LDAP stands for Lightweight Directory Access Protocol and it allows applications to make rapid queries of user information. In this article we’ll give you the lowdown on what the protocol is for, how it works, and basically everything you need to know to become an LDAP genius!
Explain LDAP to me – what exactly is it?
LDAP is pronounced “el dap”, and it’s a vendor-neutral protocol that’s used to manage users, attributes, and authentication. It is a lightweight version of the X.500 directory access protocol (DAP). It was created back in 1993, although back in the day it was known as LDBP (much harder to say – we agree), with the B standing for browsing.
LDAP is one of the core protocols used for managing users and their access rights. Today, it’s one of many protocols used for directory services, to access data such as email addresses, credentials, and other static data. Once a method of directory storage has been chosen, LDAP can add, delete or change records, and search them so that users can be authenticated and authorized to access specific resources.
LDAP has three core functions. First, it can update directory information with add, delete or modify operations. Secondly, it can query, which means searching and also comparing information within the directory. Finally, it can authenticate: a bind operation proves who the client is so that its later requests can be authorized, and an abandon operation tells the server to stop working on a request it has not yet completed. A typical LDAP exchange has four parts: connection, request, response and completion.
Employees will probably connect using LDAP regularly, likely every single day. This could be anything from when they verify a password to when they connect to a printer or another device.
The basics of LDAP
If you’re just starting out with LDAP, you’ll need a boost to your vocabulary. There are a whole slew of new terms to understand in the world of LDAP! Here are some of the first ones you might come across:
# Information Tree: An information tree, or directory information tree, is how LDAP structures its data: a hierarchy that holds every entry in the directory service. You might see this written as DIT.
# Distinguished Name: Often abbreviated to DN, this is the unique identifier for every LDAP entry. It is also how you tell entries apart on the DIT, because it spells out the entry’s position from the entry itself up to the root of the tree.
# Relative Distinguished Name: An RDN is the leftmost component of a DN, the part that names an entry relative to its parent on the DIT. See? You’re getting the lingo already!
# Modifications: Whenever LDAP users make a request to change data, that is a modification. For example, they might add, replace or delete attribute values.
# Object identifier: Also known as an OID, this is a string of numbers, separated by periods, that acts as a unique identifier for an element of the LDAP protocol, such as an attribute type or object class. One use is for request and response controls.
# Schema: This is the blueprint of your directory, and specifies all the information that a directory server might include. Think about attributes, object classes, the rules that govern them, and more.
# LDAP URIs: These are mostly used for referrals, or to specify the properties needed to establish a connection. A URI (uniform resource identifier) bundles a number of disparate pieces of information, such as the host, port, base DN, search scope and filter, into one string.
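The DN, RDN, DIT and LDAP URI terms above are concrete enough to parse. The following is an added example, not code from the original article: a small Python parser that splits a DN into its RDNs (honouring RFC 4514 backslash escapes, including hex pairs and multi-valued RDNs joined with `+`), derives the parent entry's DN, checks whether an entry sits under a search base in the DIT, and breaks an LDAP URI into its RFC 4516 fields with the defaults that standard prescribes. Every DN and URI in it is a constructed sample value; the case-insensitive value comparison in `is_under` is an approximation of how the common naming attributes (cn, ou, dc) match.

```python
"""Added example: DN / RDN handling (RFC 4514) and LDAP URI parsing (RFC 4516).
All DNs and URIs below are constructed sample values."""
import string
from urllib.parse import unquote, urlsplit


def split_unescaped(s: str, sep: str) -> list:
    """Split on sep, skipping separators protected by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(value: str) -> str:
    """Undo RFC 4514 escaping: backslash-char, or backslash-hexpair (one UTF-8 byte)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16)); i += 3; continue
            if i + 1 >= len(value):
                raise ValueError("dangling backslash in %r" % value)
            out += value[i + 1].encode(); i += 2; continue
        out += value[i].encode(); i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> list:
    """DN -> list of RDNs, leftmost (the entry's own RDN) first. Each RDN is a
    list of (attribute type, value) pairs; more than one pair only for a
    multi-valued RDN such as cn=X+uid=Y. Attribute types are lower-cased."""
    if dn.strip() == "":
        return []  # the empty DN names the root of the DIT
    rdns = []
    for raw_rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(raw_rdn, "+"):
            typ, eq, val = ava.partition("=")
            if not eq:
                raise ValueError("RDN component without '=': %r" % ava)
            val = val.lstrip()
            while val.endswith(" ") and not val.endswith("\\ "):  # unescaped trailing spaces are insignificant
                val = val[:-1]
            avas.append((typ.strip().lower(), unescape(val)))
        rdns.append(avas)
    return rdns


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN to get the parent entry's DN (raw text preserved)."""
    return ",".join(p.strip() for p in split_unescaped(dn, ",")[1:])


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn lies in the subtree rooted at base_dn (what a search base means).
    Values are compared case-insensitively, which approximates cn/ou/dc matching rules."""
    norm = lambda rdns: [[(t, v.casefold()) for t, v in r] for r in rdns]
    entry, base = norm(parse_dn(entry_dn)), norm(parse_dn(base_dn))
    return len(entry) >= len(base) and (not base or entry[-len(base):] == base)


DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uri(uri: str) -> dict:
    """ldap[s]://host[:port]/base?attrs?scope?filter?extensions (RFC 4516)."""
    u = urlsplit(uri)
    if u.scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URI: %r" % uri)
    fields = (u.query.split("?") + ["", "", "", ""])[:4]
    attrs, scope, filt, exts = (unquote(f) for f in fields)
    return {
        "scheme": u.scheme,
        "host": u.hostname or "",              # empty host means "use a default server"
        "port": u.port or DEFAULT_PORTS[u.scheme],
        "base": unquote(u.path.lstrip("/")),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",              # RFC 4516 default scope
        "filter": filt or "(objectClass=*)",   # RFC 4516 default filter
        "extensions": [e for e in exts.split(",") if e],
    }


if __name__ == "__main__":
    dn = "cn=Doe\\, John,ou=People,dc=example,dc=com"  # constructed DN with an escaped comma
    print(parse_dn(dn)[0], "->", parent_dn(dn))
    print(parse_ldap_uri("ldap://ldap.example.com/dc=example,dc=com?cn,mail?sub?(uid=jdoe)"))
```

The escaping rules matter in practice: a DN built by naive string concatenation from a user-supplied name containing a comma or plus sign names a different entry than intended, so anything that constructs DNs from input should escape values, and anything that consumes them should split with the escape-aware routine rather than `str.split(",")`.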
What’s the difference between LDAP and Active Directory?
A lot of people use the terms LDAP and AD interchangeably, but that’s a recipe for disaster! In fact, while Microsoft built much of Active Directory on LDAP, and AD uses LDAP, they are not the same. AD usually uses Kerberos for authentication, a totally different protocol altogether. AD also needs domain controllers, and it is not vendor neutral: as a Microsoft tool, it works best with Windows devices and operating systems.
While LDAP and AD do work well together, AD is used for organizing Windows IT assets, while LDAP can be used with other programs, for example Linux-based systems.
LDAP on the cloud
LDAP was built for on-premises systems, but today, the majority of enterprise and business workloads are on the cloud. Enter the idea of directory-as-a-service, a newer model in which a cloud-friendly LDAP is built for the modern era. With this model, the LDAP servers already exist in the cloud, so organizations don’t need to set up and manage the core directory itself, or integrate their systems and processes. Instead, they can simply point their LDAP-connected endpoints at the service and they are good to go.
What are the pros of LDAP?
If you’re wondering whether LDAP is the right protocol for you, here are some great reasons to say yes!
First of all, it’s an open standard with open-source implementations. That means the protocol itself costs you nothing to adopt, and you can get a lot of support from the IT community when setting it up and managing it in your own corporate or client environment. However, unlike a lot of open-source tools, it’s also standardized: LDAPv3 was specified in RFC 2251 (since superseded by the RFC 4510 series). That means the industry will continue to support this protocol.
You can use LDAP for a lot of different use cases, and it’s compatible with a broad range of operating systems and assets. That makes it a super flexible choice. Lastly, it can be made very secure: communications can be encrypted with TLS, either LDAPS on its own port or StartTLS on the standard port. That matters, because a plain LDAP simple bind sends the password in cleartext.
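How the TLS protection mentioned above is actually switched on matters as much as whether it is. The following is an added example, not code from the original article: a Python client-side LDAPS configuration with certificate and hostname verification enforced, shown next to the weakened context that scripts often fall back to when a certificate error appears. The `connect_ldaps` helper, hostnames and CA file path are assumptions of this example; the report function exists so the enforced settings can be inspected without a live server.

```python
"""Added example: opening LDAPS with certificate verification, next to the weak
setting it replaces. Hostnames and paths below are constructed placeholders."""
import socket
import ssl

LDAPS_PORT = 636  # TLS from the first byte; port 389 plus StartTLS is the alternative


def ldaps_context(cafile=None) -> ssl.SSLContext:
    """Hardened client context: verify the chain against cafile (or the system
    trust store) and check the hostname; TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The weak setting often pasted into scripts to silence certificate errors.
    Kept here only for contrast: it accepts any certificate, so an on-path
    attacker can present their own and read the bind password."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_report(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will actually enforce."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
    }


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """The three properties a reviewer should insist on for an LDAPS client."""
    r = context_report(ctx)
    return r["verifies_chain"] and r["checks_hostname"] and r["min_tls"] in ("TLSv1_2", "TLSv1_3")


def connect_ldaps(host: str, port: int = LDAPS_PORT, cafile=None, timeout: float = 5.0) -> ssl.SSLSocket:
    """TCP connect, then wrap with the hardened context. server_hostname drives
    SNI and the hostname check; a bad certificate raises ssl.SSLCertVerificationError
    before any bind request can leave the client."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ldaps_context(cafile).wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", context_report(ldaps_context()))
    print("insecure:", context_report(insecure_context()))
    # Example call against a hypothetical server (not run here):
    # sock = connect_ldaps("ldap.example.com", cafile="/etc/ssl/certs/internal-ca.pem")
```

With an internal CA, pass its bundle as `cafile` rather than disabling verification; the same context applies after a StartTLS upgrade on port 389, since what matters is that the certificate is verified before the bind, not which port the session started on.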
Now let’s talk about the cons – are there any?
Like any IT decision, there are always going to be some downsides, or negative considerations. First of all, there are definitely newer protocols which might be a better choice, especially if you’re working in the cloud. Secondly, this isn’t the kind of protocol that you can get started with as a newbie: LDAP setup and maintenance generally needs someone with a bit of networking expertise. The larger your organization, the harder it is to set up your directory so that it accurately represents your business environment.