LDAP (Lightweight Directory Access Protocol)
LDAP is a directory access protocol used to query, authenticate, and manage identities and resources stored in directory services.
What is LDAP?
Lightweight Directory Access Protocol (LDAP) is an application-layer protocol that enables applications to access and manage directory information such as users, groups, devices, and services. LDAP provides a standardized way to read and modify entries in a hierarchical directory.
LDAP is widely used as the query and access mechanism behind enterprise directory services.
Why LDAP matters
LDAP is important because it:
- Centralizes identity and resource information
- Enables authentication and authorization workflows
- Scales to large enterprise environments
- Integrates with many applications and platforms
- Serves as a foundation for IAM and SSO solutions
Many systems rely on LDAP even when it is abstracted by higher-level services.
How LDAP works (simplified)
LDAP operations typically involve:
- A client connects to a directory server
- The client authenticates (bind operation)
- The client performs queries or updates
- The server returns entries or results
- The session ends or remains open
LDAP interactions are optimized for read-heavy workloads.
LDAP directory structure
LDAP directories use a hierarchical tree structure:
- DIT (Directory Information Tree) - overall hierarchy
- Entries - objects such as users or groups
- Attributes - properties of entries
- DN (Distinguished Name) - unique path to an entry
This structure allows efficient organization and delegation.
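Because delegation and access scoping are usually expressed in terms of where an entry sits in the DIT, a practitioner needs to compare DNs structurally rather than as raw strings. The following added example (not code from the original page) parses RFC 4514 DNs into their RDNs, handling backslash and hex escapes, and scope-checks an entry against a base DN; it assumes case-insensitive value matching and ASCII-only hex escapes, which is a simplification of LDAP matching rules.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def split_unescaped(text, sep):
    """Split on sep, but not where sep is escaped by a backslash (escapes are kept for later decoding)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Decode RFC 4514 escapes: '\\2C' (hex pair, ASCII only in this example) and '\\,' style single-char escapes."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and HEX_PAIR.fullmatch(value[i + 1:i + 3]):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_dn(dn):
    """Parse a DN into RDNs (leaf first); each RDN is a sorted tuple of (type, value), lower-cased for comparison."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr_type, _, attr_value = ava.partition("=")
            # Unescaped leading spaces are insignificant; trailing spaces must be escaped per RFC 4514.
            avas.append((attr_type.strip().lower(), unescape(attr_value.lstrip()).lower()))
        rdns.append(tuple(sorted(avas)))
    return rdns

def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn or sits below it in the DIT: compare parsed RDNs, not raw strings."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base
```

A plain suffix match on the DN string would wrongly accept `ou=notstaff,...` under `ou=staff,...` and miscount components when a value contains an escaped comma; the parsed comparison handles both.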
LDAP authentication
LDAP supports authentication by:
- Verifying user credentials (bind)
- Integrating with underlying authentication systems
- Working alongside Kerberos in enterprise setups
LDAP itself does not make application authorization decisions - it supplies the identity, group, and attribute data that those decisions are based on.
LDAP and Active Directory
In many environments:
- LDAP is the directory access protocol
- Active Directory is the directory service
- LDAP queries retrieve users, groups, and attributes from AD
LDAP is a core interface to Active Directory data.
LDAP ports and security
Common LDAP configurations:
- Port 389 - LDAP (cleartext by default; the session can be upgraded to TLS with STARTTLS)
- Port 636 - LDAPS (LDAP over TLS)
Best practice is to encrypt LDAP traffic using TLS to protect credentials and directory data.
LDAP vs other directory protocols
| Aspect | LDAP | Proprietary APIs |
|---|---|---|
| Standardized | Yes | No |
| Platform support | Broad | Limited |
| Flexibility | High | Vendor-specific |
| Encryption | TLS-supported | Varies |
LDAP's openness makes it widely adopted.
LDAP in enterprise environments
Organizations use LDAP to:
- Authenticate users for applications
- Centralize identity data
- Integrate third-party software
- Enable role- and group-based access
- Support hybrid and legacy systems
LDAP is common in both on-prem and hybrid setups.
Security considerations
LDAP security risks include:
- Credentials sent in cleartext when simple binds are used without TLS
- Over-permissive directory access
- Exposure of sensitive attributes
- Legacy binds and weak configurations
Hardening LDAP access is essential in enterprise environments.
Common misconceptions
- "LDAP is a database"
- "LDAP replaces authentication protocols"
- "LDAP is insecure by design"
- "LDAP is obsolete in cloud environments"