LDAP is the standard TCP/IP stack protocol that is used to store and query information from a hierarchical directory. It is an alternative to X.500 Directory service protocol which is more resource-intensive. LDAP is often used for SSO authentication and storage. By standard LDAP uses TCP port 389 for unencrypted communication and TLS port 636 over an encrypted channel.
How Does LDAP work?
- Client starts an LDAP session through the dedicated TCP port.
- (Optional) Read and modify the session option values.
- Establish a connection to the LDAP server or explicitly bind to the server with a privileged authenticated client using one of the binding functions.
- Submit a query to an email server or establish a connection to a printer. The server receives the query and returns the corresponding information to the user.
- After completion, close the connection to the LDAP server.
LDAP unlike most modern http-based protocols, uses persistent connections which can live for days when communication with a directory server.
Advantages of Using LDAP
- It is a mature protocol which keeps on evolving. It is a critical component of most large enterprises therefore the need to maintain revisions and update standards of the protocol.
- LDAP is a lightweight version of the X.500 protocol but is also very lightweight compared to other modern day protocols.
- LDAP is secure and is often used to store usernames, passwords and other sensitive information. But its security is subject to its implementation. It is important to follow best practices when adopting this protocol such as:
- establishing an access control policy.
- maintaining multiple copies of the directory data.
- encrypting sensitive information such as passwords.
Components of LDAP
Attribute: the data in the LDAP system is stored in key-value pairs known as attributes. You can set an attributes value by separating the name and the value using a colon and a space. e.g.
mail: johndoe@gmail.com
Use an equal's sign to refer to an attribute and its data without setting it. e.g.
mail=johndoe@gmail.com
The most commonly used attributes include:
- ou: Organizational Unit
- _ dn_: distinguished name
- cn: common name
- description
- dc: domain component
- givenName: first name
- mail: e-mail address
- sn: surname
Entries: an entry is a collection of attributes which are associated to or describe something. An entry could be a user in your system. Think of it as a row in a relational database. Each entry consists of:
- a distinguished name (uniquely identifies a specific entry in the DIT hierarchy
- a collection of attributes (they hold the data for the entry)
- a collection of object classes (they indicate what kind of object an entry represents e.g. information about a device or person)
dn: ou=Users,dc=example,dc=com,uid=jd001
objectClass: EntUsers
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
uid: jd001
Search Filters: used to define the criteria for identifying entries that contain certain kinds of information.
LDAP URLS: this URL contains different pieces of information that can reference a directory server or a search criteria.
Primary Operators of LDAP
- Add: Insert a new entry into the directory.
- Modify: change existing directory entries.
- Bind: authenticate and connect the LDAP client to the server.
- Delete: Remove directory entries.
LDAP is used by Microsoft's Active Directory and other directory servers such as OpenLDAP and Red Hat Directory Server. To setup LDAP within an enterprise, you need a directory server, users with different permissions, directory data that can be queried and an LDAP client application.
-
Top comments (0)