Lightweight Directory Access Protocol (LDAP) is an open, cross-platform protocol used between a client and a server over a persistent connection. It defines how clients encode their requests and how servers encode their responses.
LDAP is a secure way to authenticate users because it uses stringent encoding rules that don't allow users to create weak passwords.
LDAP was created to give enterprises a secure authentication tool, but it has other functions, too. It can be used in a network's Active Directory, where it encodes, stores, accesses, and manages user and device information (and other data). The types of data stored include usernames and passwords, account details, printer connections, email addresses, and other sensitive data.
Specific functions include:
Storing a systematic set of records and data in a hierarchical structure
Searching and retrieving data within that structure that matches a given set of criteria
Authenticating and authorizing users and devices
Organizing groups
Creating policy
To start an LDAP authentication session, a client first connects to the server. Once the connection is established, the client and the server can exchange packets of data. When a user's request reaches the server, the supplied credentials are checked against the data previously entered by the administrators. If they match, the user gains access; if they don't, access is denied.
EXAMPLE
Patricia enters her name and password into a web application.
Her request for access gets sent to a service, which uses LDAP-encoded data to match her credentials with the credentials already in its database.
If Patricia's username or password doesn't match the credentials stored in the LDAP-encoded database, LDAP sends back an error message.
If Patricia’s credentials match the credentials in the LDAP-based database, the service authenticates her and she gains access.
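The exchange described in the example above, as an added illustration that is not from the original page: a minimal BER encoder for the LDAPv3 simple BindRequest the client sends and a decoder for the BindResponse the server returns (RFC 4511). The DN, password and response bytes are constructed sample values, not taken from any real directory.

```python
# Added example, not from the original page: BER encoding of an LDAPv3
# simple BindRequest and decoding of a BindResponse (RFC 4511 section 4.2).
def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name,
    simple [0] OCTET STRING } }. The password travels as plain octets, so a
    simple bind is only as confidential as the transport carrying it."""
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, body))

def parse_tlv(data: bytes, pos: int) -> tuple:
    """Return (tag, value, offset just past the element) starting at pos."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, data[pos:pos + length], pos + length

def parse_bind_response(data: bytes) -> tuple:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = parse_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = parse_tlv(msg, 0)
    tag, body, _ = parse_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse [APPLICATION 1]")
    _, code, pos = parse_tlv(body, 0)  # resultCode ENUMERATED (tag 0x0a)
    _, _, pos = parse_tlv(body, pos)   # matchedDN, unused here
    _, diag, _ = parse_tlv(body, pos)  # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True), diag.decode())

# Constructed sample BindResponses: resultCode 49 = invalidCredentials, 0 = success.
REJECTED = b"\x30\x1f\x02\x01\x01\x61\x1a\x0a\x01\x31\x04\x00\x04\x13invalid credentials"
ACCEPTED = b"\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00"
```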
The LDAP directory on the server is set up in a treelike, or hierarchical, structure. When a user requests information, the requester doesn't need to know where in the directory the data is located. LDAP searches for the data, organization, individual, or resource (such as a file or device) with a top-down approach, working its way down the tree until the requested entry is found. For further granularity, each group in the tree can also have its own hierarchy.
LDAP simplifies the process of identifying one employee amongst thousands. Each employee's data is stored in the LDAP directory, along with their permissions. There are apps, services, and systems they are allowed to access, and there are other areas that they can't access. LDAP keeps track of this so your administrators don't have to. The security policy can live in the domain controller so you can define who has access to what (such as a file, a device, or permission to change their desktop background or download a file).
EXAMPLE
Gordon wants to share a file with some employees, but not all employees. To do so, Gordon could create a special group in the hierarchy. Based on what he needs to share, he decides to create a group for accounting department employees. For that group only, Gordon can add a security policy that only people in the accounting department can access this type of Excel file.
If he wanted to get more specific, Gordon could also create a hierarchy within the accounting department group. He could create two subgroups that narrow permissions down even more: Group A and Group B. Since Gordon runs the accounting group, he can also hand out permissions to subgroups that he creates. He can assign permissions to one, a few, or many people to have access to a particular set of files, devices, etc.
This ability to create groups and subgroups in an LDAP hierarchical structure streamlines the permissions process, because an accounting department employee only has to go to Gordon for permission to access files and devices, not all the way back to the main network administrator.
LDAP is a way to talk to an Active Directory. It provides a standardized way to store, identify, and define data in an organized, hierarchical way. When a user queries the LDAP database for a specific object, it walks down the directory tree to find that object for the requester. All permissions are contained within the various domains, so access can be quickly allowed or denied. There are many other ways LDAP can be used to streamline data storage, access, and retrieval, which makes it a very popular option for enterprises today.