow.
Common RDN attribute types and what they mean:
| Attribute | Stands for | Typical use |
|---|---|---|
dc |
Domain Component | Domain name segments (dc=corp,dc=com = corp.com) |
ou |
Organizational Unit | Container for grouping entries |
cn |
Common Name | Groups, service accounts, human-readable name |
uid |
User ID | Linux username — the standard RDN for user entries |
o |
Organization | Top-level org containers (less common in modern setups) |
When your Linux system calls getent passwd vamshi, SSSD translates that into an LDAP Search for an entry where uid=vamshi somewhere under the configured base DN. The full DN comes back with the result, but what your system cares about are the attributes inside it.
Object Classes and Schema
Every entry in the directory has a objectClass attribute — usually several values. Object classes define what attributes the entry is allowed or required to have.
# A typical user entry's object classes
dn: uid=vamshi,ou=engineers,dc=corp,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
Each object class contributes a set of attributes — some required (MUST), some optional (MAY):
objectClass: posixAccount
MUST: cn, uid, uidNumber, gidNumber, homeDirectory
MAY: userPassword, loginShell, gecos, description
objectClass: inetOrgPerson
MUST: sn (surname), cn
MAY: mail, telephoneNumber, displayName, jpegPhoto, ...
objectClass: shadowAccount
MUST: uid
MAY: shadowLastChange, shadowMin, shadowMax, shadowWarning, ...
When Linux authenticates a user via LDAP, it needs the posixAccount attributes: uidNumber (the numeric UID), gidNumber, homeDirectory, and loginShell. Without posixAccount, the user entry exists in the directory but can’t be used for Linux logins — getent passwd will return nothing.
Object classes are grouped into three kinds:
Groups in LDAP use their own object class:
objectClass: groupOfNames
MUST: cn, member
MAY: description, owner, ...
# A group entry looks like this:
dn: cn=engineers,ou=groups,dc=corp,dc=com
objectClass: groupOfNames
cn: engineers
member: uid=vamshi,ou=engineers,dc=corp,dc=com
member: uid=alice,ou=engineers,dc=corp,dc=com
groupOfNames stores members as full DNs — which is why the SSSD group search filter is (member=uid=vamshi,ou=...) rather than (member=vamshi). The directory stores the exact path to each member entry. posixGroup is the alternative, which stores the memberUid as a bare username string instead of a DN — Active Directory uses groupOfNames; pure POSIX environments often use posixGroup.
Object classes are grouped into three kinds:
Structural — defines what the entry fundamentally is. Every entry must have exactly one structural class. posixAccount is structural.
Auxiliary — adds additional attributes to an existing entry. shadowAccount and inetOrgPerson can be auxiliary. You can stack multiple auxiliary classes on a single entry.
Abstract — base classes that other classes inherit from. top is the root abstract class that every entry implicitly has. You never add top to an entry; it’s always there.
Schema: The Directory’s Type System
Schema is the global rulebook for the entire directory. It defines:
- Attribute type definitions — what each attribute is named, what syntax it uses (a string? an integer? a binary blob?), whether it’s case-sensitive, whether multiple values are allowed
- Object class definitions — which attributes each class requires or permits
- Matching rules — how equality comparisons work for each attribute type
The schema is stored in the directory itself, under a special entry at cn=schema,cn=config (OpenLDAP) or cn=Schema,cn=Configuration (Active Directory). You can query it:
# View the schema for the posixAccount object class
ldapsearch -x -H ldap://your-dc \
-b "cn=schema,cn=config" \
"(objectClass=olcObjectClasses)" \
olcObjectClasses | grep -A 10 "posixAccount"
# Output:
# olcObjectClasses: ( 1.3.6.1.1.1.2.0
# NAME 'posixAccount'
# DESC 'Abstraction of an account with POSIX attributes'
# SUP top
# AUXILIARY
# MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
# MAY ( userPassword $ loginShell $ gecos $ description ) )
That OID (1.3.6.1.1.1.2.0) is the globally unique identifier for the posixAccount object class. Every object class and attribute type in every LDAP directory on the planet has a unique OID assigned by an authority. This is how schema interoperability works across different directory implementations — OpenLDAP, Active Directory, and 389-DS can all understand each other’s posixAccount entries because they share the same OID.
LDAP Operations: What Actually Runs
LDAP defines eight operations. Day-to-day authentication uses two: Bind and Search.
LDAP Operation Set
──────────────────
Bind ← authenticate (prove identity)
Search ← query the directory
Add ← create a new entry
Modify ← change attributes on an existing entry
Delete ← remove an entry
ModifyDN ← rename or move an entry
Compare ← test if an attribute has a specific value
Abandon ← cancel an outstanding operation
Bind: Proving Who You Are
Before any authenticated operation, the client sends a Bind request. There are two types:
Simple Bind — the client sends its DN and password in the clear (or over TLS). This is what -x in ldapsearch means: simple authentication.
