You may be used to web service client-server communication, where each time the web client has something to request of the web server, a connection is set up and then torn down. LDAP has a different model. In LDAP the client application connects to the server and authenticates, then requests any number of operations, perhaps processing results in between requests, and finally disconnects when done.
The standard operations are as follows.
Bind (authenticate). The first operation in an LDAP session involves the client binding to the LDAP server, with the server authenticating the client. Authentication establishes the client's identity in LDAP terms, the identity which the server later uses to authorize (or not) access to directory data that the client wants to look up or change.
Search (lookup). After binding, the client can request that the server return entries based on an LDAP filter, which is an expression that the server uses to find entries that match the request, and a base DN under which to search. For example, to look up all entries for people with email address bjensen@example.com in data for Example.com, you would specify a base DN such as ou=People,dc=example,dc=com and the filter (mail=bjensen@example.com).
Compare. After binding, the client can request that the server compare an attribute value the client specifies with the value stored on an entry in the directory.
Modify. After binding, the client can request that the server change one or more attribute values stored on one or more entries. Often administrators do not allow clients to change directory data, so request that your administrator set appropriate access rights for your client application if you want to update data.
Add. After binding, the client can request to add one or more new LDAP entries to the server.
Delete. After binding, the client can request that the server delete one or more entries. To delete an entry with other entries underneath, first delete the children, then the parent.
Modify DN. After binding, the client can request that the server change the distinguished name of the entry. For example, if Barbara changes her unique identifier from bjensen to something else, her DN would have to change. For another example, if you decide to consolidate ou=Customers and ou=Employees under ou=People instead, all the entries underneath must change distinguished names. [6]
Unbind. When done making requests, the client should request an unbind operation to release resources right away for other clients.
Abandon. When a request seems to be taking too long to complete, or when a search request returns many more matches than desired, the client can send an abandon request to the server to drop the operation in progress. The server then drops the connection without a reply to the client.
[6] Renaming entire branches of entries can be a major operation for the directory, so avoid moving entire branches if you can.
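The search operation described above, as an added example that is not code from the original page: a small Python model that applies a base DN and an RFC 4515 filter (equality, presence, &, |, !) to constructed sample entries, so you can see why the bjensen filter under ou=People returns one entry while the same filter under dc=example,dc=com returns two. The entries and the search, under_base, parse_filter and matches functions are assumptions made for this example.

```python
"""Model the LDAP search described above: select the entries that lie under a
base DN and match a filter (RFC 4515 subset: equality, presence, &, |, !)."""
# Constructed sample entries (DN -> attributes), not a real directory.
DIRECTORY = {
    "uid=bjensen,ou=People,dc=example,dc=com": {"uid": ["bjensen"], "mail": ["bjensen@example.com"]},
    "uid=kvaughan,ou=People,dc=example,dc=com": {"uid": ["kvaughan"], "mail": ["kvaughan@example.com"]},
    # Same mail value, but outside ou=People: a search scoped to that base DN must not return it.
    "uid=acme,ou=Customers,dc=example,dc=com": {"uid": ["acme"], "mail": ["bjensen@example.com"]},
}

def under_base(dn, base_dn):
    """True if dn is base_dn or lies beneath it (subtree scope); RDNs compare case-insensitively."""
    parts = [c.strip().lower() for c in dn.split(",")]
    base = [c.strip().lower() for c in base_dn.split(",")]
    return len(parts) >= len(base) and parts[len(parts) - len(base):] == base

def parse_filter(text):
    """Parse a filter string into a nested tuple; raise ValueError on malformed input."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|", "!"):  # composite: operator followed by sub-filters
        items, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                items.append(parse_filter(body[start:i + 1]))
                start = i + 1
        if not items or (body[0] == "!" and len(items) != 1):
            raise ValueError("bad composite filter: %r" % text)
        return (body[0], items)
    attr, sep, value = body.partition("=")
    if not (sep and attr and value):
        raise ValueError("unsupported filter item: %r" % text)
    return ("present", attr.lower()) if value == "*" else ("eq", attr.lower(), value)

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attribute values."""
    attrs = {k.lower(): v for k, v in attrs.items()}
    if node[0] == "&": return all(matches(n, attrs) for n in node[1])
    if node[0] == "|": return any(matches(n, attrs) for n in node[1])
    if node[0] == "!": return not matches(node[1][0], attrs)
    if node[0] == "present": return node[1] in attrs
    return any(v.lower() == node[2].lower() for v in attrs.get(node[1], []))

def search(base_dn, filter_text, directory=DIRECTORY):
    """Return the sorted DNs under base_dn whose entries match filter_text."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items() if under_base(dn, base_dn) and matches(node, attrs))
```

A real server also applies the bound identity's access rights before returning entries, so the result set a client sees can be narrower than what the filter alone would select.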