LDAP (Lightweight Directory Access Protocol)
Active Directory supports LDAP for directory lookups.
LDAP is an open, vendor-neutral, cross-platform protocol (LDAPv3 is defined in RFC 4511) used to query and modify directory services and to authenticate against them (such as AD).
LDAP uses TCP port 389, and LDAP over SSL/TLS (LDAPS) uses TCP port 636. AD Domain Controllers that are Global Catalog servers additionally expose the forest-wide Global Catalog on 3268 (LDAP) and 3269 (LDAPS).
Active Directory is the directory service (database) that stores user accounts, password hashes, groups, computers and other network information. LDAP is the protocol that applications and systems use to ask AD for information or to verify credentials.
An LDAP session begins by connecting to an LDAP server, also known as a Directory System Agent (DSA). In AD, every Domain Controller runs a DSA and listens for LDAP requests, including bind (authentication) requests.
LDAP Authentication
LDAP authenticates credentials against AD using the BIND operation, which sets the authentication state of the LDAP session. A simple bind sends the username (DN) and password in cleartext unless the connection is protected, so anyone positioned on the internal network path can sniff them. Use LDAPS (TLS on 636) or StartTLS on 389, or a SASL mechanism that never puts the password on the wire, to safeguard this information in transit. On AD, the "LDAP server signing requirements" and channel binding policies can be used to reject unprotected binds.
There are two types of LDAP authentication, distinguished by the AuthenticationChoice carried in the BIND request.
1. Simple Authentication
This includes anonymous bind (empty name and empty password), unauthenticated bind (a name with an empty password, which RFC 4513 says servers should reject by default, although some treat it as anonymous) and name/password bind.
Simple authentication means that the client sends a BIND request carrying a DN and a password, and the server checks them directly. Credentials are sent in cleartext unless the connection is wrapped in TLS (LDAPS or StartTLS).
2. SASL Authentication
The Simple Authentication and Security Layer (SASL, RFC 4422) framework lets LDAP delegate authentication to other mechanisms. AD advertises GSSAPI (Kerberos), GSS-SPNEGO (Negotiate, which can fall back to NTLM), DIGEST-MD5 and EXTERNAL (client certificate). Most mechanisms work as a challenge-response exchange carried in one or more BIND request/response pairs, so the password itself is not sent over the wire. SASL separates the authentication mechanism from LDAP itself and can also negotiate a security layer (signing and sealing) for the rest of the session.
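To make the difference between the two bind types concrete, here is an added example (not part of the original notes) that hand-encodes LDAPv3 BindRequest messages with the BER rules from RFC 4511 in Python and then decodes them again the way a passive sniffer would. The DN, password and SASL token are constructed sample values. A simple bind places the password in the message as a plain OCTET STRING, while a SASL bind carries only the mechanism name and an opaque mechanism token, so decoding the raw bytes recovers the password in the first case and nothing usable in the second.

```python
"""Encode and decode LDAPv3 BindRequest messages (RFC 4511, BER).

Added example: a simple bind without TLS leaks the password to anyone who
can read the packets; a SASL bind carries only a mechanism name and token.
All DNs, passwords and tokens here are constructed sample values.
"""

# BER tags used by an LDAPMessage that carries a BindRequest
TAG_SEQUENCE = 0x30       # SEQUENCE (LDAPMessage, SaslCredentials)
TAG_INTEGER = 0x02        # messageID, version
TAG_OCTET_STRING = 0x04   # LDAPDN, mechanism, credentials
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0] OCTET STRING
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3] SaslCredentials


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { 3, dn, simple: password } }."""
    bind = tlv(TAG_BIND_REQUEST,
               tlv(TAG_INTEGER, ber_int(3))
               + tlv(TAG_OCTET_STRING, dn.encode())
               + tlv(TAG_AUTH_SIMPLE, password.encode()))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(msg_id)) + bind)


def sasl_bind_request(msg_id: int, mechanism: str, token: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindRequest { 3, "", sasl: {mech, token} } }.
    The name is empty for SASL binds; identity comes from the mechanism."""
    sasl = tlv(TAG_OCTET_STRING, mechanism.encode())
    if token:
        sasl += tlv(TAG_OCTET_STRING, token)
    bind = tlv(TAG_BIND_REQUEST,
               tlv(TAG_INTEGER, ber_int(3))
               + tlv(TAG_OCTET_STRING, b"")
               + tlv(TAG_AUTH_SASL, sasl))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(msg_id)) + bind)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long form: low bits = byte count
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(packet: bytes) -> dict:
    """Decode a captured BindRequest the way a sniffer would."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    out = {"message_id": int.from_bytes(mid, "big", signed=True),
           "version": int.from_bytes(ver, "big", signed=True),
           "name": name.decode()}
    if tag == TAG_AUTH_SIMPLE:
        out["auth"] = "simple"
        out["password"] = auth.decode()       # the password, in the clear
    elif tag == TAG_AUTH_SASL:
        out["auth"] = "sasl"
        _, mech, p = read_tlv(auth, 0)
        out["mechanism"] = mech.decode()
        out["token"] = read_tlv(auth, p)[1] if p < len(auth) else b""
    else:
        raise ValueError(f"unknown AuthenticationChoice tag {tag:#x}")
    return out


if __name__ == "__main__":
    # Constructed sample credentials and a placeholder GSS-API token
    simple = simple_bind_request(1, "cn=svc-ldap,dc=corp,dc=local", "Winter2024!")
    sasl = sasl_bind_request(2, "GSSAPI", b"<placeholder GSS-API token>")
    for pkt in (simple, sasl):
        print(pkt.hex())
        print(parse_bind_request(pkt))
    print("password bytes on the wire:", b"Winter2024!" in simple)
```

Running the script prints the hex of both messages and their decoded fields. The simple bind shows the DN and password as readable bytes, which is exactly what a capture of port 389 without TLS yields; the SASL bind yields only `GSSAPI` and an opaque token, which is why the notes above recommend TLS for simple binds and Kerberos-backed SASL where possible.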
OpenLDAP
OpenLDAP is an open-source implementation of the LDAP protocol. It provides an LDAP server (slapd) and client tools (ldapsearch, ldapadd, ldapmodify, ldapwhoami) and imports and exports directory data in the standard LDIF format (RFC 2849).
It runs on Linux, Unix and other platforms, and is commonly seen where a directory is needed without Active Directory.
| Feature | LDAP | Kerberos |
|---|---|---|
| Purpose | Query and modify directory info, verify credentials | Provide secure, ticket-based authentication |
| How it works | Client binds to the directory (simple or SASL) and the server checks the credentials or the mechanism result | Client proves its identity to the KDC, receives tickets, and presents them to services without sending its password |
| Encryption | Cleartext unless protected by LDAPS (636), StartTLS (389), or a SASL mechanism that signs/seals | Encrypted by design: tickets and authenticators are encrypted with keys derived from the principals' secrets |
| Used for | Reading/writing user info, checking passwords, group membership, etc. | Authenticating users and services securely across the network |