# Simple bind as a service account
ldapsearch -x \
-D "cn=svc-ldap-reader,ou=services,dc=corp,dc=com" \
-w "service-account-password" \
-H ldap://dc.corp.com \
-b "dc=corp,dc=com" \
"(uid=vamshi)"
SASL Bind — the client uses an authentication mechanism registered with SASL (Simple Authentication and Security Layer). Kerberos (via the GSSAPI mechanism) is the most common. EP05 covers Kerberos in detail.
# SASL bind using Kerberos (after kinit)
ldapsearch -Y GSSAPI \
-H ldap://dc.corp.com \
-b "dc=corp,dc=com" \
"(uid=vamshi)"
An anonymous Bind (no DN, no password) is also valid for directories configured to allow anonymous reads. Many public LDAP directories (and some internal ones, misconfigured) allow this.
Search: The Core Operation
A Search request has five required parameters:
baseObject — where in the DIT to start (e.g., "dc=corp,dc=com")
scope — how deep to look
base = only the base entry itself
one = one level below base (immediate children)
sub = entire subtree below base (most common)
derefAliases — how to handle alias entries (usually derefAlways)
filter — what to match (e.g., "(uid=vamshi)")
attributes — which attributes to return (empty = return all)
When SSSD authenticates a user login, it runs exactly two Search operations:
Search 1 — find the user's entry
base: dc=corp,dc=com
scope: sub
filter: (uid=vamshi)
attributes: dn, uid, uidNumber, gidNumber, homeDirectory, loginShell
Search 2 — find the user's group memberships
base: dc=corp,dc=com
scope: sub
filter: (member=uid=vamshi,ou=engineers,dc=corp,dc=com)
attributes: dn, cn, gidNumber
The first search locates the user entry and retrieves the POSIX attributes. The second finds all group entries that contain the user’s DN as a member. These two queries are the complete basis for a Linux login over LDAP.
Search Filters
LDAP filters follow a prefix (Polish notation) syntax. Every filter is wrapped in parentheses:
# Simple equality
(uid=vamshi)
# Presence — entry has this attribute at all
(mail=*)
# Substring match
(cn=vam*)
# Comparison
(uidNumber>=1000)
# Logical AND — both conditions must match
(&(objectClass=posixAccount)(uid=vamshi))
# Logical OR — either condition matches
(|(uid=vamshi)([email protected]))
# Logical NOT
(!(uid=guest))
# Combined — posixAccount entries with UID >= 1000 and no disabled flag
(&(objectClass=posixAccount)(uidNumber>=1000)(!(pwdAccountLockedTime=*)))
The & and | operators take any number of operands. Filter syntax looks strange the first time but is unambiguous and compact — which matters when you’re encoding it into BER for the wire.
What Actually Travels on the Wire
Every LDAP message is encoded in BER (Basic Encoding Rules), a binary subset of ASN.1. LDAP is not a text protocol.
When you run ldapsearch, the tool constructs a BER-encoded SearchRequest message and sends it over TCP. The server responds with one or more SearchResultEntry messages (one per matching entry), followed by a SearchResultDone. All of these are BER.
BER uses a type-length-value (TLV) encoding:
Tag byte(s) — what type of data this is
Length byte(s) — how many bytes of data follow
Value byte(s) — the actual data
A minimal LDAP SearchRequest for ldapsearch -x -b "dc=corp,dc=com" "(uid=vamshi)" uid looks like this on the wire:
30 45 ← SEQUENCE (LDAPMessage)
02 01 01 ← INTEGER 1 (messageID = 1)
63 40 ← [APPLICATION 3] SearchRequest
04 11 ← OCTET STRING: baseObject
64 63 3d ← "dc=corp,dc=com" (20 bytes)
63 6f 72
70 2c 64
63 3d 63
6f 6d
0a 01 02 ← ENUMERATED: scope = wholeSubtree (2)
0a 01 03 ← ENUMERATED: derefAliases = derefAlways (3)
02 01 00 ← INTEGER: sizeLimit = 0 (unlimited)
02 01 00 ← INTEGER: timeLimit = 0 (unlimited)
01 01 00 ← BOOLEAN: typesOnly = false
a7 0f ← [7] equalityMatch filter
04 03 75 69 64 ← attributeDesc: "uid"
04 06 76 61 6d ← assertionValue: "vamshi"
73 68 69
30 05 ← SEQUENCE: AttributeDescriptionList
04 03 75 69 64 ← "uid"
You don’t need to read BER by hand in practice. But knowing it’s binary — not HTTP, not JSON, not plain text — explains some things:
- Why
tcpdump port 389shows binary output you can’t read directly - Why LDAP on port 389 looks different in Wireshark than HTTP traffic
- Why
ldapsearchoutput (LDIF) is a transformation of the wire data, not the wire data itself
To see the wire protocol in action:
