LDAP (LDAP)
LDAP is the corporate phone book for your IT infrastructure. When you log into a company computer, LDAP is what the system checks: it looks up your username in a giant directory, verifies your password, and confirms which groups you belong to (which determines what you can access). That same directory is used by your email server to look up addresses, by your VPN to grant access, and by every internal application that needs to know who you are.
Lightweight Directory Access Protocol (LDAP), defined in RFC 4511, is a client-server protocol for accessing and maintaining distributed directory information services. It operates over TCP, using port 389 (plaintext/STARTTLS) and port 636 (LDAPS, TLS-wrapped).
Directory Information Tree (DIT): Data is organized in a hierarchical tree. Each node is an entry identified by a Distinguished Name (DN), built from Relative Distinguished Names (RDNs):
cn=Alice Smith,ou=Engineering,dc=example,dc=com| RDN | Attribute | Meaning |
|---|---|---|
cn | Common Name | Object’s name |
ou | Organizational Unit | Group or department |
dc | Domain Component | DNS domain segment |
uid | User ID | Login name |
Core objectClasses (schema types that define available attributes):
inetOrgPerson: standard user withmail,telephoneNumber,jpegPhotoposixAccount: Linux account withuid,gid,homeDirectory,loginShellgroupOfNames: group withmemberattribute listing member DNs
LDAP operations:
| Operation | Description |
|---|---|
Bind | Authenticate as a DN with a password (or SASL mechanism) |
Search | Query the directory with a filter and scope |
Add | Create a new entry |
Modify | Change attributes on an existing entry |
Delete | Remove an entry |
Compare | Test if an attribute has a specific value |
Unbind | Close the connection |
Search filter syntax (RFC 4515):
(uid=alice)— equality match(mail=*@example.com)— substring match(&(objectClass=posixAccount)(uid=alice))— AND compound filter(|(cn=Alice)(cn=Bob))— OR compound filter
LDAP directory queries with ldapsearch
# Authenticate (bind) and search for a user entry
$ ldapsearch -H ldap://ldap.example.com \
-D "cn=admin,dc=example,dc=com" \
-W \
-b "dc=example,dc=com" \
"(uid=alice)"
# Output:
dn: cn=Alice Smith,ou=Engineering,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Alice Smith
uid: alice
mail: alice@example.com
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
# Find all members of the "engineering" group
$ ldapsearch -H ldap://ldap.example.com \
-D "cn=admin,dc=example,dc=com" -W \
-b "ou=Groups,dc=example,dc=com" \
"(cn=engineering)" member
# Verify a user password (bind test -- returns 0 on success)
$ ldapwhoami -H ldap://ldap.example.com \
-D "uid=alice,ou=Engineering,dc=example,dc=com" \
-W
dn:uid=alice,ou=Engineering,dc=example,dc=com
# Check LDAP TLS certificate (LDAPS on port 636)
$ openssl s_client -connect ldap.example.com:636 -showcerts </dev/null 2>/dev/null \
| openssl x509 -noout -subject -datesMicrosoft Active Directory is the most widely deployed LDAP implementation. Under the hood, AD is an extended LDAP directory combined with Kerberos for authentication and DNS for service location. OpenLDAP is the standard open-source alternative and is widely used as the identity backbone in Linux-heavy environments. FreeIPA (used in Red Hat environments) packages OpenLDAP, Kerberos, and DNS together. In practice, direct LDAP integration is being displaced by SSO via SAML/OIDC for web applications, but LDAP remains the underlying authentication source that those identity providers query. Network devices (switches, firewalls, VPNs) commonly authenticate administrators via LDAP/RADIUS. The most common security mistake is using a service account with broad directory-read access and storing its password in plaintext configuration files. Prefer LDAP over TLS (port 636) exclusively in production; never send bind credentials over unencrypted LDAP on port 389.