Lightweight Directory Access Protocol (LDAP) is a directory protocol used to manage and access information stored in a directory. While we most commonly use LDAP in corporate environments that use Microsoft’s Active Directory Domain Services (ADDS) suite, LDAP is a vendor-agnostic protocol that we can use with many different user directories.
How Is LDAP Different From a Database?
Because LDAP’s primary function is to query data held in a directory, it’s often confused with a database. It isn’t one. LDAP is the protocol; the directory server behind it is what actually holds the data, and what that server exposes through LDAP is not tables and rows like a traditional relational database but a hierarchical tree of entries, each made up of attributes, optimized for frequent reads and searches rather than for transactions and joins.
What Is LDAP Used For?
LDAP was created in 1993 as a lightweight alternative to the existing X.500 Directory Access Protocol (DAP). DAP required the full OSI protocol stack and correspondingly large amounts of computing power and bandwidth; LDAP delivered the core directory operations over ordinary TCP/IP. Thirty years on, LDAP remains widely used for a variety of purposes.
Because LDAP can query directory information and verify a password against it, we can use it for centralized authentication, often described as single sign-on (SSO): an existing directory account is used to authenticate a user to an application or service. Strictly speaking this is not true SSO, since each application still collects the user’s password and checks it with its own bind against the directory; SAML and OpenID Connect (built on OAuth 2.0) have become more common for modern SSO precisely because the application never sees the password. Even so, many enterprises still rely on LDAP for this capability.
In addition to authentication, we can use LDAP to query the directory for user attributes such as title, department, group membership, employee ID and the access control list on an object. Depending on the permissions the bind identity holds, it’s also possible to update the directory: we can use LDAP to add, remove or modify entries.
How Does LDAP Work?
At its core, LDAP is a request/response protocol that lets services and applications read (and, with the right permissions, write) directory entries. A typical query has four parts:
- Session Connection — The client opens a TCP connection to the LDAP server, by default port 389 for plain LDAP or 636 for LDAP over TLS (LDAPS), and then binds, that is, authenticates: either a simple bind with a distinguished name and password, or a SASL mechanism such as Kerberos in Active Directory. Anonymous binds are possible but should be disabled on any directory that holds account data.
- Request — The client sends a search operation: the base DN to start from, a scope (the base entry only, one level below it, or the whole subtree), a filter that selects the wanted entries, for example by user ID or email address, and the list of attributes to return.
- Response — The server evaluates the filter against the directory, returns each matching entry with the requested attributes, and finishes with a result code (success, or an error such as insufficient access rights).
- Completion — The client sends an unbind request and the TCP connection is closed.
These steps remain the same regardless of the use case because, above all else, LDAP’s purpose is to provide directory information efficiently.
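To make the four steps concrete, here is an added example (not code from the original article) that builds the three client PDUs of one query, bind, search and unbind, as the BER-encoded bytes a client writes to TCP port 389, using only the Python standard library. The DN, password, base DN, filter and attribute list are made-up values for illustration, nothing is sent over the network, and the point is to see what crosses the wire, including the simple-bind password in clear text.

```python
"""Minimal BER encoder for the LDAPv3 client PDUs (RFC 4511) of one query.
Added example, not from the original article; all DNs, passwords and
filter values are constructed for illustration.  No network I/O."""
from __future__ import annotations


# --- generic BER helpers ----------------------------------------------------

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value: the building block of every BER element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0A); the header fields used here fit in one byte."""
    if not 0 <= value < 0x80:
        raise ValueError("single-byte encoding only")
    return tlv(tag, bytes([value]))


def octet_string(value: str, tag: int = 0x04) -> bytes:
    return tlv(tag, value.encode("utf-8"))


def sequence(*items: bytes, tag: int = 0x30) -> bytes:
    return tlv(tag, b"".join(items))


# --- LDAP protocol operations ----------------------------------------------

def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return sequence(ber_int(message_id), protocol_op)


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Simple bind: [APPLICATION 0] SEQUENCE { version 3, name, simple [0] OCTET STRING }.
    The password is carried verbatim, which is why TLS (LDAPS or StartTLS)
    must be in place before this PDU is sent."""
    op = sequence(ber_int(3), octet_string(dn), octet_string(password, tag=0x80), tag=0x60)
    return ldap_message(message_id, op)


def equality_filter(attribute: str, value: str) -> bytes:
    """Filter CHOICE equalityMatch [3] AttributeValueAssertion, e.g. (uid=jdoe)."""
    return sequence(octet_string(attribute), octet_string(value), tag=0xA3)


def search_request(message_id: int, base_dn: str, filter_: bytes, attributes: list[str]) -> bytes:
    """[APPLICATION 3] SearchRequest over the whole subtree, server-default limits."""
    op = sequence(
        octet_string(base_dn),
        ber_int(2, tag=0x0A),   # scope: wholeSubtree
        ber_int(0, tag=0x0A),   # derefAliases: neverDerefAliases
        ber_int(0),             # sizeLimit: 0 = server default
        ber_int(0),             # timeLimit: 0 = server default
        tlv(0x01, b"\x00"),     # typesOnly: BOOLEAN FALSE
        filter_,
        sequence(*(octet_string(a) for a in attributes)),  # AttributeSelection
        tag=0x63,
    )
    return ldap_message(message_id, op)


def unbind_request(message_id: int) -> bytes:
    """[APPLICATION 2] NULL: the client is done and will close the socket."""
    return ldap_message(message_id, b"\x42\x00")


def client_session(bind_dn: str, password: str, base_dn: str,
                   username: str, attributes: list[str]) -> list[bytes]:
    """The client-side PDUs of one lookup, in the order they go on the wire."""
    return [
        bind_request(1, bind_dn, password),
        search_request(2, base_dn, equality_filter("sAMAccountName", username), attributes),
        unbind_request(3),
    ]


if __name__ == "__main__":
    for pdu in client_session("cn=svc-app,dc=exampledomain,dc=org", "hunter2",
                              "dc=exampledomain,dc=org", "jdoe", ["cn", "mail"]):
        print(pdu.hex())
```

Run it and the bind PDU shows the service-account password as plain bytes in the hex dump; on an unencrypted session that is exactly what a packet capture would contain.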
Although almost every directory product in use today speaks LDAP, an application can’t simply start querying. LDAP is a client-server protocol, and it needs infrastructure on both ends before the first search can succeed.
To deploy LDAP within an enterprise, you must have the following in place:
- Directory Server — In a Windows environment this is a domain controller: every Active Directory domain controller exposes LDAP on port 389, and LDAPS on 636 once it holds a suitable server certificate. Outside Windows it may be OpenLDAP or another LDAP server. Either way, this is where the directory data lives and where access control for LDAP clients is configured.
- LDAP User(s) — Most applications bind with a dedicated service account before they search. Give that account the least privilege that works (normally read-only, scoped to the parts of the tree it needs) and protect its credential: a simple-bind password travels in clear text unless the session is TLS-protected, and anyone who captures or extracts it can enumerate the directory. The account does not need, and should not have, access to password data; directory servers don’t return password hashes to ordinary clients (Active Directory never returns unicodePwd on a read), so an application that claims to need it is misconfigured. In Active Directory, a group Managed Service Account or a Kerberos (SASL GSSAPI) bind avoids a static password altogether.
- Directory Data — There must be data in the directory for the LDAP service to query. Generally this means user accounts, groups and computer objects, each carrying the attributes applications will ask for.
- LDAP Client — The computer or application that will query the directory must be configured with the server’s address and port, the bind credential, the base DN to search under and the CA certificate it should trust for TLS.
- LDAP Security — Treat transport protection as mandatory rather than optional. Plain LDAP on port 389 carries simple-bind passwords and every returned attribute in clear text. Use LDAPS (LDAP over TLS on port 636) or StartTLS on 389, with certificate validation enabled on the client; SSL proper is obsolete and should not be offered. Active Directory can additionally be configured to require LDAP signing and channel binding, which rejects unsigned or unencrypted binds outright.
Once the LDAP infrastructure is in place, any service or application that supports LDAP can be pointed at it for directory queries or authentication: the application binds to the server with the LDAP service account and then issues its searches over that session.
Depending on the use case, this connection may stay open long-term. An application that authenticates users, for instance, usually keeps a pooled connection bound as the service account, uses it to look up the distinguished name of whoever is logging in, and then performs a second bind as that user with the password they supplied; a successful bind proves the password, and the application never needs to read it. In other cases the connection is temporary and is closed as soon as the query completes. Either way, the service account is the identity the application uses for its own lookups each time it connects, while end users’ credentials are used only for that verification bind.
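The lookup step of that authentication pattern is where LDAP injection happens: if the username from the login form is pasted into the search filter, the user controls the filter’s syntax, not just its value. The following added example (not from the original article) shows the vulnerable and the hardened filter builder side by side and includes a small in-memory filter evaluator over constructed sample entries, so the effect can be observed without a server. The entries, usernames and the choice of sAMAccountName as the lookup attribute are assumptions made for the demonstration.

```python
"""LDAP filter construction for the "look up the user, then bind as them"
pattern, with the injection that raw concatenation allows and the RFC 4515
escaping that prevents it.  Added example, not from the original article;
the directory entries and usernames below are constructed sample data."""
from __future__ import annotations

import re

# RFC 4515 section 3: these are the only characters with meaning inside an
# assertion value, so they are the ones that must be escaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted input so it can only ever be matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(username: str) -> str:
    """Vulnerable: raw concatenation lets the caller change the filter's logic."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def safe_user_filter(username: str) -> str:
    """Hardened: the username is an opaque value, never filter syntax."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


# --- toy evaluator so the difference can be seen without a server -----------

def parse_filter(text: str):
    """Recursive-descent parser for the subset used here: &, |, !, attr=value."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            result = (op, children)
        else:
            end = text.index(")", pos)
            attr, value = text[pos:end].split("=", 1)
            result = ("=", attr.lower(), value)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _value_matches(pattern: str, actual: str) -> bool:
    # A bare '*' is a wildcard.  An escaped one arrives as the literal text \2a,
    # is decoded here to a real '*' and then matches only a real asterisk.
    pieces = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
              for p in pattern.split("*")]
    regex = ".*".join(re.escape(p) for p in pieces)
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def matches(tree, entry: dict) -> bool:
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    return any(_value_matches(value, v) for v in entry.get(attr, []))


# Constructed sample entries: attribute names lower-cased, values as lists.
DIRECTORY = [
    {"dn": ["CN=John Doe,OU=Users,DC=exampledomain,DC=org"],
     "objectclass": ["top", "person", "user"], "samaccountname": ["jdoe"]},
    {"dn": ["CN=Administrator,CN=Users,DC=exampledomain,DC=org"],
     "objectclass": ["top", "person", "user"], "samaccountname": ["Administrator"]},
    {"dn": ["CN=Domain Admins,CN=Users,DC=exampledomain,DC=org"],
     "objectclass": ["top", "group"], "samaccountname": ["Domain Admins"]},
]


def search(filter_text: str, directory=DIRECTORY) -> list[str]:
    """Return the DNs the filter selects, as the server's search result would."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in directory if matches(tree, e)]
```

With the unsafe builder a login name of `*` selects every user and `admin*` selects the Administrator account, so whichever entry the application takes as "the" user is attacker-chosen; with the escaped builder both inputs match nothing and only a genuine account name such as `jdoe` finds its entry.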
Directory Structure of LDAP
Like every LDAP directory, Active Directory included, an LDAP server organizes its data hierarchically in a tree, the directory information tree. The top level is the root, which conventionally represents the owning organization. The next level down is usually the domain, which in Active Directory and most modern deployments is written as domain components (for example DC=exampledomain,DC=org), and this is where the tree begins to branch out if the organization uses multiple domains to organize its user base.
How the information is organized depends on how the enterprise has structured its directory, but after the domain level, it’s most common to see the data objects broken down further into users, groups, computers and sometimes split out by other attributes, like department.
There are a few terms we use to describe an object’s location in the LDAP directory.
- Organizational Unit (OU) – You can think of an OU as a sub-folder at one level of the directory, and OUs can be nested. For instance, user John Doe may be located in a Users OU that sits directly beneath the domain exampledomain.org. The domain itself is not an OU: it appears in the tree as domain components (DC=exampledomain,DC=org), and note that Active Directory’s built-in Users folder is a container (CN=Users) rather than an OU, which is why administrators usually create their own OUs for the users they manage.
- Distinguished Name – Like a postal address, the distinguished name (DN) states where in the directory an object can be found: it lists each level from the object itself up to the root, separated by commas, with the object’s own relative distinguished name (its CN, for a user) first. Using the example above, John Doe’s distinguished name would be,
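As an added example (not part of the original article), the following code composes and decomposes distinguished names according to RFC 4514, using the John Doe example above. The exact DN, CN=John Doe,OU=Users,DC=exampledomain,DC=org, is assumed from the article’s description rather than quoted from it. The code shows the escaping a value such as a surname containing a comma needs, walks a DN back up to the root to expose the hierarchy it encodes, and contrasts a correct "is this object under that OU" check with the naive string comparison that an escaped comma defeats.

```python
"""Distinguished-name composition, escaping and ancestry per RFC 4514.
Added example, not from the original article; the DNs used are assumed
from the article's John Doe / Users OU / exampledomain.org description."""
from __future__ import annotations


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    special = ',+"\\<>;'
    out = []
    for ch in value:
        if ch in special:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    text = "".join(out)
    if value.endswith(" "):            # a trailing space must be escaped
        text = text[:-1] + "\\ "
    if text[:1] in ("#", " "):         # so must a leading '#' or space
        text = "\\" + text
    return text


def rdn(attr: str, value: str) -> str:
    """One relative distinguished name, e.g. CN=Doe\\, John."""
    return f"{attr}={escape_rdn_value(value)}"


def build_dn(*rdns: str) -> str:
    """Leaf first, root last: the order LDAP writes DNs."""
    return ",".join(rdns)


def split_dn(dn: str) -> list[str]:
    """Split on unescaped commas only, so escaped commas inside values survive."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parent_dn(dn: str) -> str | None:
    parts = split_dn(dn)
    return ",".join(parts[1:]) if len(parts) > 1 else None


def ancestry(dn: str) -> list[str]:
    """The object and every container above it, one entry per level, root last."""
    chain = []
    while dn:
        chain.append(dn)
        dn = parent_dn(dn)
    return chain


def normalize_dn(dn: str) -> str:
    """Case-fold and trim whitespace around RDNs for comparison purposes."""
    return ",".join(part.strip().lower() for part in split_dn(dn))


def is_under(dn: str, base: str) -> bool:
    """True when dn sits anywhere beneath base, judged by real RDN boundaries."""
    target = normalize_dn(base)
    return any(normalize_dn(a) == target for a in ancestry(dn)[1:])


def naive_is_under(dn: str, base: str) -> bool:
    """Broken check: a value with an escaped comma can fake a parent."""
    return dn.lower().endswith("," + base.lower())


if __name__ == "__main__":
    dn = build_dn(rdn("CN", "John Doe"), rdn("OU", "Users"),
                  rdn("DC", "exampledomain"), rdn("DC", "org"))
    for level in ancestry(dn):
        print(level)
```

The `ancestry` output is the tree read upward, one container per line, which is the hierarchy the article describes. The last two functions are the security point: an object named `CN=evil\,OU=Users` directly under the domain passes the naive suffix check for the Users OU but fails the correct one, so access decisions keyed on DN placement must split on real RDN boundaries rather than on commas.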
In addition to describing an object’s location, LDAP directories use attributes to define the characteristics of an object. For example, you might see first name, last name, job title, department and phone number. While there are many attributes, these are the most common:
- sn (surname, last name)
- userPrincipalName (UPN): the account’s Internet-style logon name, in the form username@suffix. It looks like, and often equals, the user’s email address, but it is a logon identifier, and the suffix after the @ identifies the domain the account belongs to.
Directories That Support LDAP
While LDAP is most commonly used with Microsoft Active Directory, it’s an open protocol that is compatible for use with many other directories as well. Some other commonly used directories are: