-{{I:Slapd}}'s model for directory service is based on a global directory model
-called LDAP, which stands for the Lightweight Directory Access Protocol.
-LDAP is a directory service protocol that runs over TCP/IP. The nitty-gritty
-details of LDAP are defined in RFC 1777 "The Lightweight Directory Access
-Protocol." This section gives an overview of LDAP from a user's perspective.
-
-{{I:What kind of information can be stored in the directory?}}
-The LDAP directory
-service model is based on {{I:entries}}. An entry is a collection of
-attributes that has a name, called a {{I:distinguished name}} (DN).
-The DN is used to refer to the entry unambiguously. Each of the
-entry's attributes has a {{I:type}} and one or
-more {{I:values}}.
-The types are typically mnemonic strings, like "{{EX:cn}}" for common
-name, or "{{EX:mail}}" for email address. The values depend on what type of
-attribute it is. For example, a {{EX:mail}} attribute might contain the value
-"{{EX:babs@openldap.org}}". A {{EX:jpegPhoto}} attribute would contain
-a photograph in binary JPEG/JFIF format.
-
-{{I:How is the information arranged?}}
-In LDAP, directory entries are arranged in
-a hierarchical tree-like structure that reflects political, geographic and/or
-organizational boundaries. Entries representing countries appear at the top
-of the tree. Below them are entries representing states or national
-organizations. Below them might be entries representing people,
-organizational units, printers, documents, or just about anything else you can
-think of. Figure 1 shows an example LDAP directory tree, which should help
-make things clear.
-
-
-!import "intro_tree.gif"; align="center"; title="An example LDAP directory tree"
-FT: Figure 1: An example LDAP directory tree.
-
-
-In addition, LDAP allows you to control which attributes are required and
-allowed in an entry through the use of a special attribute called
-{{I:objectclass}}.
-The values of the {{I:objectclass}} attribute determine
-the {{I:schema}} rules the entry
-must obey.
-
-{{I:How is the information referenced?}}
-An entry is referenced by its
-distinguished name, which is constructed by taking the name of the entry
-itself (called the relative distinguished name, or RDN) and concatenating the
-names of its ancestor entries. For example, the entry for Barbara Jensen in
-the example above has an RDN of "{{EX:cn=Barbara J Jensen}}" and a DN of
-"{{EX:cn=Barbara J Jensen, o=OpenLDAP Project, c=US}}". The full DN format is
-described in RFC 1779, "A String Representation of Distinguished Names."
-
-{{I:How is the information accessed?}}
-LDAP defines operations for interrogating
-and updating the directory. Operations are provided for adding and deleting
-an entry from the directory, changing an existing entry, and changing the
-name of an entry. Most of the time, though, LDAP is used to search for
-information in the directory. The LDAP search operation allows some portion
-of the directory to be searched for entries that match some criteria specified
-by a search filter. Information can be requested from each entry that matches
-the criteria.
-
-For example, you might want to search the entire directory subtree below the
-OpenLDAP Project for people with the name Barbara Jensen, retrieving
-the email address of each entry found. LDAP lets you do this easily. Or you
-might want to search the entries directly below the c=US entry for
-organizations with the string "Acme" in their name, and that have a fax
-number. LDAP lets you do this too. The next section describes in more detail
-what you can do with LDAP and how it might be useful to you.
-
-{{I:How is the information protected from unauthorized access?}}
-Some directory
-services provide no protection, allowing anyone to see the information. LDAP
-provides a method for a client to authenticate, or prove its identity to a
-directory server, paving the way for rich access control to protect the
-information the server contains.
-
+{{TERM:LDAP}} stands for {{TERM[expand]LDAP}}. As the name suggests,
+it is a lightweight protocol for accessing directory services,
+specifically {{TERM:X.500}}-based directory services. LDAP runs
+over {{TERM:TCP}}/{{TERM:IP}} or other connection oriented transfer
+services. The nitty-gritty details of LDAP are defined in
+{{REF:RFC2251}} "The Lightweight Directory Access Protocol (v3)"
+and other documents comprising the technical specification
+{{REF:RFC3377}}. This section gives an overview of LDAP from a
+user's perspective.
+
+{{What kind of information can be stored in the directory?}} The
+LDAP information model is based on {{entries}}. An entry is a
+collection of attributes that has a globally-unique {{TERM[expand]DN}}
+(DN). The DN is used to refer to the entry unambiguously. Each of
+the entry's attributes has a {{type}} and one or more {{values}}.
+The types are typically mnemonic strings, like "{{EX:cn}}" for
+common name, or "{{EX:mail}}" for email address. The syntax of
+values depend on the attribute type. For example, a {{EX:cn}}
+attribute might contain the value {{EX:Babs Jensen}}. A {{EX:mail}}
+attribute might contain the value "{{EX:babs@example.com}}". A
+{{EX:jpegPhoto}} attribute would contain a photograph in the JPEG
+(binary) format.
+
+{{How is the information arranged?}} In LDAP, directory entries
+are arranged in a hierarchical tree-like structure. Traditionally,
+this structure reflected the geographic and/or organizational
+boundaries. Entries representing countries appear at the top of
+the tree. Below them are entries representing states and national
+organizations. Below them might be entries representing organizational
+units, people, printers, documents, or just about anything else
+you can think of. Figure 1.1 shows an example LDAP directory tree
+using traditional naming.
+
+!import "intro_tree.gif"; align="center"; \
+ title="LDAP directory tree (traditional naming)"
+FT[align="Center"] Figure 1.1: LDAP directory tree (traditional naming)
+
+The tree may also be arranged based upon Internet domain names.
+This naming approach is becoming increasing popular as it allows
+for directory services to be located using the {{DNS}}.
+Figure 1.2 shows an example LDAP directory tree using domain-based
+naming.
+
+!import "intro_dctree.gif"; align="center"; \
+ title="LDAP directory tree (Internet naming)"
+FT[align="Center"] Figure 1.2: LDAP directory tree (Internet naming)
+
+In addition, LDAP allows you to control which attributes are required
+and allowed in an entry through the use of a special attribute
+called {{EX:objectClass}}. The values of the {{EX:objectClass}}
+attribute determine the {{schema}} rules the entry must obey.
+
+{{How is the information referenced?}} An entry is referenced by
+its distinguished name, which is constructed by taking the name of
+the entry itself (called the {{TERM[expand]RDN}} or RDN) and
+concatenating the names of its ancestor entries. For example, the
+entry for Barbara Jensen in the Internet naming example above has
+an RDN of {{EX:uid=babs}} and a DN of
+{{EX:uid=babs,ou=People,dc=example,dc=com}}. The full DN format
+is described in {{REF:RFC2253}}, "Lightweight Directory Access
+Protocol (v3): UTF-8 String Representation of Distinguished Names."
+
+{{How is the information accessed?}} LDAP defines operations for
+interrogating and updating the directory. Operations are provided
+for adding and deleting an entry from the directory, changing an
+existing entry, and changing the name of an entry. Most of the
+time, though, LDAP is used to search for information in the directory.
+The LDAP search operation allows some portion of the directory to
+be searched for entries that match some criteria specified by a
+search filter. Information can be requested from each entry that
+matches the criteria.
+
+For example, you might want to search the entire directory subtree
+at and below {{EX:dc=example,dc=com}} for people with the name
+{{EX:Barbara Jensen}}, retrieving the email address of each entry
+found. LDAP lets you do this easily. Or you might want to search
+the entries directly below the {{EX:st=California,c=US}} entry for
+organizations with the string {{EX:Acme}} in their name, and that
+have a fax number. LDAP lets you do this too. The next section
+describes in more detail what you can do with LDAP and how it might
+be useful to you.
+
+{{How is the information protected from unauthorized access?}} Some
+directory services provide no protection, allowing anyone to see
+the information. LDAP provides a mechanism for a client to
+authenticate, or prove its identity to a directory server, paving
+the way for rich access control to protect the information the
+server contains. LDAP also supports privacy and integrity security
+services.
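Review bot: two wording slips and one under-specified security claim in the added text. In the "What kind of information can be stored" paragraph, "The syntax of values depend on the attribute type" should read "depends"; in the Internet-naming paragraph, "becoming increasing popular" should read "increasingly popular". More substantively, the closing sentence "LDAP also supports privacy and integrity security services." names no mechanism, although the RFC 3377 technical specification this section already cites defines them: RFC 2830 specifies the Start TLS extended operation that gives the connection confidentiality and integrity, and RFC 2829 specifies SASL-based authentication. Suggest citing both in the document's own markup, e.g. "LDAP also supports privacy and integrity security services via {{TERM:TLS}} ({{REF:RFC2830}}) and {{TERM:SASL}} ({{REF:RFC2829}})", so the reader understands that these protections exist only when a deployment actually enables them; a server that accepts an anonymous bind over a plain TCP connection offers none of what this paragraph promises.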