Have you ever wondered what happens every time an employee logs in to their computer at work, accesses a shared drive, or sends an email from their work email? Something is at work behind the scenes to verify who they are and what they are allowed to do in your organization's environment. And most of the time, that something is LDAP.
So what exactly is LDAP? How does it work?
What is LDAP?
LDAP, or Lightweight Directory Access Protocol, is a way for applications to talk to a directory. It is an open-standard protocol used to access and manage directory services. In this case, a directory service is a database that contains information about users, devices, groups, and other network resources.
How LDAP works
LDAP works on a client-server model. The client, which could be a computer program or a website, initiates a connection and sends requests to the LDAP server. The server then processes these requests and sends back responses.
Here is what a typical LDAP interaction looks like:
The client connects to the LDAP server and logs in with its credentials. This is called a bind operation. Once logged in, the client can perform actions like searching for entries, viewing attributes, creating new records, and updating or deleting existing ones. When the client is done, it sends an unbind request to close the connection.
The directory is organized like a tree. Each node is called an entry and each entry has a distinguished name (DN) that identifies exactly where it is in the tree. For example, a person called Jane Smith in the marketing department might look like:
cn=Jane Smith, ou=Marketing, dc=company, dc=com
An LDAP query uses filters to describe what you are looking for within a directory. For example, the filter (objectClass=person) finds all the people in that directory. You can scope an LDAP search to a single entry (base), a single level of the tree beneath a base DN (one level), or the entire subtree beneath a base DN (subtree).
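To make the DN and scope rules concrete, here is an added example (not code from the original page) that splits a DN such as the Jane Smith entry above into its RDNs and decides whether a search with a given base DN and scope would return that entry. It assumes the DN syntax of RFC 4514 with backslash-escaped separators only; hex escapes and multi-valued RDNs are out of scope.

```python
"""Split LDAP distinguished names and evaluate search scopes.

Added example, not from the original page. Handles backslash-escaped
separators (RFC 4514 style) but not hex escapes or multi-valued RDNs.
"""


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, most specific first.
    Attribute names are lower-cased; values keep their case."""
    if not dn.strip():
        return []                   # empty DN is the root DSE (ldapsearch -b "")
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Would a search with this base DN and scope return entry_dn?
    scope is "base" (the base entry only), "one" (its immediate children)
    or "sub" (the base and everything beneath it). Values are compared
    case-insensitively, as cn, ou and dc use caseIgnoreMatch."""
    def norm(dn):
        return [(a, v.lower()) for a, v in split_dn(dn)]
    entry, base = norm(entry_dn), norm(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                # entry does not sit under the base at all
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")
```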
LDAP operations
LDAP defines a very specific set of operations that client applications can perform against a directory server. Every interaction, from logging in to updating a record, maps to one of these operations.
| Operation | What it does |
|---|---|
| Bind | Authenticates the client to the server. This is always the first step in an LDAP session. |
| Unbind | Closes the connection between the client and the server. |
| Search | Queries the directory for entries that match a given filter and scope. |
| Compare | Checks whether a specific attribute in an entry holds a specific value, without returning the full entry. |
| Add | Creates a new entry in the directory. |
| Modify | Updates attributes on an existing entry—adds, replaces, or deletes attribute values. |
| Delete | Removes an entry from the directory. |
| Modify DN | Renames or moves an entry within the directory tree. |
| Abandon | Tells the server to stop processing a previous request that is no longer needed. |
| Extended | A catch-all operation for capabilities not covered by the standard set, such as initiating STARTTLS. |
Most day-to-day LDAP activities, like authentication and user lookups, involve only Bind, Unbind, and Search operations. The others are usually reserved for directory administrators and provisioning systems.
The building blocks of LDAP
Before exploring what LDAP can do for your company, let's understand the mechanics that make it work.
How LDAP authentication works
One of the most common uses of LDAP is to authenticate users. When a user tries to log in to an application that uses LDAP authentication, the application takes their username and password and sends them to the LDAP server in a bind request. The server checks whether the provided credentials match what's stored in the directory. If they match, the user is logged in and the session is established. If not, access is denied.
What is an LDAP server?
An LDAP server implements the LDAP protocol and stores all the directory data. It listens for any client requests, processes them against the directory, and sends back appropriate responses.
Microsoft Active Directory, OpenLDAP, and Apache Directory Server are examples of some well-known LDAP servers.
LDAP schema: The rule book behind the directory
The LDAP schema defines the rules and structure for everything stored in the directory. It decides:
- What object classes exist
- What attributes each class can have
- What data type those attributes accept
- How they can be matched in queries
LDAP ports: What you need to know
Port 389 is the default port for standard LDAP communication. This means when a client talks to an LDAP server, it uses this port to send its requests. However, the data sent over this port is transmitted in plaintext, meaning it can be intercepted.
LDAPS, which is LDAP over SSL/TLS, uses port 636. This port encrypts the data being transmitted between the client and server. This is the recommended choice.
In Microsoft Active Directory environments, port 3268 is used to query the global catalog for cross-domain lookups. Port 3269 is its encrypted counterpart.
Common LDAP terms
The LDAP protocol has its own vocabulary. Here are a few terms that you might encounter:
| Term | Description |
|---|---|
| Distinguished name (DN) | Identifies exactly where an entry lives in a directory server. |
| Relative DN | Identifies the entry within its parent container. |
| Base DN | Defines the top of the directory subtree that the search will cover. |
| Bind DN | Defines the DN of the account used to authenticate to the LDAP server. |
| Object Class | Determines what attributes the entry must or may have. |
| Attribute | Encompasses individual pieces of data stored in an entry. |
| Entry | Represents a single record in the directory. |
| Directory Information Tree | Defines the overall hierarchical structure of the directory. |
| Organizational unit | Defines the container used to organize entries within the directory. |
| Domain component | Represents the parts of a domain name in the directory tree. |
LDAP attributes
LDAP attributes are the individual data fields stored within a directory or an entry. Each attribute comprises a name, data type, and one or more values. Here are some commonly used LDAP attributes:
| Attribute | Full name | What it stores |
|---|---|---|
| cn | Common name | Full name of a user or object |
| sn | Surname | User's last name |
| uid | User ID | Login username |
| mail | Mail | Email address |
| ou | Organizational unit | Department or group the entry belongs to |
| dc | Domain component | Component of the domain name |
| dn | Distinguished name | Full, unique path of the entry |
| userPassword | User password | Stored credential (hashed) |
| telephoneNumber | Telephone number | Contact phone number |
| givenName | Given name | User's first name |
| objectClass | Object class | Defines type of entry and its required attributes |
| member | Member | Members of a group entry |
| memberOf | Member of | Groups an entry belongs to |
What is LDAP used for?
You might be wondering why companies still use LDAP given that there are other ways now to manage user identities. Here's why:
- Centralized user and group management: LDAP servers continue to be the source of truth for user accounts, credentials, group memberships, and identity attributes across an organization. This centralization makes identity life cycle management simpler.
- Authentication and authorization: Internal and third-party applications continue to use LDAP for authentication and authorization. LDAP authentication is supported natively by email servers, VPN gateways, file servers, and countless enterprise applications.
- Legacy system support: Many enterprise systems were built years ago with LDAP integration included. Replacing them now would be expensive and risky.
Additionally, LDAP works on different kinds of computers and operating systems and can be used with many different tools and platforms.
LDAP vs. Active Directory
| Active Directory | LDAP |
|---|---|
| Directory service by Microsoft | Protocol |
| Stores and organizes data about users, computers, and resources within a Windows environment | One of the protocols that Active Directory uses to communicate (along with Kerberos, DNS, and others) |
| Provides authentication, authorization, and policy management | Helps client applications query Active Directory for directory information |
In most enterprise environments, these two work together. LDAP allows non-Microsoft applications to communicate with Active Directory, making it easier to manage user identities.
LDAP vs. other authentication methods
| | LDAP | Kerberos | SAML | OAuth/OIDC | RADIUS |
|---|---|---|---|---|---|
| Best for | Directory queries and internal app authentication | Network SSO in Windows environments | Web-based SSO | Modern web or mobile apps | Network device authentication |
| On-premises | ✓ | ✓ | Partial | Partial | ✓ |
| Cloud-native | Limited | Limited | ✓ | ✓ | Limited |
| Legacy support | Strong | Strong | Limited | Limited | Strong |
LDAP vs. LDAPS
LDAP and LDAPS serve the same purpose. They both connect clients to a directory server, but they differ in how they secure those connections.
| | LDAP | LDAPS |
|---|---|---|
| Port | 389 | 636 |
| Encryption | None by default (STARTTLS optional) | TLS from the first byte |
| Data in transit | Plaintext unless STARTTLS is enforced | Always encrypted |
| Certificate required | Only if using STARTTLS | Yes |
| Risk | Credentials can be intercepted | Significantly lower risk |
| Recommended for | Internal read-only queries on isolated networks | All production environments |
LDAP best practices
Here are a few best practices to follow when using LDAP in your environment:
- Use LDAPS or enforce STARTTLS.
- Use dedicated service accounts with least privilege.
- Disable anonymous binding.
- Apply strict ACLs on directory entries.
- Enforce account lockout and password policies.
- Sanitize all user input before constructing LDAP queries.
- Audit and monitor LDAP activity.
- Regularly review and clean up directory entries.
Common LDAP vulnerabilities
LDAP injection gets the most attention, but it is not the only way attackers exploit directory services. Here are the vulnerabilities your security team should know about:
- LDAP injection: Special characters injected into input fields manipulate LDAP filter logic, enabling authentication bypass or data extraction.
- Anonymous binding: Servers that accept unauthenticated queries let anyone on the network enumerate users, groups, and organizational structure without credentials.
- Cleartext transmission: Standard LDAP on port 389 without STARTTLS sends credentials in plaintext, making them trivial to intercept.
- Overly permissive ACLs: Service accounts with more access than they need turn a single compromised account into a broad directory exposure.
- Brute force against LDAP bind: No account lockout policy means authentication endpoints are open to credential stuffing and password spraying.
- Server misconfiguration: Default credentials, open ports, and unrestricted replication access are common gaps introduced at setup and never revisited.
- Query flooding: Expensive wildcard searches sent repeatedly can exhaust server CPU and memory, degrading directory service for everyone.
- LDAP referral abuse: A client that blindly follows referrals to untrusted servers may hand over its bind DN credentials in the process.
LDAP injection: The security risk you can't ignore
One of the most serious security risks associated with this protocol is LDAP injection. This is when a malicious user tries to manipulate an LDAP query by adding characters to an application's fields. If the application doesn't check the input carefully before passing it to the LDAP server, the attacker can change the query's logic. They can then potentially bypass the authentication and gain unauthorized access to information.
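The best-practice item on sanitizing input and the injection description above come down to one rule: a value taken from a user must only ever match literally inside a filter. Here is an added example (not from the original page) that puts the vulnerable string concatenation beside a hardened version using RFC 4515 escaping, and a small structural check a defender can use to spot a filter whose shape was altered by input. The (objectClass=person)(uid=...) login filter is an assumed shape for illustration.

```python
"""Build LDAP search filters from untrusted input, unsafe and hardened.

Added example, not from the original page. The escaping follows RFC 4515:
the characters * ( ) \\ and NUL are replaced by a backslash and their two
hex digits so they lose their meaning as filter syntax. The filter shape
(objectClass/uid) is an assumption for illustration.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter value
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can only ever match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable: the raw username is concatenated into the filter,
    so a "*" from the user turns (uid=...) into a match-everyone wildcard."""
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter(username: str) -> str:
    """Hardened: the username is escaped before it enters the filter."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def count_assertions(ldap_filter: str) -> int:
    """Count unescaped '(' in a filter. The login filter above should always
    have exactly 3 (the AND plus two assertions); any other count means user
    input changed the filter's structure rather than just a value."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3                  # skip a \XX escape sequence
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count
```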
LDAP management with ADManager Plus
ADManager Plus is a tool that simplifies LDAP management. It is a centralized platform to manage Active Directory objects such as users, computers, and groups. It enables automated user provisioning and deprovisioning, and provides visibility into the directory data. You can manage user accounts, clean up stale entries, delegate administrative tasks, and enforce access controls. With ADManager Plus, you can manage your directory without writing a single LDAP query.
FAQ
1. What is LDAP in simple terms?
LDAP is a protocol that applications use to communicate with a directory service. It lets them search for users, verify credentials, and retrieve information like group memberships from a central directory.
2. What is the difference between LDAP and LDAPS?
LDAP uses port 389 and transmits data in plaintext, while LDAPS encrypts all communication over port 636. For any environment handling sensitive identity data, LDAPS is always the preferred choice.
3. What is an LDAP bind?
A bind is the operation an LDAP client performs to authenticate itself to the server. It involves presenting a DN and a password. A successful bind establishes an authenticated session while a failed one denies access.
4. What is the difference between LDAP and Active Directory?
LDAP is a protocol. It is a set of rules for how to communicate with a directory service. Active Directory is a directory service built by Microsoft that uses LDAP as one of its communication protocols.
5. Is LDAP secure?
LDAP on its own is not secure. The standard LDAP on port 389 transmits credentials in plaintext, which can be intercepted on the network. LDAP becomes secure when combined with TLS encryption, either through LDAPS on port 636 or STARTTLS on port 389 with enforcement on both ends. Beyond encryption, security also depends on disabling anonymous binding, applying least-privilege ACLs, sanitizing input to prevent LDAP injection, and enforcing account lockout policies.
6. What is a DN in LDAP?
A distinguished name (DN) is the full, unique path that identifies an entry's location in the directory tree. It is made up of a series of attribute-value pairs read from the most specific (leftmost) to the least specific (rightmost). For example, cn=Jane Smith, ou=Marketing, dc=company, dc=com tells you that Jane Smith is in the Marketing organizational unit within the company.com domain. No two entries in a directory can have the same DN.
7. What is a bind DN in an LDAP configuration?
A bind DN is the DN of the account an application uses to authenticate itself to the LDAP server. When you configure an application to connect to LDAP, you typically provide a bind DN and a password. The application presents these credentials in a bind operation to establish an authenticated session before it can query the directory. Best practice is to use a dedicated, read-only service account as the bind DN rather than a privileged directory account.
8. How do I test LDAP connectivity?
The quickest way is to use the ldapsearch command: ldapsearch -H ldap://your-server:389 -x -b "" -s base for standard LDAP, or ldapsearch -H ldaps://your-server:636 -x -b "" -s base for LDAPS. You can also use Test-NetConnection -ComputerName your-server -Port 389 in PowerShell to check if the port is reachable. If the connection times out, the issue is typically a firewall rule, the LDAP service not running, or the server not listening on that port.