Lightweight Directory Access Protocol (LDAP) explained
You probably use the Lightweight Directory Access Protocol (LDAP) a couple of hundred times a day without realizing it. LDAP serves two purposes: reading and writing the entries held in a directory, and authenticating the clients that access them. Because many applications can authenticate against the same directory, one set of credentials works across all of them. Strictly speaking that is centralized authentication rather than single sign-on (SSO), since the user still types the password into each application; true SSO is usually layered on top with Kerberos, SAML or OpenID Connect.
It is a client-server protocol. The client opens a connection and sends a bind request carrying its identity (a distinguished name) and credentials; the server checks them against the directory. If they match, the session is authenticated and every later operation runs with that identity's permissions.
Knowing how LDAP works, the important terms used and the most common use cases for LDAP can help you decide whether it’s right for you.
What is LDAP?
Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral application protocol (LDAPv3 is specified in RFC 4511) that lets applications quickly look up information about users, groups, devices and other objects in a network directory.
The directory behind LDAP is where organizations keep data such as email addresses, usernames and (normally hashed) passwords, group memberships, and records of applications and other IT assets; LDAP is the protocol for reading and writing it. LDAP also handles authentication through its bind operation, which is why many different applications can be pointed at one directory and accept the same username and password.
Important LDAP definitions
To understand LDAP and what it does, it helps to first know a few basic concepts.
- Data models: LDAP is described by four models that together define what a directory holds and how clients interact with it:
- The information model: what can be stored. A directory consists of entries, each representing a real-world object such as a user, device or server. An entry is a set of attributes, and each attribute has a type (for example mail) and one or more values.
- The naming model: how entries are identified. Entries are arranged in a tree, the directory information tree (DIT), and each entry has a distinguished name (DN) derived from its position in that tree.
- The functional model: how data is accessed, that is, the operations an LDAP server supports. They fall into three groups: query (search and compare), update (add, delete, modify and modify DN) and authentication and control (bind, unbind, abandon and extended operations such as StartTLS).
- The security model: how a client's identity is established (authentication, through the bind operation) and, once it is, which entries and attributes it may read or change (authorization, enforced by the server's access controls). Transport protection belongs here too: a simple bind sends the password in the clear, so it should only be used over TLS (LDAPS on port 636, or StartTLS negotiated on port 389).
- Modifications: the modify operation changes the content of an existing entry. Each change is one of add (a value to an attribute), delete (a value, or the whole attribute) or replace (all values); some servers also implement an increment change (RFC 4525). One modify request can carry several changes, which the server applies in the listed order as a single atomic operation, so either all of them take effect or none does.
- The distinguished name (DN): a string that uniquely identifies an entry and fixes its position in the DIT, for example uid=jdoe,ou=People,dc=example,dc=com. Reading it from right to left walks from the root of the tree down to the entry.
- The relative distinguished name (RDN): the leftmost component of a DN (uid=jdoe in the example above). An RDN only has to be unique among the entries under the same parent; a DN is the chain of RDNs from the entry up to the root, which is what makes it unique across the whole directory.
- Schema: the schema defines which object classes and attribute types exist, the syntax and matching rules of each attribute, and which attributes an entry of a given object class must or may carry. The server rejects add and modify requests that would violate it.
- URLs: an LDAP URL (RFC 4516) packs a directory server's address and port together with the DN of an entry and, optionally, the attributes, scope and filter for a search, for example ldap://ldap.example.com/ou=People,dc=example,dc=com?uid,mail?sub?(uid=jdoe).
- Uniform resource identifier (URI): a string of characters that identifies a resource; an LDAP URL is one kind of URI.
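The DN, RDN and URL definitions above are easiest to see in a parser. The following is an added example written for this page, not code from the original article: it splits a DN into its RDNs (honouring backslash escapes, so cn=Doe\, John stays one value) and breaks an LDAP URL into host, port, base DN, attributes, scope and filter with the RFC 4516 defaults. The DN and URL in the demo are constructed, and example.com is a placeholder domain.

```python
"""Parse LDAP distinguished names (RFC 4514) and LDAP URLs (RFC 4516).

Added example; not code from the original article. The DN and URL used in the
demo are constructed, and example.com / ldap.example.com are placeholders.
"""
import string
from urllib.parse import unquote, urlsplit


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on sep, ignoring any sep that is preceded by a backslash escape."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape pair intact for now
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def _unescape_dn_value(value: str) -> str:
    """Decode RFC 4514 escapes: '\\,' -> ',' and '\\2C' -> ',' (hex pairs are UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Return the DN as a list of RDNs, leaf first; each RDN is a list of (type, value).

    Multi-valued RDNs ('cn=Doe\\, John+uid=jdoe') yield more than one pair.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, _, value = ava.partition("=")
            avas.append((attr_type.strip().lower(), _unescape_dn_value(value.strip())))
        rdns.append(avas)
    return rdns


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN: the DN of the parent entry in the DIT."""
    return ",".join(r.strip() for r in _split_unescaped(dn, ",")[1:])


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into host, port, base DN, attributes, scope, filter, extensions.

    Defaults follow RFC 4516: port 389 (636 for ldaps), scope 'base', filter '(objectClass=*)'.
    """
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    fields = u.query.split("?") if u.query else []
    fields += [""] * (4 - len(fields))            # attributes?scope?filter?extensions
    attributes, scope, filt, extensions = fields[:4]
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base_dn": unquote(u.path[1:]),           # path is '/' followed by the DN
        "attributes": [a for a in unquote(attributes).split(",") if a],
        "scope": unquote(scope) or "base",
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": [e for e in unquote(extensions).split(",") if e],
    }


if __name__ == "__main__":
    dn = "cn=Doe\\, John+uid=jdoe,ou=People,dc=example,dc=com"   # constructed
    print(parse_dn(dn))
    print(parent_dn(dn))
    print(parse_ldap_url("ldap://ldap.example.com/ou=People,dc=example,dc=com?uid,mail?sub?(uid=jdoe)"))
```

Two details matter in practice: commas and plus signs inside a value are escaped rather than quoted, so a naive split on "," breaks DNs such as cn=Doe\, John; and an LDAP URL uses "?" as a field separator, so the scope and filter live in the query part and must be read positionally rather than as key=value pairs.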
How LDAP works
LDAP is based on client-server interaction. The client opens a connection and starts an authenticated session with a bind request that carries an identity (a DN) and credentials; the server checks them against the directory and, if they match, associates that identity and its access rights with the session.
An LDAP query involves these steps:
- Session connection: the client opens a TCP connection to the server's LDAP port (389 by default, or 636 for LDAP over TLS).
- Request: the client sends one or more operations, typically a bind followed by a search.
- Response: the server looks up the directory and returns the matching entries, followed by a result message that carries a result code.
- Completion: the client sends an unbind request and closes the connection.
Before a client can read anything beyond what the server allows anonymously, it authenticates with a bind request using one of the following methods.
- Simple: the client supplies a DN and a password. The password travels in the clear inside the bind request, so simple binds should only be used over TLS. Note that a DN with an empty password is treated as an unauthenticated (effectively anonymous) bind by many servers, so an application that passes a blank password field straight through can "log in" a user who never proved anything; check that the password is non-empty before binding.
- Simple Authentication and Security Layer (SASL): a framework that lets the bind carry other authentication mechanisms, for example GSSAPI (Kerberos tickets), DIGEST-MD5, or EXTERNAL, which reuses the identity already proven by a client certificate on the TLS connection. It is negotiated as part of the bind itself, not a separate service that runs before the connection.
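To make the bind exchange concrete, here is an added example (not code from the original article) that encodes an LDAPv3 simple BindRequest and the server's BindResponse in BER exactly as they appear on the wire, and then decodes the request the way a passive sniffer would. The DN and password are constructed placeholders; the point is that without TLS the password is a plain OCTET STRING in the packet.

```python
"""Encode and decode an LDAPv3 simple bind exchange (RFC 4511) in BER.

Added example; not code from the original article. The DN and password are
constructed placeholders. It shows what a simple bind looks like on the wire:
without TLS the password is a plain OCTET STRING anyone on the path can read.
"""


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _integer(n: int) -> bytes:
    """INTEGER in minimal two's-complement form (message IDs, version numbers)."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication simple } }."""
    bind = (
        _integer(3)                               # version INTEGER (LDAPv3)
        + _tlv(0x04, dn.encode("utf-8"))          # name LDAPDN, an OCTET STRING
        + _tlv(0x80, password.encode("utf-8"))    # simple [0] OCTET STRING: cleartext password
    )
    body = _integer(message_id) + _tlv(0x60, bind)  # BindRequest is [APPLICATION 0], constructed
    return _tlv(0x30, body)                         # LDAPMessage is a SEQUENCE


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (
        _tlv(0x0A, bytes([result_code]))          # resultCode ENUMERATED: 0 success, 49 invalidCredentials
        + _tlv(0x04, b"")                         # matchedDN
        + _tlv(0x04, diagnostic.encode("utf-8"))  # diagnosticMessage
    )
    return _tlv(0x30, _integer(message_id) + _tlv(0x61, result))  # BindResponse is [APPLICATION 1]


def _read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the BER element at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(packet: bytes) -> dict:
    """Recover message ID, DN and password from a captured simple bind, as a sniffer would."""
    tag, msg, _ = _read_tlv(packet)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = _read_tlv(msg)
    tag, bind, _ = _read_tlv(msg, pos)
    assert tag == 0x60, "not a BindRequest"
    _, version, pos = _read_tlv(bind)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, cred, _ = _read_tlv(bind, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": version[0],
        "dn": name.decode("utf-8"),
        "auth": "simple" if auth_tag == 0x80 else "sasl",  # sasl [3] is a SEQUENCE, tag 0xA3
        "password": cred.decode("utf-8") if auth_tag == 0x80 else None,
    }


def parse_bind_response(packet: bytes) -> dict:
    tag, msg, _ = _read_tlv(packet)
    _, mid, pos = _read_tlv(msg)
    tag, resp, _ = _read_tlv(msg, pos)
    assert tag == 0x61, "not a BindResponse"
    _, code, pos = _read_tlv(resp)
    _, _matched, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": code[0], "diagnostic": diag.decode("utf-8")}


if __name__ == "__main__":
    req = bind_request(1, "cn=admin,dc=example,dc=com", "secret")   # constructed credentials
    print(req.hex())
    print(parse_bind_request(req))   # the password is right there: simple bind needs TLS
    print(parse_bind_response(bind_response(1, 49)))
```

Result code 49 (invalidCredentials) is what a server returns for a wrong password; 0 is success. A real client reads the response's message ID to pair it with the request it sent, since several operations can be outstanding on one connection.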
Using LDAP, clients can perform these operations:
- Add: create a new entry in the directory.
- Delete: remove an entry. Only leaf entries can be deleted, so a subtree is removed from the bottom up.
- Search: return the entries under a base DN, within a given scope, that match a filter, optionally restricted to a list of attributes.
- Compare: ask whether a given entry has a given attribute value. The answer is true or false and the value itself is never returned, which makes it a convenient way to check group membership.
- Modify: change the attributes of an existing entry; the separate modify DN operation renames or moves it.
Use cases for LDAP
As an open standard, vendor-neutral protocol, LDAP works with a range of directory servers, platforms, and applications. Its most common use is as the central source of authentication data such as usernames and passwords.
Many applications can authenticate users against an LDAP directory, including OpenVPN, Jenkins, Samba on Linux and, indirectly, Kubernetes (which has no built-in LDAP authenticator and relies on an OIDC provider or authenticating proxy backed by the directory). Because they all check credentials against the same directory, administrators manage access in one place: disabling an account in the directory cuts it off everywhere at once.
For organizations weighing whether to use LDAP, here are some important things to consider:
- Do you need small pieces of data found and retrieved rapidly and frequently, with reads far outnumbering writes?
- Do you have many small entries rather than large records?
- Do you need these entries in one unified, hierarchical location, without relational joins or transactions spanning several entries?
LDAP and Active Directory
Active Directory is Microsoft's directory service, used to manage domains, users, computers and other resources in a Windows environment. A directory service keeps track of the objects in a domain and controls which users have access to a given resource.
LDAP and Active Directory are often mentioned together, but they are different things: LDAP is a protocol, and Active Directory is a directory server that, among other things, speaks it (on ports 389 and 636), alongside Kerberos for Windows authentication.
Active Directory holds an object for every user, computer and group on the network, with attributes such as name and email address. LDAP is the protocol by which applications retrieve that data from Active Directory in a usable form.
An LDAP client queries Active Directory with string-based search filters, for example (&(objectClass=user)(sAMAccountName=jdoe)), and receives the matching objects' attributes over the network. Password hashes are not returned by a search; an application verifies a password by binding as the user instead. Because filters are strings, any value taken from user input must be escaped before it is spliced in, or a crafted username can change what the filter matches.
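The following added example (not code from the original article) shows why the escaping matters. It builds the Active Directory user lookup above in a vulnerable and a hardened form, then evaluates both against a small constructed in-memory directory with a filter evaluator that covers the and, or, not, equality, presence and substring cases of RFC 4515. The entries and usernames are constructed; matching is case-insensitive, as it is for caseIgnoreMatch attributes such as sAMAccountName.

```python
"""Build and evaluate LDAP search filters safely (RFC 4515).

Added example; not code from the original article. The filter template mirrors
a common Active Directory user lookup; the directory entries and the usernames
fed in are constructed. The evaluator covers a subset of RFC 4515 (and, or,
not, equality, presence and substring filters) and compares case-insensitively.
"""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be matched, never parsed."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(username: str) -> str:
    """Vulnerable: the input is spliced into the filter unescaped."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def safe_user_filter(username: str) -> str:
    """Hardened: metacharacters in the input cannot change the filter's structure."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def _parse_filter(s: str, pos: int = 0):
    """Parse one parenthesised filter at s[pos:], returning (tree, position after it)."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = s[pos]
    if op in ("&", "|"):
        pos, children = pos + 1, []
        while s[pos] == "(":
            child, pos = _parse_filter(s, pos)
            children.append(child)
        return (op, children), pos + 1          # skip the closing ')'
    if op == "!":
        child, pos = _parse_filter(s, pos + 1)
        return ("!", child), pos + 1
    end = s.index(")", pos)                     # simple item: attr=value, value may contain '*'
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def _unescape_filter_value(value: str) -> str:
    """Turn '\\2a' back into '*' and so on (ASCII escapes only, enough for this demo)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match_value(pattern: str, actual: str) -> bool:
    """Equality, presence ('*') or substring ('ab*cd') match of one assertion value."""
    pieces = [_unescape_filter_value(p).lower() for p in pattern.split("*")]
    actual = actual.lower()
    if len(pieces) == 1:
        return actual == pieces[0]
    if not (actual.startswith(pieces[0]) and actual.endswith(pieces[-1])):
        return False
    pos = len(pieces[0])
    for middle in pieces[1:-1]:                 # 'any' components must appear in order
        idx = actual.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= len(actual) - len(pieces[-1])


def _matches(node, attrs: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, attrs) for c in node[1])
    if op == "|":
        return any(_matches(c, attrs) for c in node[1])
    if op == "!":
        return not _matches(node[1], attrs)
    _, attr, pattern = node
    return any(_match_value(pattern, v) for v in attrs.get(attr, []))


def search(entries, filter_str: str) -> list[str]:
    """Return the DNs of the entries matching filter_str."""
    tree, end = _parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [dn for dn, attrs in entries if _matches(tree, attrs)]


# Constructed sample directory; attribute names are lower-cased to mimic case-insensitive lookup.
DIRECTORY = [
    ("CN=Alice,OU=People,DC=example,DC=com", {"objectclass": ["user"], "samaccountname": ["alice"]}),
    ("CN=Bob,OU=People,DC=example,DC=com", {"objectclass": ["user"], "samaccountname": ["bob"]}),
    ("CN=svc-backup,OU=Service,DC=example,DC=com", {"objectclass": ["user"], "samaccountname": ["svc-backup"]}),
    ("CN=Admins,OU=Groups,DC=example,DC=com", {"objectclass": ["group"], "samaccountname": ["admins"]}),
]


if __name__ == "__main__":
    print(search(DIRECTORY, unsafe_user_filter("alice")))   # the intended single match
    print(search(DIRECTORY, unsafe_user_filter("*")))       # injection: every user object
    print(search(DIRECTORY, safe_user_filter("*")))         # hardened: nothing is named '*'
```

With the unsafe template a username of "*" turns the equality test into a presence test and matches every user object, and "svc-*" enumerates service accounts by prefix; with escaping those inputs match nothing. Real LDAP libraries ship an equivalent of escape_filter_value; use it for every value that did not originate in your own code.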
Accessing the data held in a directory and authenticating users are the two main functions of LDAP. The whole exchange happens behind the scenes, without users issuing requests manually. Knowing how LDAP works can help you decide whether it is the right fit for your platform or organization.