Lightweight Directory Access Protocol
aliases:
LDAP
A network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
LDAP is based on the X.500 series of directory standards. Because the full X.500 stack and its Directory Access Protocol are complex, most directory services implement LDAP instead. LDAP is therefore not itself a directory standard but a lightweight protocol for querying and updating X.500-style directories.
LDAP is widely supported, most notably in Windows Active Directory. The insecure (non-TLS) version runs over 389/both; in practice LDAP sessions use TCP, while UDP 389 carries connectionless LDAP (CLDAP), which Active Directory uses for domain-controller discovery pings.
Directories
All information is stored in a directory. Directories are like databases: an object is a record, and the object's attributes are its fields. In X.500, each object has a unique identifier called a distinguished name (DN). A DN is a comma-separated sequence of attribute=value pairs (relative distinguished names, RDNs), with the most specific listed first and each following one broader and more general, for example cn=jdoe,ou=Users,dc=example,dc=com.
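The comma-separated structure above is only safe to build or split if the RFC 4514 escaping rules are honoured: a comma, plus sign or backslash inside a value is written with a backslash prefix, and non-ASCII bytes may appear as \XX hex pairs. The following is an added example, not code from the original page: a small DN parser and escaper that handles those cases, so that untrusted input placed into a DN cannot add an extra RDN. The sample DNs in the comments are constructed for illustration.

```python
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514, section 2.4).
_SPECIAL = ',+"\\<>;'
_HEX = re.compile(r"[0-9A-Fa-f]{2}")


def split_dn(dn: str):
    """Parse an RFC 4514 DN into a list of RDNs, most specific first.

    Each RDN is a list of (attribute_type, value) pairs; an RDN joined with
    '+' yields more than one pair. Backslash escapes are honoured, so an
    escaped comma inside a value is not mistaken for an RDN separator.
    Example (constructed): r"cn=Doe\, John,ou=Users,dc=example,dc=com"
    -> [[("cn", "Doe, John")], [("ou", "Users")], [("dc", "example")], [("dc", "com")]]
    """
    if not dn:
        return []                      # empty DN: the root / anonymous identity
    rdns, rdn = [], []
    attr, buf = None, bytearray()      # values are collected as UTF-8 bytes
    i = 0

    def finish_pair():
        nonlocal attr, buf
        if attr is None:
            raise ValueError("RDN without '=' in %r" % dn)
        rdn.append((attr.strip().lower(), buf.decode("utf-8")))
        attr, buf = None, bytearray()

    while i < len(dn):
        c = dn[i]
        if c == "\\":
            nxt = dn[i + 1:i + 2]
            if nxt and (nxt in _SPECIAL or nxt in " #="):
                buf += nxt.encode("utf-8")
                i += 2
                continue
            if _HEX.fullmatch(dn[i + 1:i + 3]):
                buf.append(int(dn[i + 1:i + 3], 16))   # \XX is one UTF-8 byte
                i += 3
                continue
            raise ValueError("bad escape at offset %d in %r" % (i, dn))
        if c == "=" and attr is None:
            attr, buf = buf.decode("utf-8"), bytearray()
        elif c in ",+":
            finish_pair()
            if c == ",":
                rdns.append(rdn)
                rdn = []
        elif c == " " and attr is None and not buf:
            pass                       # tolerate a space after a separator
        else:
            buf += c.encode("utf-8")
        i += 1
    finish_pair()
    rdns.append(rdn)
    return rdns


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an RDN value so untrusted input cannot add
    or alter RDNs when the DN is assembled by string concatenation."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and idx == 0:
            out.append("\\#")
        elif ch == " " and idx in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns) -> str:
    """Inverse of split_dn: serialise RDNs back to an escaped DN string."""
    return ",".join(
        "+".join("%s=%s" % (attr, escape_rdn_value(val)) for attr, val in rdn)
        for rdn in rdns
    )
```

Attribute types are case-insensitive and are lower-cased on parse; values are kept byte-exact. Always pass user-controlled names through escape_rdn_value (or build_dn) rather than concatenating them into a DN string directly.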
Secure LDAP
By itself, LDAP offers no security: all transmissions are in plaintext, making it vulnerable to sniffing and spoofing attacks. Authentication, called binding (the client's bind operation), can be implemented in several ways:
- Simple Bind: the client provides its distinguished name (DN) and password, but these are still sent in plaintext unless the connection is protected by TLS. A bind with a DN and an empty password is an unauthenticated bind, which many servers treat as anonymous access, so clients must reject empty passwords rather than assume the user was verified.
- Simple Authentication and Security Layer (SASL): a framework that lets the client and server negotiate an authentication mechanism, such as GSSAPI (Kerberos), and optionally a security layer that signs and seals the subsequent traffic. TLS can also be added to the port 389 session with the StartTLS extended operation.
- LDAP Secure (LDAPS): the server is provisioned with a digital certificate, which it uses to set up a TLS session that authenticates the server and protects the user's credentials. Runs over 636/both (in practice TCP). The client must validate the certificate chain and hostname; a client that skips validation is still exposed to spoofing.
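To make the plaintext point concrete, the following is an added example (not code from the original page) that encodes an LDAPv3 BindRequest with minimal BER, exactly as RFC 4511 lays it out, and decodes it again. Inspecting the bytes shows that a simple bind carries the DN and password as plain OCTET STRINGs, while a SASL bind exposes only the mechanism name. The last function is a small detection rule of the kind one would run over captures from port 389: it reports simple binds that carry a non-empty password and ignores anonymous or unauthenticated binds. The DNs and the password in the comments and tests are constructed for illustration.

```python
"""Minimal BER encoder/decoder for the LDAPv3 BindRequest (RFC 4511, section 4.2)."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60        # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80         # AuthenticationChoice: simple [0] OCTET STRING
AUTH_SASL = 0xA3           # AuthenticationChoice: sasl [3] SaslCredentials


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v: int) -> bytes:
    """Non-negative INTEGER with a minimal two's-complement body."""
    return _tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage carrying a simple bind: DN and password are plain OCTET STRINGs."""
    bind = _tlv(BIND_REQUEST, _ber_int(3)                       # version 3
                + _tlv(OCTET_STRING, dn.encode("utf-8"))
                + _tlv(AUTH_SIMPLE, password.encode("utf-8")))
    return _tlv(SEQUENCE, _ber_int(msg_id) + bind)


def sasl_bind_request(msg_id: int, dn: str, mechanism: str, credentials: bytes = b"") -> bytes:
    """LDAPMessage carrying a SASL bind; only the mechanism name (e.g. GSSAPI) is in clear."""
    sasl = _tlv(AUTH_SASL, _tlv(OCTET_STRING, mechanism.encode("utf-8"))
                + (_tlv(OCTET_STRING, credentials) if credentials else b""))
    bind = _tlv(BIND_REQUEST, _ber_int(3) + _tlv(OCTET_STRING, dn.encode("utf-8")) + sasl)
    return _tlv(SEQUENCE, _ber_int(msg_id) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(buf: bytes):
    """Decode a BindRequest; return a dict, or None if buf is not one."""
    try:
        tag, msg, _ = _read_tlv(buf, 0)
        if tag != SEQUENCE:
            return None
        tag, mid, pos = _read_tlv(msg, 0)
        tag2, bind, _ = _read_tlv(msg, pos)
        if tag != INTEGER or tag2 != BIND_REQUEST:
            return None
        _, ver, pos = _read_tlv(bind, 0)
        _, dn, pos = _read_tlv(bind, pos)
        atag, auth, _ = _read_tlv(bind, pos)
        out = {"message_id": int.from_bytes(mid, "big"),
               "version": int.from_bytes(ver, "big"),
               "dn": dn.decode("utf-8")}
        if atag == AUTH_SIMPLE:
            out.update(auth="simple", password=auth.decode("utf-8"))
        elif atag == AUTH_SASL:
            _, mech, _ = _read_tlv(auth, 0)
            out.update(auth="sasl", mechanism=mech.decode("utf-8"))
        else:
            out["auth"] = "unknown"
        return out
    except (IndexError, UnicodeDecodeError):
        return None                    # truncated or malformed message


def cleartext_bind_alert(buf: bytes):
    """Detection rule for traffic seen on the non-TLS port: report a simple bind
    that carries a non-empty password. An empty password is an anonymous or
    unauthenticated bind, which leaks no credential and is not reported."""
    req = parse_bind_request(buf)
    if req and req["auth"] == "simple" and req["password"]:
        return "cleartext simple bind as %r (msgid %d)" % (req["dn"], req["message_id"])
    return None


if __name__ == "__main__":
    # Constructed sample: the password is literally visible in the wire bytes.
    pkt = simple_bind_request(1, "cn=jdoe,ou=Users,dc=example,dc=com", "hunter2")
    print(pkt.hex(), cleartext_bind_alert(pkt))
```

Running this against real traffic means reassembling TCP segments first, since one LDAPMessage may span several packets; the decoder above works on a complete message. The same simple bind sent inside a TLS session (LDAPS or after StartTLS) is not visible to an observer at all, which is the point of the two secure options above.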