Lightweight Directory Access Protocol (LDAP) is an open and cross-platform language that is used between a client and a server over a persistent connection. It defines how clients should encode requests and how servers should encode responses.
LDAP is a secure way to authenticate users because it uses stringent encoding rules that don't allow users to create weak passwords.
The use case for the creation of LDAP was to provide a secure authentication tool for enterprises, but it has other functions, too. It can be used in a network’s active directory, where it encodes, stores, accesses, and manages user and device information (and other data). Types of data stored are usernames and passwords, account details, printer connections, email addresses, and other sensitive data.
Specific functions include:
Storing a systematic set of records and data in a hierarchical structure
Searching and retrieving data within that structure that matches a given set of criteria
Authenticating and authorizing users and devices
Organizing groups
Creating policy
To start an LDAP authentication session, a client needs to connect to the server. After connection is established, the client and the server can exchange packets of data. When a user request comes into the server, their credentials are authenticated against data that was previously entered by the administrators. If the data matches, they gain access. If it doesn’t, they’re denied access.
EXAMPLE
Patricia enters her name and password into a web application.
Her request for access gets sent to a service, which uses LDAP-encoded data to match her credentials with the credentials already in its database.
If Patricia’s username or password don’t match the credentials stored in the LDAP-encoded database, LDAP sends back an error message.
If Patricia’s credentials match the credentials in the LDAP-based database, the service authenticates her and she gains access.
The LDAP directory on the server is set up in a treelike, or hierarchical, structure. When a user requests information, the database doesn’t need to know the location of the data. It uses LDAP to search for the data, organizations, individuals, or resources (such as files or devices) with a top-down approach. It works its way down the tree until the requested information is found. For further granularity, each group in the tree can also have its own hierarchy.
LDAP simplifies the process of identifying one employee amongst thousands. Each employee has their own data stored in LDAP language, along with their permissions. There are apps, services, and systems they are allowed to have access to, and there are other areas that they don’t have access to. LDAP keeps track of this so your administrators don’t have to. The security policy can live in the domain controller so you can define who has access to what (such as a file, a device, or permission to change their desktop background or download a file).
EXAMPLE
Gordon wants to share a file with some employees, but not all employees. To do so, Gordon could create a special group in the hierarchy. Based on what he needs to share, he decides to create a group for accounting department employees. For that group only, Gordon can add a security policy that only people in the accounting department can access this type of Excel file.
If he wanted to get more specific, Gordon could also create a hierarchy within the accounting department group. He could create two subgroups that narrow permissions down even more: Group A and Group B. Since Gordon runs the accounting group, he can also hand out permissions to subgroups that he creates. He can assign permissions to one, a few, or many people to have access to a particular set of files, devices, etc.
This ability to create groups and subgroups in an LDAP hierarchical structure streamlines the permissions process because the accounting department employee only has to go to Gordon for permission to access files and devices and not all the way back to the main network administrator.
LDAP is a way to talk to an active directory. It provides a standardized way to store, identify, and define data in an organized hierarchical way. When the user queries the LDAP database for a specific object, it walks down the directory tree to find that object for the requestor. All permissions are contained within the various domains, so access can be quickly allowed or denied. There are many other ways LDAP can be used to streamline data storage, access, and retrieval, which makes it a very popular option for enterprises today.
Start Today
See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.
Request a free demo
Thank you! Keep an eye on your inbox. We’ll be in touch soon.