# Run ldapsearch with debug output (level 1 = protocol tracing)
ldapsearch -d 1 -x \
-H ldap://ldap.forumsys.com \
-b "dc=example,dc=com" \
-D "cn=read-only-admin,dc=example,dc=com" \
-w readonly \
"(uid=tesla)" cn
# You'll see output like:
# ldap_connect_to_host: TCP ldap.forumsys.com:389
# ldap_new_connection 1 1 0
# ldap_connect_to_host: Trying ldap.forumsys.com:389
# ldap_pvt_connect: fd: 5 tm: -1 async: 0
# TLS: can't connect.
# ldap_open_defconn: successful
# ber_scanf fmt ({it) ber: ← BER decoding of the response
# ber_scanf fmt ({) ber:
# ber_scanf fmt (W) ber:
# ...
The ber_scanf lines are the BER decoder working through the server’s response. Each line represents one TLV element being read off the wire.
Reading ldapsearch Output: Every Field
ldapsearch output is LDIF (LDAP Data Interchange Format), defined in RFC 2849. It’s the standard text serialization of LDAP entries.
ldapsearch -x \
-H ldap://ldap.forumsys.com \
-b "dc=example,dc=com" \
-D "cn=read-only-admin,dc=example,dc=com" \
-w readonly \
"(uid=tesla)" \
cn mail uid uidNumber objectClass
Output, annotated:
# extended LDIF
#
# LDAPv3 ← protocol version confirmed
# base <dc=example,dc=com> with scope subtree
# filter: (uid=tesla) ← your search filter echoed back
# requesting: cn mail uid uidNumber objectClass
#
# tesla, example.com ← comment: CN, base DN
dn: uid=tesla,dc=example,dc=com ← Distinguished Name — full path in the tree
objectClass: inetOrgPerson ← structural class: person with org attrs
objectClass: organizationalPerson ← auxiliary: adds telephoneNumber etc.
objectClass: person ← auxiliary: adds sn (surname)
objectClass: top ← every entry has this implicitly
cn: Tesla ← common name (from inetOrgPerson MUST)
mail: [email protected] ← email (from inetOrgPerson MAY)
uid: tesla ← userid (from inetOrgPerson MAY)
# search result
search: 2 ← messageID of the SearchResultDone
result: 0 Success ← 0 = no error; 32 = no such object; 49 = invalid credentials
# numResponses: 2 ← 1 result entry + 1 SearchResultDone
# numEntries: 1
The result: line is the one to watch when debugging. LDAP result codes:
| Code | Meaning | What it tells you |
|---|---|---|
| 0 | Success | Query ran, results returned (or no results found — check numEntries) |
| 32 | No Such Object | Base DN doesn’t exist in this directory |
| 49 | Invalid Credentials | Bind failed — wrong DN, wrong password, or account locked |
| 50 | Insufficient Access | Your bind DN doesn’t have read permission on these entries |
| 53 | Unwilling to Perform | Server refused the operation (e.g., password policy, anonymous bind disabled) |
| 65 | Object Class Violation | Add/Modify would violate schema (missing MUST attribute, unrecognized object class) |
Ports: 389, 636, and 3268
Port 389 — LDAP (plaintext, or StartTLS in-session upgrade)
Port 636 — LDAPS (LDAP wrapped in TLS from the start)
Port 3268 — Active Directory Global Catalog (plain)
Port 3269 — Active Directory Global Catalog over TLS
Port 389 vs 636: Both carry the same BER-encoded LDAP protocol. The difference is when TLS starts. On 636 (LDAPS), the TLS handshake happens before the first LDAP message. On 389 with StartTLS, the client sends a plaintext ExtendedRequest with OID 1.3.6.1.4.1.1466.20037 to initiate the TLS upgrade, then both sides continue over TLS. In production, use one or the other — never unencrypted port 389. Your credentials transit the wire on every Bind.
Ports 3268/3269 — Active Directory Global Catalog: AD organizes domains into forests. Each domain controller holds the full LDAP tree for its own domain. The Global Catalog is a read-only, partial replica of every domain in the forest — just the most-queried attributes from every object. When an application needs to find a user across domains in the same forest (not just in one domain), it queries the Global Catalog on 3268/3269 instead of a domain-specific DC on 389/636.
Forest: corp.com
├── Domain: corp.com → DC at port 389/636 (full copy of corp.com)
├── Domain: emea.corp.com → DC at port 389/636 (full copy of emea.corp.com)
└── Global Catalog → GC at port 3268/3269 (partial copy of ALL domains)
If your SSSD or application is configured to use port 3268 instead of 389, it’s talking to the Global Catalog — useful for forest-wide user lookups, but missing some less-common attributes that aren’t replicated to the GC.
