Lightweight Directory Access Protocol

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that enables access to distributed directory services, allowing organizations to centralize user authentication and authorization across enterprise environments.

LDAP connects clients with directory servers through a structured hierarchy using standardized operations for centralized authentication management.

How LDAP Works

LDAP operates through a four-stage process that begins with the client opening a TCP connection, on port 389 for standard LDAP or port 636 for LDAPS. The Simple Authentication and Security Layer (SASL) framework supports multiple authentication methods, including Kerberos, certificate-based authentication, and password-based mechanisms; the client and server negotiate the strongest mechanism both support, and the client's identity is verified before it is granted access to the directory.

The LDAP directory structure uses a hierarchical model organized around Distinguished Names (DNs) that uniquely identify each entry. Organizations typically structure their directories around organizational units (OUs) that mirror business structures, with entries for users, groups, computers, and other resources.

LDAP in Enterprise Security

LDAP plays a foundational role in enterprise identity and access management. Active Directory, the most widely deployed enterprise directory service, uses LDAP as its primary access protocol. LDAP-enabled applications query the directory to authenticate users and retrieve authorization information, enabling centralized access control across diverse applications and systems.

Security Considerations

LDAP security requires attention to authentication strength, transport encryption, and access controls. Standard LDAP transmits data in cleartext, making LDAPS (LDAP over SSL/TLS) essential for protecting directory queries and responses from interception. LDAP injection attacks exploit applications that construct LDAP queries from user input without proper sanitization, similar to SQL injection. Organizations should implement strong authentication for directory access, monitor LDAP queries for anomalous patterns, and restrict which systems can query directory services.
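The LDAP injection point above, shown as an added example that is not part of the original glossary entry: a search filter built by splicing user input straight into the filter string, beside a hardened version that escapes the RFC 4515 filter metacharacters first. The filter template, the `count_components` helper and the sample usernames are constructed for this illustration.

```python
"""Escaping user input before placing it in an LDAP search filter (RFC 4515)."""

# RFC 4515 gives these characters special meaning inside an assertion value;
# each must be replaced by a backslash followed by its two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str) -> str:
    """The pattern the text warns about: user input spliced directly into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def build_filter_safe(username: str) -> str:
    """Hardened form: escaped input can only ever be matched as a literal value."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def count_components(ldap_filter: str) -> int:
    """Count filter components by counting unescaped '(' characters.

    A filter built from a template with N components should always have N;
    a higher count means the input changed the filter's structure.
    """
    count = 0
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip the backslash and the two hex digits of an escape
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed input containing filter metacharacters.
    for name in ("alice", "alice)(cn=*"):
        for builder in (build_filter_vulnerable, build_filter_safe):
            f = builder(name)
            print(f"{builder.__name__:24} components={count_components(f)}  {f}")
```

The template always has three components; the vulnerable builder reports four for the second input because the parentheses in the input opened a new component, while the safe builder stays at three.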
