Jun 20, 22 8:50 am


What is LDAP and How is it Used?

Jun 20, 2022 | by: Omkar Hiremath

LDAP stands for Lightweight Directory Access Protocol, and it makes it possible for applications to query user information quickly. It’s important to understand that LDAP allows you to query for information, but it doesn’t allow you to store or create pieces of information. For storing information, you need a directory, which is a hierarchical structure that stores information about objects in a network. You can store many types of data in a directory and access this information on demand.

For example, imagine any business that you know. That business has to store usernames, passwords, email addresses and many other pieces of data in its directories. Once that information is stored, its applications need to be able to access it on demand in order for the business to function. For example, every time you log in to an application, that application needs to access information in the directory to complete the authentication process by comparing the credentials the user provided to those in the directory.

What is the Lightweight Directory Access Protocol (LDAP)?

LDAP was developed at the University of Michigan, where Tim Howes (cofounder) was a graduate student at the time, trying to replace DAP (Directory Access Protocol) by providing a low-overhead option for accessing the X.500 directory. Since it was introduced in 1993 it has been extremely popular. LDAP itself is a vendor-neutral protocol that allows you to query your directories to get information. It is commonly used by business applications to allow them to access the information they need to function quickly and easily.

What is Active Directory?

Active Directory is a directory that stores information about objects on the network and makes this information easy for administrators and users to find and use. Some common examples of objects that are included in Active Directory are servers, printers, network users and computer accounts. Active Directory can also store information about user accounts such as names, passwords, phone numbers etc. Services like this integrate well with protocols like LDAP that can be used to query these directories and return information to you.

LDAP vs. Active Directory

It’s important to understand that while LDAP and Active Directory can be used together, they are not the same thing and they are not competitors. They are two distinct services that can be used to complement one another. Active Directory is a directory service database that stores information about objects on a network, while LDAP is a protocol that you or your applications can use to communicate with that directory service to get the information that you need.

Another important thing to note is that Active Directory is a Microsoft product, while LDAP is a vendor-neutral protocol that can be used with several directory services and is not limited to just Active Directory. You don’t need Active Directory to use LDAP; you can use LDAP to query for information as long as you have a directory service that is storing your information, such as OpenLDAP.

The relationship between AD and LDAP can be compared to the relationship between Apache and HTTP:

1) HTTP is a web protocol and Apache is a web server that uses the HTTP protocol.

2) LDAP is a directory services protocol and Active Directory is a directory server that uses the LDAP protocol.

 

Figure: LDAP Active Directory Flow System (source: dnsstuff.com)

What is LDAP Used for?

LDAP is used for communicating with directory servers to extract or interact with data on that server. Within a business, you or your applications will need to access this information hundreds of times per day. Every time someone needs to authenticate to any network resource in your business, there is a directory protocol and server involved in that process.

Operation Types

Using this protocol, a person can perform several types of actions on a directory depending on what their needs are. Here are some of the common operations that a person or application will perform using the protocol:

Add: This allows you to add a new entry to the database/directory. A common example of this is adding a new user account for a new employee.

Delete: This is the opposite of the add operation and allows you to remove an entry from the database. A common use case for this is removing an employee’s account following their termination and deleting their access.

Search: This allows you to search for an entry within the database. This is useful if you want to confirm whether someone has already been deleted from or added to the database.

Compare: Compare two different items within your database/directory for similarities or differences. One use case for this is if you have two employees with the same job function and you want to compare their level of access to ensure that both employees have all of the permissions that they need to do their job.

Modify: This is simply the ability to edit an existing entry in your company’s database. This may need to be done following a promotion where the employee’s role, permissions and details change and that needs to be reflected in the database.

What is LDAP Authentication?

LDAP authentication is the process of authenticating to the LDAP server. Before you can perform any type of query, the server must authenticate the user making the request. The authentication follows the client/server model, where the client is usually an LDAP-ready system or application that is requesting information while the server is the LDAP server.

For LDAP authentication to take place, a client first sends a request for information stored within an LDAP database, along with the user’s credentials, to an LDAP server. Next, the LDAP server authenticates the credentials submitted by the user against the user identity stored in that database. If the credentials match, then the client is granted access and receives the requested information. If the credentials don’t match, then the client is denied access to the database.

What is an LDAP Query?

This query is a command that asks your company’s directory service for a piece of information. You can think of it as the question that you want to ask. For example, if you want to know what groups a user is a part of, you will need to create an LDAP query. That query tells LDAP exactly what information you are looking for and allows it to go and find that information and return it to you. An LDAP query typically consists of four main steps:

Session Connection: The first step in creating the query is to connect to the directory server via an LDAP port.

Request: This is where a user submits the query to the server.

Response: The protocol will query the directory, find the information you are looking for and deliver it to the user.

Completion: The user disconnects from the protocol port.
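
The "what groups is a user part of" query mentioned above, written out as the parameters a client sends in the Request step. This is an added example, not code from the original post; the `group` object class and `member` attribute are assumptions about the directory schema (they match Active Directory), and the DNs are constructed sample values.

```python
# Added example: search parameters for "which groups is this user a member of?".
# Schema names (objectClass=group, member) are assumptions; adjust for your directory.

# Characters RFC 4515 reserves inside a filter value, and their escaped forms.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def group_query(user_dn: str, base_dn: str, group_class: str = "group") -> dict:
    """Build the search request: where to look, how deep, what to match, what to return."""
    flt = "(&(objectClass={})(member={}))".format(
        escape_filter_value(group_class), escape_filter_value(user_dn))
    return {
        "base": base_dn,        # subtree of the directory to search
        "scope": "subtree",     # include all entries below the base
        "filter": flt,          # AND of "is a group" and "lists this user"
        "attributes": ["cn"],   # only return each group's common name
    }

if __name__ == "__main__":
    # Constructed sample DN containing characters that must be escaped.
    q = group_query(r"CN=Doe\, Jane (Contractor),OU=Staff,DC=example,DC=com",
                    "DC=example,DC=com")
    print(q["filter"])
```

Escaping matters whenever the user name or DN comes from outside the application: parentheses and asterisks in a value would otherwise be read as filter syntax.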

Is LDAP secure?

If you are concerned with security there are ways of making LDAP more secure. While the protocol itself hasn’t been identified as a particularly vulnerable protocol, it’s best to use one of the more secure versions of it such as LDAPS (LDAP over TLS/SSL). By using LDAPS you ensure that all communication is encrypted as opposed to the traditional form where the information is transported in plaintext. TLS stands for transport layer security and this is a cryptographic protocol designed to provide communications security over a computer network. SSL stands for secure sockets layer, which was the predecessor of TLS. By using LDAP combined with TLS/SSL you make your communications much more secure than using the traditional form of the protocol.
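
To make the plaintext point concrete, this added example (not from the original post) encodes the simple bind that carries a user's credentials, following the LDAPv3 message layout in RFC 4511, and includes a check that recognises such a bind in a captured payload. The DN and password passed to it are constructed sample values, and the function names are this example's own.

```python
# Added example: BER encoding of an LDAPv3 simple BindRequest (RFC 4511).
# The DN and password used with it are constructed sample values.

def tlv(tag: int, value: bytes) -> bytes:
    """Tag + definite length (short form < 128, long form otherwise) + value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    bind = (tlv(0x02, b"\x03")               # version: INTEGER 3
            + tlv(0x04, dn.encode())         # name: bind DN as OCTET STRING
            + tlv(0x80, password.encode()))  # simple [0]: password, unencrypted
    # msg_id is assumed to fit in one byte (1..127) to keep the example short
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                         # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def cleartext_bind_dn(payload: bytes):
    """Bind DN if payload is a simple bind carrying a password, else None."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        _, _, p = read_tlv(msg, 0)           # skip messageID
        op, bind, _ = read_tlv(msg, p)
        if tag != 0x30 or op != 0x60:
            return None                      # not an LDAP BindRequest
        _, _, p = read_tlv(bind, 0)          # skip version
        _, dn, p = read_tlv(bind, p)
        auth, secret, _ = read_tlv(bind, p)
    except (IndexError, ValueError):
        return None
    return dn.decode(errors="replace") if auth == 0x80 and secret else None
```

The password bytes sit unmodified inside the encoded request, so on an unencrypted connection anyone on the network path can read them; with LDAPS the same message travels inside the TLS session and `cleartext_bind_dn` finds nothing to report in the captured bytes.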

Recap

Lightweight Directory Access Protocol (LDAP) is a protocol that allows users and applications to query user information easily from directory servers such as Active Directory. It works by querying directories, which are hierarchical structures that store information about objects on the network. This type of information can include usernames, passwords, email addresses, printer connections etc. Additionally, it allows you to extract this information from these directories in an easy and efficient way. A big misconception about LDAP is that it is a competitor of Active Directory or that they are the same thing, but that is not true. LDAP is a service that works alongside services like Active Directory. Services like Active Directory are what store the information, while protocols like LDAP allow you to query that information directly or through applications using your user credentials.

About the Author

Omkar Hiremath
Omkar is a cybersecurity team lead who is enthusiastic about cybersecurity, ethical hacking, and Python. He is keenly interested in bug bounty hunting and vulnerability analysis. Omkar spends his time researching and building systems with an intent to make the world a secure place.