
LDAP (Lightweight Directory Access Protocol)

An open, vendor-neutral protocol for accessing and maintaining distributed directory services over a network.

Category: Identity & Access Management
Also called: "directory services", "LDAP protocol"

LDAP provides a standardized way to query and modify directory services that store user identities, organizational data, and access control information across enterprise environments.

Why it matters

  • Foundation for centralized identity management in most enterprises.
  • Enables single sign-on by providing a unified user directory for authentication.
  • Supports hierarchical organizational structures (OUs, groups, users).
  • Critical for integration between identity providers, applications, and network resources.

Key concepts

  • Directory Information Tree (DIT): Hierarchical structure organizing entries from root to leaves.
  • Distinguished Name (DN): Unique identifier for each entry (e.g., cn=john,ou=users,dc=company,dc=com).
  • Attributes: Key-value pairs describing entry properties (cn, mail, memberOf).
  • Schema: Definitions of object classes and attributes allowed in the directory.
  • Bind operation: Authentication step before performing directory operations.
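The DN and DIT concepts above are easiest to see with a small parser. The following is an added example written for this glossary entry, not code from the page or from any LDAP library: it parses and serialises Distinguished Names using the RFC 4514 string form, computes an entry's parent in the tree, and checks whether an entry sits under a given base. The function names (parse_dn, format_dn, parent_dn, is_under, escape_rdn_value) are the example's own, and it assumes that attribute types and, for the is_under check, values compare case-insensitively, which is how cn, ou and dc behave under the caseIgnore matching rule.

```python
"""Parse and build LDAP Distinguished Names (RFC 4514) and walk the DIT.
Added example for this glossary entry, not code from the page or any LDAP library.
Assumption: attribute types and (for is_under) values match case-insensitively,
as cn, ou and dc do under the caseIgnore matching rule."""
import string

_SPECIAL = set('"+,;<>\\')   # need a backslash inside a value (RFC 4514 section 2.4)

def escape_rdn_value(value: str) -> str:
    """Escape a raw value so it can sit in a DN string without changing the DN's structure."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")            # NUL must use the hex-pair form
        elif ch in _SPECIAL:
            out.append("\\" + ch)         # separators and quotes
        elif ch == " " and i in (0, last):
            out.append("\\ ")             # leading/trailing space is only kept if escaped
        elif ch == "#" and i == 0:
            out.append("\\#")             # a leading '#' would mean a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)

def _split_unescaped(text: str, sep: str) -> list:
    """Split on `sep`, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])     # keep the escape pair for _unescape()
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts

def _trim(text: str) -> str:
    """Drop optional spaces around a component but keep an escaped trailing space."""
    text = text.lstrip(" ")
    while text.endswith(" "):
        body = text[:-1]
        if (len(body) - len(body.rstrip("\\"))) % 2 == 1:
            break                         # odd run of backslashes: the space belongs to the value
        text = body
    return text

def _unescape(raw: str) -> str:
    """Decode backslash-char and backslash-hexpair escapes; hex pairs are UTF-8 bytes."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf += raw[i + 1].encode("utf-8")
                i += 2
        else:
            buf += raw[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")

def parse_dn(dn: str) -> list:
    """DN -> list of RDNs, leaf first; each RDN is a list of (type, value) pairs."""
    if dn.strip() == "":
        return []                         # the empty DN names the root of the DIT
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava_text in _split_unescaped(_trim(rdn_text), "+"):
            attr, sep, value = ava_text.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava_text!r}")
            avas.append((attr.strip().lower(), _unescape(_trim(value))))
        rdns.append(avas)
    return rdns

def format_dn(rdns: list) -> str:
    """Inverse of parse_dn(): serialise with proper escaping."""
    return ",".join("+".join(f"{a}={escape_rdn_value(v)}" for a, v in rdn) for rdn in rdns)

def parent_dn(dn: str) -> str:
    """The entry one level up the tree (the immediate superior)."""
    return format_dn(parse_dn(dn)[1:])

def is_under(dn: str, base: str) -> bool:
    """True if dn is a proper descendant of base (case-insensitive comparison, see docstring)."""
    norm = lambda rdns: [sorted((a, v.lower()) for a, v in rdn) for rdn in rdns]
    d, b = norm(parse_dn(dn)), norm(parse_dn(base))
    return len(d) > len(b) and d[len(d) - len(b):] == b

if __name__ == "__main__":
    entry = "cn=john,ou=users,dc=company,dc=com"   # the DN from the glossary's own example
    print(parse_dn(entry), parent_dn(entry), is_under(entry, "dc=company,dc=com"))
    print(format_dn([[("cn", "Smith, John")], [("dc", "company")]]))  # cn=Smith\, John,dc=company
```

The escaping side is the part that matters for security: a value such as "Smith, John" placed into a DN by string concatenation would be read as two RDNs, so any code that builds DNs from user-supplied names should go through something like escape_rdn_value, and the is_under check is how a service account can confirm that an entry it was handed really lives in the subtree it is allowed to touch.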

Common LDAP implementations

  • Microsoft Active Directory: Most widely deployed, extends LDAP with Windows-specific features.
  • OpenLDAP: Open-source implementation for Linux/Unix environments.
  • FreeIPA: Red Hat's integrated identity solution combining LDAP, Kerberos, and DNS.
  • Apache Directory Server: Java-based LDAP server.

Security considerations

  • Always use LDAPS (LDAP over TLS) on port 636 instead of plaintext LDAP on port 389.
  • Implement strong bind authentication rather than anonymous binds.
  • Apply principle of least privilege to service accounts querying the directory.
  • Monitor LDAP searches and bind attempts for enumeration attacks and credential stuffing.
  • Use read-only replicas for application queries to protect the master directory.
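The monitoring recommendation in the list above, as an added example (not from the page or from any LDAP server): a small detector that reads a simplified one-line-per-operation bind/search log and flags three of the conditions the list warns about, an anonymous bind being accepted, one client failing to bind as many different accounts in a short window (the signature of credential stuffing or password spraying), and a single search pulling back a very large number of entries (bulk enumeration). The log format, the IP addresses and account names, and the thresholds are all constructed for this example; real servers log in their own formats, so parse_log would have to be adapted to them.

```python
"""Flag LDAP bind abuse and bulk enumeration in a constructed, simplified access log.
Added example for this glossary entry, not from the page or any LDAP server; the
one-line-per-operation log format below is constructed for the example (real servers
log in their own formats) and the thresholds are starting points, not tuned values."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed format: "<epoch> <client_ip> BIND <bind_dn|-> <RESULT>"
#                  or "<epoch> <client_ip> SEARCH base=<dn> filter=<filter> nentries=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) (?:BIND (?P<dn>\S+) (?P<result>\S+)"
    r"|SEARCH base=(?P<base>\S+) filter=(?P<flt>\S+) nentries=(?P<n>\d+))$"
)

# Constructed sample log: one user's typo (10.0.0.5), one client failing against four
# accounts in four seconds and then dumping the directory (10.0.0.9), one anonymous bind.
SAMPLE_LOG = """\
1700000000 10.0.0.5 BIND cn=alice,ou=users,dc=company,dc=com SUCCESS
1700000001 10.0.0.9 BIND cn=alice,ou=users,dc=company,dc=com INVALID_CREDENTIALS
1700000002 10.0.0.9 BIND cn=bob,ou=users,dc=company,dc=com INVALID_CREDENTIALS
1700000003 10.0.0.9 BIND cn=carol,ou=users,dc=company,dc=com INVALID_CREDENTIALS
1700000004 10.0.0.9 BIND cn=dave,ou=users,dc=company,dc=com INVALID_CREDENTIALS
1700000005 10.0.0.5 BIND cn=alice,ou=users,dc=company,dc=com INVALID_CREDENTIALS
1700000006 10.0.0.5 BIND cn=alice,ou=users,dc=company,dc=com SUCCESS
1700000010 10.0.0.9 SEARCH base=dc=company,dc=com filter=(objectClass=*) nentries=4200
1700000011 10.0.0.5 SEARCH base=ou=users,dc=company,dc=com filter=(uid=alice) nentries=1
1700000020 10.0.0.7 BIND - SUCCESS
"""

@dataclass
class Event:
    ts: int
    ip: str
    kind: str              # "BIND" or "SEARCH"
    dn: str = ""           # BIND: bind DN, "-" means anonymous
    result: str = ""       # BIND: result
    base: str = ""         # SEARCH: base DN
    flt: str = ""          # SEARCH: filter
    nentries: int = 0      # SEARCH: entries returned

def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records; rejects lines it cannot read."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        g = m.groupdict()
        if g["dn"] is not None:
            events.append(Event(int(g["ts"]), g["ip"], "BIND", dn=g["dn"], result=g["result"]))
        else:
            events.append(Event(int(g["ts"]), g["ip"], "SEARCH",
                                base=g["base"], flt=g["flt"], nentries=int(g["n"])))
    return events

def detect(events: list, window: int = 60, distinct_limit: int = 3, bulk_limit: int = 1000) -> list:
    """Return (kind, client_ip, detail) findings. Thresholds are constructed defaults."""
    findings, failures = [], defaultdict(list)     # failures: ip -> [(ts, dn), ...]
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "BIND" and e.dn == "-" and e.result == "SUCCESS":
            findings.append(("anonymous_bind", e.ip, "server accepted an anonymous bind"))
        elif e.kind == "BIND" and e.result != "SUCCESS":
            failures[e.ip].append((e.ts, e.dn))
        elif e.kind == "SEARCH" and e.nentries >= bulk_limit:
            findings.append(("bulk_enumeration", e.ip,
                             f"{e.nentries} entries returned for {e.flt} under {e.base}"))
    # Credential stuffing / spraying signature: one client fails against many *different*
    # accounts in a short window (a single user mistyping a password hits one DN only).
    for ip, fails in failures.items():
        for i, (start, _) in enumerate(fails):
            accounts = {dn for ts, dn in fails[i:] if ts - start <= window}
            if len(accounts) >= distinct_limit:
                findings.append(("credential_stuffing", ip,
                                 f"{len(accounts)} distinct accounts failed within {window}s"))
                break
    return findings

if __name__ == "__main__":
    for kind, ip, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:20} {ip:10} {detail}")
```

Counting distinct accounts per source, rather than raw failures, is what separates stuffing from an ordinary user who mistypes a password a few times; the bulk-entry threshold needs to be set from the directory's normal query sizes, since a legitimate sync job against a read-only replica can also return thousands of entries.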

Common pitfalls

  • Exposing LDAP services directly to the internet.
  • Using simple bind authentication over unencrypted connections.
  • Granting applications excessive directory permissions.
  • Not implementing connection pooling, causing performance issues.