Last tested: Jun 21, 2019
LDAP is a protocol for querying a directory service; in practice the directory is usually Active Directory (AD). One of LDAP's many possible functions is to authorise and authenticate users to applications like Looker.
HOW DOES LDAP WORK?
An AD stores information as a tree of entries, much like a file system. An LDAP entry is a collection of information about a single entity. Each entry consists of three primary components: a distinguished name (DN), a collection of attributes, and a collection of object classes.
Distinguished Name (DN): An entry’s distinguished name (DN) uniquely identifies that entry and its position in the directory information tree (DIT) hierarchy. The DN of an LDAP entry is much like the path to a file on a filesystem. An LDAP DN is composed of zero or more elements called relative distinguished names (RDNs), and each RDN is composed of one or more (usually just one) attribute-value pairs. For example, “uid=john.doe” is an RDN consisting of the attribute “uid” with the value “john.doe”. If an RDN has multiple attribute-value pairs, they are separated by plus signs, as in “givenName=John+sn=Doe”.
Attributes: Attributes hold the data for an entry. Each attribute has an attribute type, zero or more attribute options, and a set of values that comprise the actual data.
Object Classes: Object classes are schema elements that specify collections of attribute types that may be related to a particular type of object, process, or other entity. Every entry has a structural object class, which indicates what kind of object an entry represents (e.g., whether it is information about a person, a group, a device, a service, etc.).
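To make the DN structure above concrete, here is a small DN parser (an added example, not code from the original article or from Looker). It splits a DN into RDNs on commas and each RDN into attribute-value pairs on plus signs, honouring RFC 4514 backslash escapes so that a comma or plus sign inside a value is not mistaken for a separator; correct splitting matters when a DN is used to decide which directory entry maps to which application user. The DNs in the comments are constructed samples.

```python
# Added example: parse an LDAP distinguished name into its RDNs and
# attribute-value pairs. Handles "\," / "\+" escapes and single-byte
# hex escapes such as "\2C" (RFC 4514); multi-byte UTF-8 hex escapes
# are out of scope for this illustration.

def _split_unescaped(text, sep):
    """Split text on sep, ignoring occurrences preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape for _unescape
            i += 1
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts

def _unescape(value):
    """Resolve escapes: '\\,' -> ',' and '\\2C' (single-byte hex) -> ','."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1:i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                out.append(chr(int(nxt, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_dn(dn):
    """Return a list of RDNs; each RDN is a list of (attribute, value) tuples.
    Attribute types are case-insensitive in LDAP, so they are lower-cased.
    e.g. "givenName=John+sn=Doe,ou=People" -> [[("givenname","John"),("sn","Doe")],[("ou","People")]]"""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):
            attr, _, raw = ava.partition("=")
            pairs.append((attr.strip().lower(), _unescape(raw)))
        rdns.append(pairs)
    return rdns
```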
What does this have to do with Looker?
When you set up Looker with LDAP, you tell it which of these attributes to use to map a directory entry to a Looker user and to populate the fields Looker expects. You can additionally populate Looker user attributes from LDAP attributes.
Sources / Additional Reading: