
Lightweight Directory Access Protocol (LDAP)

What is LDAP (Lightweight Directory Access Protocol)?

The Lightweight Directory Access Protocol (LDAP) is a vendor-neutral application protocol used to maintain distributed directory information in an organized, easy-to-query manner. In other words, it lets you keep a directory of items and information about them.

LDAP stores this data as records, each containing a set of attributes. Think of the attributes as fields in a database. The record itself has a unique identifier, a 'Distinguished Name' in LDAP parlance, most often seen as 'DN'. This is the unique part of each entry, somewhat like the path to a file on your file system. Or, perhaps more accurately, it is like a street address: postal addresses begin with the most specific part (house number, etc.), and so do DNs. Every other attribute in the record has a name and a type, as well as one or more values.
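As an added example (not code from the original page), the Python below parses an LDAP entry written in LDIF, the text form in which entries are usually exchanged, and splits its DN into RDN components to show the "most specific part first" ordering. The entry, its attribute values and the group name are constructed for the example.

```python
"""Added example: parse a constructed LDIF entry and split its DN into RDNs."""
import base64

# Constructed sample entry (not from any real directory).
# '::' marks a base64-encoded value, as LDIF specifies.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
mail: jdoe@example.com
memberOf: cn=detectives,ou=Groups,dc=example,dc=com
description:: SmFuZSBpcyBhbiBpbnZlc3RpZ2F0b3I=
"""


def parse_ldif(text):
    """Return (dn, attributes); attributes maps a name to its list of values.

    Handles multi-valued attributes, base64 ('::') values and LDIF line
    continuations (a line starting with one space extends the previous line).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)

    dn, attrs = None, {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def split_dn(dn):
    """Split a DN into (type, value) pairs, most specific first.

    A backslash escapes the next character, so 'cn=Doe\\, Jane' is one RDN.
    """
    rdns, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(current.strip())
            current = ""
        else:
            current += ch
        i += 1
    rdns.append(current.strip())
    return [tuple(part.split("=", 1)) for part in rdns]


def is_member(attrs, group_dn):
    """Authorization check: does the entry's memberOf list carry group_dn?
    Attribute types are case-insensitive and, for the usual schemas, so are
    the values, so both sides are normalised before comparing."""
    def norm(d):
        return ",".join(f"{t.lower()}={v.strip().lower()}" for t, v in split_dn(d))
    return any(norm(g) == norm(group_dn) for g in attrs.get("memberOf", []))


if __name__ == "__main__":
    dn, attrs = parse_ldif(SAMPLE_LDIF)
    print(dn, split_dn(dn), attrs["objectClass"], sep="\n")
    print("detective:", is_member(attrs, "CN=Detectives,OU=Groups,DC=example,DC=com"))
```

The `is_member` check is the "is this user in the detective group" decision from the authorization section, done against the entry's own attributes; a real deployment would read the entry from the server rather than from an inline string.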

How does LDAP authentication, authorization & access control work?

LDAP lends itself extremely well to things like access control and authorization. Which groups is a user in? If only users in the detective group should have access to the clues application, then when someone attempts to log in, the application checks that they are in the proper group before granting access.

But how does one gain access to all of those records? From a flow perspective, the process is pretty straightforward:

  1. A session begins with a client binding to an LDAP server (DSA, Directory System Agent), by default on port 389.
  2. The client then sends an operation request (often a search or compare request, for example) to the server, asking for a particular set of information.
  3. The server then processes this query, and supplies a response.
  4. The client receives the response and unbinds, then processes the data.

What are directory information services?

Directories, or directory information services, are network databases that store information in data trees. Each entry in the tree includes (among other, less critical components) a distinguished name, a collection of attributes, and a collection of object classes.

For example, Active Directory is Microsoft's proprietary directory service for Windows environments. LDAP is a request-response protocol that lets you interact with directory servers like Active Directory, using specific entry components to find, view, or edit information.

Security concerns around LDAP

LDAP is an industry standard application protocol for accessing and maintaining distributed directory information and authentication services. Because of its nature as an identity access and management protocol, LDAP traffic can include sensitive data, such as Active Directory usernames, login attempts, and failed-login notifications. Additionally, this data is often unencrypted. By default, the LDAP protocol is not secure on its own. If attackers are able to obtain that data, they could use legitimate Active Directory credentials and access valuable assets on your network.
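To make both the four-step flow above and the "often unencrypted" concern concrete, here is an added example (not code from the original page) that hand-encodes the LDAP bind request, bind response and unbind request in BER as RFC 4511 defines them, decodes them back, and includes a small detection helper that flags a simple bind carrying a readable password. The DN, password and message IDs are constructed; nothing touches the network.

```python
"""Added example: the LDAP bind / bind-response / unbind exchange in BER (RFC 4511),
hand-encoded and decoded so the wire format can be inspected."""


def _ber_len(n):
    """BER definite length: one byte below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(value):
    """INTEGER, two's complement, minimal width (enough for IDs and versions)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def encode_bind_request(msg_id, dn, password, version=3):
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version, name, authentication }
    # Simple authentication is [0] OCTET STRING (tag 0x80): the password itself.
    op = _int(version) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(msg_id) + _tlv(0x60, op))


def encode_bind_response(msg_id, result_code, matched_dn="", diagnostic=""):
    # BindResponse ::= [APPLICATION 1] SEQUENCE { resultCode ENUMERATED,
    #                   matchedDN, diagnosticMessage }; 49 = invalidCredentials
    op = (_tlv(0x0A, bytes([result_code])) + _tlv(0x04, matched_dn.encode())
          + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _int(msg_id) + _tlv(0x61, op))


def encode_unbind_request(msg_id):
    # UnbindRequest ::= [APPLICATION 2] NULL
    return _tlv(0x30, _int(msg_id) + _tlv(0x42, b""))


def _read_tlv(buf, pos=0):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_message(buf):
    """Decode one LDAPMessage carrying a bind request, bind response or unbind."""
    tag, body, _ = _read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body)
    op_tag, op, _ = _read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(mid, "big", signed=True)}
    if op_tag == 0x60:
        _, ver, p = _read_tlv(op)
        _, name, p = _read_tlv(op, p)
        auth_tag, cred, _ = _read_tlv(op, p)
        msg.update(op="bindRequest", version=ver[-1], name=name.decode())
        if auth_tag == 0x80:   # simple bind: the credential is the cleartext password
            msg.update(auth="simple", password=cred.decode(errors="replace"))
        else:
            msg.update(auth="sasl")
    elif op_tag == 0x61:
        _, rc, p = _read_tlv(op)
        _, matched, p = _read_tlv(op, p)
        _, diag, _ = _read_tlv(op, p)
        msg.update(op="bindResponse", resultCode=rc[-1],
                   matchedDN=matched.decode(), diagnosticMessage=diag.decode())
    elif op_tag == 0x42:
        msg["op"] = "unbindRequest"
    else:
        msg["op"] = f"unsupported(0x{op_tag:02x})"
    return msg


def exposed_simple_bind(buf):
    """Detection helper: return the bind DN if buf is a simple bind carrying a
    non-empty password, i.e. a credential readable by anyone on the path unless
    the session is wrapped in TLS (LDAPS or StartTLS). Otherwise None."""
    msg = decode_message(buf)
    if msg.get("op") == "bindRequest" and msg.get("auth") == "simple" and msg.get("password"):
        return msg["name"]
    return None


def simulate_session(dn, password, accept):
    """Steps 1 to 4 from the page: client binds, server answers, client unbinds.
    Returns the decoded messages in wire order (constructed, no network)."""
    wire = [encode_bind_request(1, dn, password),
            encode_bind_response(1, 0 if accept else 49,
                                 diagnostic="" if accept else "invalid credentials"),
            encode_unbind_request(2)]
    return [decode_message(m) for m in wire]


if __name__ == "__main__":
    req = encode_bind_request(1, "uid=jdoe,ou=People,dc=example,dc=com", "s3cret!")
    print(req.hex())
    print("password visible on the wire:", b"s3cret!" in req)
    for m in simulate_session("uid=jdoe,ou=People,dc=example,dc=com", "s3cret!", accept=False):
        print(m)
```

Running the block prints the raw bind request and shows the password bytes sitting in it unchanged, which is exactly what a capture on port 389 without TLS would show; `exposed_simple_bind` is the kind of check a traffic monitor can apply to raise an alert for plaintext binds.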

How do I secure LDAP?

It is a best practice to encrypt LDAP traffic. While advanced LDAP encryption is key to good cybersecurity, so are smart implementations and the ability to decrypt and monitor traffic without compromising other security controls. Anomalies in things like LDAP credential errors can be early indicators of an attack. Modern security solutions usually support LDAP for authentication and authorization. For example, a user can configure their security system to authenticate users remotely with an existing LDAP server, rather than storing user credentials locally.
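The point that anomalies in LDAP credential errors can be early indicators is easy to turn into a concrete check. The following is an added example (not from the original page): it runs over constructed log lines written in the style of OpenLDAP's slapd connection log (syslog prefix replaced by an ISO timestamp) and flags any source IP with a burst of failed binds, distinguishing repeated failures against one account from failures spread across many accounts. The addresses, DNs and timestamps are constructed.

```python
"""Added example: flag bursts of failed LDAP binds per source IP from slapd-style logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in OpenLDAP slapd style (syslog prefix replaced by an
# ISO timestamp). tag=97 marks a bind response, err=49 is invalidCredentials.
# 10.0.0.9 mistypes once and then succeeds; 10.0.0.5 fails against six
# different accounts within six seconds.
SAMPLE_LOG = """\
2024-05-01T09:00:00 conn=1000 fd=12 ACCEPT from IP=10.0.0.9:40001 (IP=0.0.0.0:389)
2024-05-01T09:00:01 conn=1000 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128
2024-05-01T09:00:01 conn=1000 op=0 RESULT tag=97 err=49 text=
2024-05-01T09:00:05 conn=1000 op=1 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128
2024-05-01T09:00:05 conn=1000 op=1 RESULT tag=97 err=0 text=
2024-05-01T09:01:00 conn=1001 fd=13 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
2024-05-01T09:01:01 conn=1001 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128
2024-05-01T09:01:01 conn=1001 op=0 RESULT tag=97 err=49 text=
2024-05-01T09:01:02 conn=1001 op=1 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128
2024-05-01T09:01:02 conn=1001 op=1 RESULT tag=97 err=49 text=
2024-05-01T09:01:03 conn=1001 op=2 BIND dn="uid=carol,ou=People,dc=example,dc=com" method=128
2024-05-01T09:01:03 conn=1001 op=2 RESULT tag=97 err=49 text=
2024-05-01T09:01:04 conn=1001 op=3 BIND dn="uid=dave,ou=People,dc=example,dc=com" method=128
2024-05-01T09:01:04 conn=1001 op=3 RESULT tag=97 err=49 text=
2024-05-01T09:01:05 conn=1001 op=4 BIND dn="uid=erin,ou=People,dc=example,dc=com" method=128
2024-05-01T09:01:05 conn=1001 op=4 RESULT tag=97 err=49 text=
2024-05-01T09:01:06 conn=1001 op=5 BIND dn="uid=frank,ou=People,dc=example,dc=com" method=128
2024-05-01T09:01:06 conn=1001 op=5 RESULT tag=97 err=49 text=
"""

ACCEPT = re.compile(r'^(?P<ts>\S+) conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+')
BIND = re.compile(r'^(?P<ts>\S+) conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r'^(?P<ts>\S+) conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')


def detect_bind_failures(log_text, window=timedelta(seconds=60), threshold=5):
    """Return one alert per source IP whose failed binds within any `window`
    reach `threshold`. Connections are tied to IPs via ACCEPT lines and bind
    results to DNs via the (conn, op) pair, as slapd logs them."""
    conn_ip = {}                      # conn id -> client IP
    pending = {}                      # (conn, op) -> DN of the bind in flight
    failures = defaultdict(list)      # ip -> [(timestamp, dn), ...]

    for line in log_text.splitlines():
        if m := ACCEPT.match(line):
            conn_ip[m["conn"]] = m["ip"]
        elif m := BIND.match(line):
            pending[(m["conn"], m["op"])] = m["dn"]
        elif (m := RESULT.match(line)) and m["err"] == "49":
            ip = conn_ip.get(m["conn"], "unknown")
            dn = pending.pop((m["conn"], m["op"]), "")
            failures[ip].append((datetime.fromisoformat(m["ts"]), dn))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        start, best, best_dns = 0, 0, set()
        for end in range(len(events)):        # sliding window over failures
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_dns = count, {dn for _, dn in events[start:end + 1]}
        if best >= threshold:
            alerts.append({"ip": ip, "failures": best, "distinct_dns": len(best_dns),
                           "kind": "spray" if len(best_dns) > 1 else "brute-force"})
    return alerts


if __name__ == "__main__":
    for alert in detect_bind_failures(SAMPLE_LOG):
        print(alert)
```

The window and threshold are tuning knobs; a single user mistyping a password produces a handful of err=49 results against one DN, whereas a run of failures across many DNs from one address within a minute is the pattern worth paging on.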

LDAP vs. SAML

Both LDAP and SAML are remote authentication protocols that can be implemented securely, making them both potentially good choices. The biggest difference is that LDAP was designed in the early 90s, long before public cloud, SaaS, and the need to support a remote workforce. SAML was created in the early 2000s and was intended to federate identities to web apps. Because a SAML assertion is an XML document and is easily carried over HTTPS, it doesn't require StartTLS or a special secure version of the protocol (as LDAP does with LDAPS). Enabling MFA also doesn't require deviating from the protocol specification, whereas with LDAP it does, since the connection has to be held open for a second factor the protocol never anticipated. For these reasons, when both options are on the table, SAML is generally the better choice.