Protocol application icon

Lightweight Directory Access Protocol (LDAP)

What is LDAP (Lightweight Directory Access Protocol)?

The Lightweight Directory Access Protocol (LDAP) is a vendor-neutral application protocol used to maintain distributed directory info in an organized, easy-to-query manner. That means it allows you to keep a directory of items and information about them.

LDAP stores this data by way of records which contain a set of attributes. Think of the attributes like fields in a database. The record itself has a unique identifier, a 'Distinguished Name' in LDAP parlance, most often seen as 'DN.' This is the unique bit of each entry, kind of like the path to a file on your file system. Or perhaps more accurately similar to a street address, since postal addresses begin with the most specific bit first (house number, etc.), as do DNs. Each other attribute in the record has a name and a type, as well as one or more values.

How does LDAP authentication, authorization & access control work?

LDAP lends itself extremely well to things like access control and authorization. Which groups is a user in? Only users in the detective group should have access to the clues application, so when someone attempts to log in, ensure they are in the proper group before granting access, etc.

But how does one gain access to all of those records? The process is pretty straight forward from a flow perspective:

  1. A session begins with a client binding to an LDAP server (DSA, Directory System Agent), default port 389
  2. The client then sends an operation request (often a search or compare request, for example) to the server, asking for a particular set of information.
  3. The server then processes this query, and supplies a response.
  4. The client receives the response and unbinds, then processes the data.

What are directory information services?

Directories, or directory information services, are network databases that store information in data trees. Each entry in the tree includes (among other, less critical components) a distinguished name, a collection of attributes, and a collection of object classes.

For example, Active Directory is the proprietary directory services provider for Windows environments. LDAP is a request-response protocol that allows you to easily interact with directory servers like Active Directory by using specific entry components in order to find, view, or edit information.