LDAP: WHAT is it? WHY is it, & WHO Cares?

WHAT?

1. Lightweight Directory Access Protocol

2. DAP (Directory Access Protocol) is the “Heavyweight” version of LDAP

3. A server-side protocol and method of communication that allows anyone to locate data about organizations, individuals, files, devices and other resources on a network.

4. There’s alot of stuff on the internet and the LDAP protocol helps us easily find what we are looking for. LDAP is also used on corporate intranets.

5. Vendor-neutral

6. Consolidates existing services into a single directory that can be accessed by various vendors and clients (e.g. web browsers, email clients, email servers and applications)

7. Meant to be “read” and referenced more than “written to”. Think of a physical phone book with the white and yellow pages (you remember those?). The information in a phone book is meant to be searched and used by whoever is searching for it.

7. Exceptional search capabilities

LDAP is a useful access protocol for fast queries, searches, changes, and authorizations in distributed directory services.

WHY?

1. Before LDAP all your personal information would be stored in all the servers in your organization. If your organization has 4 servers that you need to access then your information would be in all of them. If any change needed to be made to your information, all 4 servers would need to be updated separately.

2. To make this terrible process easier system administrators would create one master server then create a script that would “push” an update to all the other servers on the network. Still too much work and lots of issues with real-time updating.

3. LDAP servers are a one-stop-shop for client information so businesses don’t need to keep user credentials in 4 different servers, then update 4 different servers when user information changes. LDAP does not push information, but servers are configured to refer to the LDAP directory when they need information.

WHO CARES?

1. The system and network administrators at Amazon, Walmart, Navy Federal, the Social Security Administration, and every other entity that collects and organizes client and user information cares about the LDAP protocol (and other protocols like it).

LDAP servers hold the authoritative infomation (e.g., information needed to authenticate users) about all users in a system. The LDAP server will allow cross-checking so that Kerberos (for example) can authenticate user credentials.

2. Servers and services like Active Directory use the LDAP protocol for customer management.

3. Google uses LDAP to return your secure search results.

3. Malicious attackers also “care” about LDAP because they can inject code (LDAP injection) into LDAP streams to obtain user information and privilege escalate.