
Term · 8. Connectors & Integration

LDAP

LDAP (Lightweight Directory Access Protocol) is an open protocol for querying and modifying directory services over IP — the standard way applications read user, group and device records from directories such as Active Directory or OpenLDAP. It underpins centralized authentication and lookups in most enterprises. Always run it over TLS (LDAPS), since plain LDAP transmits credentials in clear text.

Protocol Source: IETF LDAP

Definition

Lightweight Directory Access Protocol (RFC 4511) — TCP/IP protocol for accessing directory services. Foundation of enterprise directories (Active Directory, OpenLDAP, 389 Directory, Apache DS). Used for authentication queries, user lookups, group membership checks. Increasingly replaced by SCIM 2.0 for provisioning and OIDC for authentication.

Synonyms
  • LDAP
Application
Modern usage: legacy app authentication (LDAP bind), directory queries, federation with IdPs (read-only mirror). Major LDAP attacks: LDAP injection, anonymous bind exposure, Pass-the-Hash via LDAP.
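The two LDAP weaknesses named above, LDAP injection and anonymous (unauthenticated) bind exposure, as an added example that is not part of this glossary entry: a vulnerable search filter built by string concatenation beside its RFC 4515-escaped form, a detection check for filter metacharacters in raw input, and a guard against the RFC 4513 empty-password bind that many servers silently accept. Function names and the sample DN are assumptions for illustration.

```python
import re

# RFC 4515: these characters must be hex-escaped inside a search filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}
_FILTER_META = re.compile(r"[\\*()\x00]")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_user_filter(username: str) -> str:
    """Concatenation: a '*' or ')(' in the input rewrites the filter's logic (injection)."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_user_filter(username: str) -> str:
    """Escaped value is matched literally; metacharacters cannot alter the filter structure."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def looks_like_injection(value: str) -> bool:
    """Defender-side check: flag raw input containing filter metacharacters for logging."""
    return _FILTER_META.search(value) is not None


def is_credentialed_bind(dn: str, password: str) -> bool:
    """RFC 4513: a bind with a DN and an EMPTY password is an unauthenticated bind, which
    many directories accept. Refuse to treat it as a successful password check."""
    return bool(dn) and bool(password)


if __name__ == "__main__":
    # Constructed sample input mimicking an injection attempt against a login form.
    raw = "x)(uid=*"
    print(vulnerable_user_filter(raw))   # filter structure is rewritten
    print(safe_user_filter(raw))         # value matched literally
    print(looks_like_injection(raw))
    print(is_credentialed_bind("uid=alice,dc=example,dc=com", ""))
```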
Standards & regulations
  • RFC 4510 «The Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services that act in accordance with X.500 data and service models.»
  • RFC 4511 «RFC 4511 specifies the LDAP protocol — directory operations (bind, search, modify, add, delete) for accessing X.500 directory models over TCP/IP.»
  • RFC 4513 «The Lightweight Directory Access Protocol (LDAP) [RFC4510] is a powerful protocol for accessing directories. It offers means of searching, retrieving, and manipulating directory content and ways to ac»
  • RFC 4516 «LDAP is the Lightweight Directory Access Protocol [RFC4510]. This document specifies the LDAP URL format for version 3 of LDAP and clarifies how LDAP URLs are resolved.»
  • RFC 4521 «The Lightweight Directory Access Protocol (LDAP) is extensible. It provides mechanisms for adding new operations, extending existing operations, and expanding user and system schemas.»

Frequently asked questions

What is LDAP used for?

LDAP centralizes identity data: applications query a directory over LDAP to authenticate users, resolve group membership and look up attributes like email or department. Active Directory exposes an LDAP interface, which is why so many tools integrate with AD via LDAP.

Is LDAP an authentication protocol?

LDAP can authenticate a user via a bind operation (checking a username and password against the directory), but it is primarily a directory access protocol. For modern SSO you usually pair the directory with SAML or OIDC rather than authenticating apps directly over LDAP.

LDAP vs Active Directory?

LDAP is the protocol; Active Directory is Microsoft's directory service that speaks LDAP (plus Kerberos and more). OpenLDAP and 389 Directory Server are other directories that implement LDAP. LDAP is the language; the directory is the system.