Try It: ldapsearch Against Your Own Directory
If your Linux machine is joined to AD or connected to an LDAP directory, you can run these right now:
# 1. Confirm your SSSD knows where the LDAP server is
grep -E "ldap_uri|ad_domain|krb5_server" /etc/sssd/sssd.conf
# 2. Look up your own user entry
ldapsearch -x \
-H ldap://$(grep ldap_uri /etc/sssd/sssd.conf | awk -F= '{print $2}' | tr -d ' ') \
-b "dc=$(hostname -d | sed 's/\./,dc=/g')" \
"(uid=$(whoami))" \
dn objectClass uid uidNumber gidNumber homeDirectory loginShell
# 3. Find the groups you're in
ldapsearch -x \
-H ldap://your-dc \
-b "dc=corp,dc=com" \
"(member=$(ldapsearch -x ... "(uid=$(whoami))" dn | grep ^dn | cut -d' ' -f2-))" \
cn gidNumber
# 4. Check what object classes your entry has
ldapsearch -x \
-H ldap://your-dc \
-b "dc=corp,dc=com" \
"(uid=$(whoami))" \
objectClass
On a machine joined to Active Directory, the ldap_uri in sssd.conf is your domain controller’s address. On FreeIPA or OpenLDAP, it’s the directory server. The same ldapsearch commands work against all of them — because they all speak LDAP v3.
⚠ Common Misconceptions
“The DN is like a file path.” The analogy holds for reading it, but the DIT is not a file system. Entries don’t inherit permissions from parent containers the way files inherit from directories. Access control in LDAP is defined by ACLs on the server — not by position in the tree.
“LDAP is case-sensitive.” It depends on the attribute. Most string attributes (like cn and mail) use case-insensitive matching by default — (cn=Vamshi) and (cn=vamshi) return the same results. But some attributes (like userPassword and most binary types) are case-sensitive. The schema’s matching rules define this per-attribute.
“You need the full DN to search for a user.” No. The Search operation with a sub scope searches the entire subtree below the base DN. You search with a filter like (uid=vamshi) without knowing the full DN. The DN comes back in the result.
“LDAP accounts and Linux accounts are the same thing.” An LDAP user entry becomes a Linux account only if the entry has a posixAccount object class with the required POSIX attributes (uidNumber, gidNumber, homeDirectory). An LDAP entry without posixAccount can exist in the directory but getent passwd will not return it.
“The objectClass attribute can be changed freely.” Structural object classes cannot be changed after an entry is created — you’d have to delete and recreate the entry. Auxiliary classes can be added or removed. This is why correctly choosing the structural class at entry creation time matters.
Framework Alignment
| Domain | Relevance |
|---|---|
| CISSP Domain 5: Identity and Access Management | DIT structure, DN addressing, object classes, and schema are the data model underpinning every enterprise identity store — understanding them is foundational to managing directory-based IAM |
| CISSP Domain 4: Communications and Network Security | BER on port 389 is unencrypted; LDAPS (port 636) or StartTLS is required for production — wire-level understanding informs the transport security decision |
| CISSP Domain 3: Security Architecture and Engineering | Schema design and DIT hierarchy are architectural decisions with security consequences: overly permissive schemas enable privilege escalation; flat DITs make access delegation harder |
Key Takeaways
- The DIT is a hierarchical database — every entry has a unique DN that describes its path from leaf to root
- Object classes define the schema rules for each entry: what attributes are required (
MUST) vs optional (MAY), and what the entry fundamentally is - For a user to be usable for Linux logins, the directory entry needs the
posixAccountobject class withuidNumber,gidNumber, andhomeDirectorypopulated - An LDAP login is two operations: a Bind (authenticate), then a Search (retrieve POSIX attributes and group memberships)
- Everything on the wire is BER-encoded binary —
ldapsearchoutput is LDIF, a human-readable transformation of what the wire actually carries - LDAP result code 0 means success; 49 means bad credentials; 32 means the base DN doesn’t exist — these are the three you’ll debug most often
Run ldapsearch against your own directory and look at the object classes on your entry. Does it have posixAccount? Does it have shadowAccount? What attributes is your SSSD actually reading on every login — and what does it do when the LDAP server is unreachable? 👇
What’s Next
EP02 showed what’s inside the directory: the tree structure, the schema, the operations, and the wire protocol. What it left open is how Linux actually uses this information to grant a login.
LDAP is not, by itself, an authentication protocol. The Bind operation can verify a password — but that’s a tiny piece of what happens when you SSH into a machine joined to Active Directory. The full login flow runs through PAM, NSS, and SSSD before LDAP ever gets queried. EP03 traces that path.
Next: LDAP Authentication on Linux: PAM, NSS, and the Login Stack
Get EP03 in your inbox when it publishes → linuxcent.com/subscribe