LDAP was developed as an application and access protocol for directory service providers. The LDAP protocol can be used to search, modify, or authenticate data, information, and items on a large scale in distributed directory services and to manage communications with directory databases.


LDAP Protocol: Definition

LDAP, written out “Lightweight Directory Access Protocol”, belongs to the group of network protocols and is used as a standardized access protocol for queries and changes, following the client-server model, in distributed, central directory services. In this context, the term LDAP server is often used for a directory server that communicates via the LDAP protocol. The “lightweight” comes from the fact that it is considered a lightweight variant of the DAP access protocol (Directory Access Protocol) specified in X.500. Because DAP is too complex to implement effectively in large enterprises with extensive user data, LDAP is what is usually used in practice.

LDAP is based on the TCP/IP protocol stack and can be used flexibly for any directory system. For the transport of data, it can use TCP and UDP ports. It is particularly common in areas and industries that need to process and manage large amounts of data and information, such as telecommunications, aviation, IT, and hardware and software development. The standard ports are 389 for unencrypted connections and 636 for TLS-encrypted connections.

How does LDAP work?

To understand how LDAP works, it is important to understand the role it plays in LDAP directory services. With increasing digitalization, companies rely on processing and organizing data efficiently. To structure that data clearly and to query or change it with little effort, directory services are used. In these, information and attributes for various objects such as users, hardware, applications, workstations or login data are organized in a hierarchical tree structure called the DIT (Directory Information Tree).

LDAP is the means of communication between LDAP clients and LDAP servers for efficiently searching, modifying, or authenticating attributes in a complex directory service. LDAP clients access the relevant directory via the LDAP server or an LDAP gateway. An LDAP server is usually a directory server whose data structure complies with the LDAP specifications and which performs data transfers using the current LDAP protocol version 3 (as of February 2022).

LDAP uses at a glance

Important and common tasks and uses of LDAP include:

  • Central storage, authentication, and authorization of user data and passwords
  • Inserting entries into the directory database
  • Authenticating (binding) sessions
  • Modifying, searching, comparing, extending, or deleting directory entries
  • Searching schemas
  • Submitting queries
  • Unbinding (closing) sessions

Building LDAP directories

LDAP configurations use a standardized hierarchical tree structure (the DIT) for directories and their data, which can be distributed over many servers. The standardization is provided by the schema, which defines the object classes and their attributes. The tree hierarchy, in turn, branches out into political, geographic, or organizational levels as follows:

  • Root
  • Countries
  • Organizations
  • Organizational units
  • People
  • Individuals / resources

A complete replica of the LDAP directory can be held on several LDAP servers, with changes synchronized back to the original. Queries to the directory run through LDAP servers, also called Directory System Agents (DSAs), which can forward queries to other DSAs while still returning a single fast, abstracted response to the user.

LDAP uses an object-oriented approach, which includes objects, classes, inheritance, and the associated polymorphism. Each LDAP directory entry (LDAP object) consists of attributes plus a mandatory object name, the Distinguished Name (DN). The structure of the Distinguished Name resembles a file path and prevents two identical objects from existing on one level. The attributes that make up an object each have a specific type, identified by abbreviations such as cn (common name), st (state), or sn (surname). Depending on the type, an attribute can be single- or multi-valued. Container objects hold other objects, while the ends of the tree's branches are individual leaf objects.

The protocol uses specific access sequences that tell the LDAP server who is accessing the directory: the bind operation, together with a distinguished name (DN). A baseDN defines which directory levels are eligible for a search, combined with a scope such as base (only this object), sub (this object and everything below it), or one (only the level directly below the baseDN). Search queries are usually not performed manually by end users but by LDAP-enabled programs (e.g. Outlook), and the directory service in turn controls who is allowed to access which entries.
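The following added example (not code from the original article) models the two ideas of the last two paragraphs on a small constructed DIT: how a Distinguished Name is split into its RDNs so that the same name cannot appear twice under one parent, and which entries the search scopes base, one and sub select relative to a baseDN. The sample entries under dc=example,dc=com are constructed for illustration.

```python
import re

# Constructed sample DIT (not from the article): DN -> attributes. Values are
# lists because LDAP attributes may be multi-valued (see "mail" below).
SAMPLE_DIT = {
    "dc=example,dc=com": {"o": ["Example"]},
    "ou=People,dc=example,dc=com": {"ou": ["People"]},
    "ou=Servers,dc=example,dc=com": {"ou": ["Servers"]},
    "cn=Alice Example,ou=People,dc=example,dc=com": {
        "sn": ["Example"], "mail": ["alice@example.com", "a.example@example.com"]},
    "cn=Bob Example,ou=People,dc=example,dc=com": {"sn": ["Example"]},
}

def rdns(dn):
    """DN -> normalised RDN list, leaf first; a comma escaped as '\\,' stays in its
    value. Lower-casing everything is a simplification of per-attribute matching."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]

def search(dit, base_dn, scope):
    """DNs a search would visit: base = the base object only, one = its direct
    children, sub = the base and everything beneath it."""
    base = rdns(base_dn)
    if base not in [rdns(dn) for dn in dit]:
        raise LookupError("noSuchObject: " + base_dn)
    hits = []
    for dn in dit:
        parts = rdns(dn)
        depth = len(parts) - len(base)          # 0 = the base itself, 1 = a child
        under = depth >= 0 and parts[depth:] == base
        if scope == "base":
            match = under and depth == 0
        elif scope == "one":
            match = under and depth == 1
        elif scope == "sub":
            match = under
        else:
            raise ValueError("scope must be base, one or sub")
        if match:
            hits.append(dn)
    return hits

def add_entry(dit, dn, attrs):
    """Insert an entry: the parent must exist and the RDN must be unique among its
    siblings, which is how the DN keeps one level free of identical objects."""
    parts, existing = rdns(dn), [rdns(d) for d in dit]
    if parts in existing:
        raise ValueError("entryAlreadyExists: " + dn)
    if len(parts) > 1 and parts[1:] not in existing:
        raise ValueError("noSuchObject (parent missing): " + dn)
    dit[dn] = attrs
```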

Relationship between LDAP and Active Directory

LDAP, along with Kerberos, SMB and DNS, is one of the four central standard protocols that provide seamless communication and data transfers in Microsoft’s Active Directory. Active Directory is designed to serve as the directory service for Exchange servers, with LDAP support providing uniform queries against Active Directory and integrating LDAP-based services into the AD environment.

Active Directory is a powerful, relatively scalable directory service for large enterprises with several thousand employees and focuses on Windows structures. The LDAP protocol, on the other hand, offers more flexibility and extensibility for large deployments with branched user communities thanks to its Linux/Unix roots and open source compatibility. For this reason, LDAP and LDAP servers are also used in industries such as mobile communications and aviation, where several million user authentication requests are processed.

Use cases of the LDAP protocol

Use cases in which the use of LDAP is worthwhile include:

  • User and system administration
  • Mapping of protocols and RFCs
  • NIS information/boot information
  • Administration of DNS zone data and mountpoints
  • Organization of aliases (email) and DHCP servers

LDAP is particularly prevalent in areas that rely on comprehensive address queries and user authentication. These include:

  • Address books: Management software for digital contact/address books such as Mozilla Thunderbird, Microsoft Outlook, or Apple Contacts.
  • User management: Directory services for user management such as Apple Open Directory, Microsoft Active Directory, or NetIQ eDirectory.
  • Authentication: Programming interfaces for user authentication such as PAM.
  • User data management: Organization/management of user data in POP/IMAP/SMTP servers, in database systems, and in mail servers such as qmail, sendmail, or exim.
  • Document management systems: Verifying the legitimacy of requesting users or generating telephone directories, as in multifunction printers, anti-spam solutions, VoIP, web proxies, or NetScaler.

LDAP: Advantages at a glance

LDAP enables optimized authentication, authorization, and efficient searches for address and user data. Because of its many benefits for enterprises, LDAP has become an industry standard that most software products support. The main advantages are fast queries and connections, a lean query language, and a clearly structured protocol. Reading data from LDAP-enabled directory services is fast thanks to non-normalized data storage. This is particularly noticeable in areas with many small, weakly subdivided data entries.

LDAP also offers considerable time savings and powerful data structures for regular queries over large data sets or for distributed data storage, including server-wide distributed directory services, coupled directory replication for data reconciliation, and reliable high availability. The SSL/TLS-secured LDAP variant LDAPS also encrypts the data exchanged between sender and recipient and allows certificate-based authentication. Establishing an SSL/TLS connection additionally protects the data exchange against manipulation and data theft.
