LDAP (Lightweight Directory Access Protocol) is a protocol that facilitates directory management, authentication, and authorization. It was one of the first core directory protocols (invented in the early ʼ90s), and it is still in use today. However, the typical IT environment has changed considerably in the last few decades, and LDAP has followed suit. What was once exclusively an on-premises protocol is now available both on-premises and in the cloud.
Online LDAP allows IT admins to reap the benefits of the protocol without complex configuration or additional on-premises server requirements. That way, they can secure user authentication to legacy applications, Samba file servers and NAS appliances, and other resources that require a backing LDAP directory — all from the cloud.
This blog will explore the migration of LDAP from on-premises to the cloud and how online LDAP changes the protocol’s manageability and role in the modern directory.
How LDAP Is Evolving
LDAP is a highly technical protocol, and managing it in-house requires considerable time and expertise — and that’s not to mention the drain on resources from hosting an LDAP server on-prem. Moving LDAP to the cloud relieves the burden of both hosting and managing an LDAP instance. Read on to explore the challenges of managing traditional LDAP and how LDAP is evolving to address these challenges and accommodate changing needs.
Why Is Traditional LDAP So Hard to Manage?
While most LDAP directories, like OpenLDAP, are open source and require no software to purchase, they do require a hefty investment in both the server components and technical know-how. This is largely because the protocol is so open and flexible that admins need a strong baseline of knowledge to use it.
OpenLDAP, for example, is so open-ended that it allows you to create and customize schemas, which define everything from the directory structure to object classification and syntax. This may be highly useful for someone with the expertise and time to set up a directory from scratch, but it can be too open-ended for other admins who just want to set up a directory that works. In short, LDAP provides a lot of options with little guidance or structure to contextualize them.
To complicate things further, maintaining an on-prem directory can be tedious and challenging. Making a change to the schema after the directory has been built, for example, might cause domino-effect breakage throughout the directory environment. Managing precarious structures with a high degree of flexibility and little supporting guidance can cause serious problems in the environment.
In addition, LDAP programs like OpenLDAP are generally executed and managed at the command line; admins that want a more interactive and visual experience would need to supplement their LDAP implementation with a third-party GUI wrapper.
And that’s just the half of it. Managing your own LDAP instance also means hosting and managing an LDAP server. That includes keeping up with patches, responding to outages, and paying to house the server somewhere safe with reliable and secure backups in place. And don’t forget the costs of upgrading the hardware itself every few years and hiring an engineer with enough expertise to set up, configure, maintain, and ultimately manage it.
The time and expenses associated with hosting your own LDAP directory add up; after a few years, they’re rarely lower than the costs of outsourcing to an online LDAP instance. To play around with the associated costs of hosting infrastructure over time, check out this interactive TCO calculator.
How Online LDAP Solves the Problem
These challenges aren’t unique to LDAP: in general, businesses have begun to realize that hosting their own infrastructure is rarely more cost- and resource-effective than outsourcing it to the cloud. As the cloud replaces on-prem infrastructure as the business norm, LDAP has followed suit.
Cloud-based LDAP has emerged as an alternative to on-prem LDAP for IT teams who want to access LDAP servers online, as needed. This removes the heavy lifting of on-prem LDAP: instead of hosting and managing a server in-house, organizations can simply use a cloud-based one as needed. And many cloud-based LDAP instances include a more user-friendly UI to assist with implementation and configuration. Outsourcing LDAP to the cloud allows IT teams to focus on driving strategic initiatives and enabling their users to work securely from anywhere. Frankly, there is little reason to run your own LDAP infrastructure when you can do so from the cloud.
What Is LDAP’s Role in the Directory Today?
The types of resources that organizations have to manage have diversified considerably. Now, the modern business must manage everything from on-premises systems to mobile devices, wireless networks, and web-based applications, rather than the traditional, fully on-prem environment. To accommodate this diversification, one directory protocol no longer suffices; instead, the modern directory uses multiple protocols, like SAML, OAuth, and RADIUS. These new protocols don’t replace LDAP; rather, they expand a directory’s reach by allowing the directory to manage more types of resources.
LDAP is still often the protocol of choice for many open source technical solutions, like Docker, Kubernetes, Jenkins, and thousands of others. Also, because LDAP has been around for so long, many popular commercial applications standardize around LDAP as their backend authentication protocol. Linux server authentication also commonly leverages LDAP, usually through OpenLDAP.
Online LDAP Within an Open Directory
Many platforms offer online LDAP services; however, they vary in capabilities and comprehensiveness. Some combine LDAP with many other functionalities, like identity and access management (IAM), mobile device management (MDM), and more. It’s worth considering whether an online LDAP offering can meet any of your organization’s other identity and access management needs. To evaluate your organization’s needs, you can use the following questions:
- What current resources in your environment require LDAP (e.g., applications and servers)?
- Are your current LDAP binds secure?
- What other resources and protocols do you need to support (e.g., SAML and RADIUS)?
- Can you find an all-in-one solution that meets not only your LDAP needs but also other IT needs, including identity federation and system management?
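The second question above, whether your LDAP binds are secure, is the one that can be checked mechanically before any migration: a simple bind over plain `ldap://` without StartTLS sends the bind password in cleartext, and a TLS connection that never verifies the server certificate can be intercepted just as easily. The following script is an added example (not JumpCloud's code or any product's) that audits client-side settings for those two weaknesses. The two configuration snippets are constructed for this example; the key names follow OpenLDAP's `ldap.conf` (`URI`, `TLS_REQCERT`) and sssd's `sssd.conf` (`ldap_uri`, `ldap_id_use_start_tls`, `ldap_tls_reqcert`).

```python
"""Audit LDAP client configuration for cleartext or unverified binds.

Added example. The sample configs below are constructed for illustration
and do not describe any real host.
"""
from urllib.parse import urlsplit

# Constructed sample: an OpenLDAP client ldap.conf with two weaknesses.
SAMPLE_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed sample)
BASE   dc=example,dc=com
URI    ldap://ldap.example.com ldaps://ldap2.example.com
TLS_REQCERT never
"""

# Constructed sample: an sssd.conf domain section that binds in cleartext.
SAMPLE_SSSD_CONF = """\
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com:389
ldap_id_use_start_tls = false
ldap_tls_reqcert = demand
"""

# Constructed sample: the same sssd domain after enforcing StartTLS.
SAMPLE_SSSD_CONF_HARDENED = """\
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com:389
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
"""


def parse_kv(text):
    """Parse 'KEY value' (ldap.conf) or 'key = value' (sssd.conf) lines.

    Comments, blank lines and [section] headers are skipped; keys are
    lowercased so both file styles can be audited by the same rules.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        cfg[key.strip().lower()] = value.strip()
    return cfg


def audit_ldap_binds(cfg):
    """Return a list of findings; an empty list means no weakness detected.

    Rules applied:
      * ldap:// without StartTLS enforced  -> credentials sent in cleartext.
        ldap.conf has no StartTLS switch (tools must request it, e.g.
        ldapsearch -ZZ), so a bare ldap:// URI there is flagged as well.
      * TLS in use but reqcert is 'never' or 'allow' -> server certificate
        is not verified, so the bind can be intercepted.
    """
    findings = []
    raw_uris = cfg.get("uri") or cfg.get("ldap_uri") or ""
    uris = raw_uris.replace(",", " ").split()          # ldap.conf: spaces; sssd: commas
    start_tls = cfg.get("ldap_id_use_start_tls", "false").lower() == "true"
    reqcert = (cfg.get("tls_reqcert") or cfg.get("ldap_tls_reqcert") or "demand").lower()

    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldapi":                           # local Unix socket: no network exposure
            continue
        if scheme == "ldap" and not start_tls:
            findings.append(f"{uri}: plaintext simple bind (no LDAPS, StartTLS not enforced)")
        elif scheme in ("ldap", "ldaps") and reqcert in ("never", "allow"):
            findings.append(f"{uri}: TLS used but server certificate not verified (reqcert={reqcert})")
    return findings


if __name__ == "__main__":
    for name, text in (("ldap.conf", SAMPLE_LDAP_CONF),
                       ("sssd.conf", SAMPLE_SSSD_CONF),
                       ("sssd.conf (hardened)", SAMPLE_SSSD_CONF_HARDENED)):
        print(f"== {name} ==")
        for finding in audit_ldap_binds(parse_kv(text)) or ["no weaknesses found"]:
            print("  " + finding)
```

Run against the constructed `ldap.conf` the script reports both a cleartext `ldap://` bind and an `ldaps://` bind that skips certificate verification; the first `sssd.conf` is flagged for cleartext, and the hardened variant (StartTLS enforced, `reqcert = demand`) produces no findings. On a real migration the same rules apply to the cloud endpoint: bind only over LDAPS or StartTLS, and keep certificate verification on.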
If you discover that your organization has needs beyond cloud LDAP — such as SAML-backed applications, RADIUS networks, or system management needs — a full-suite cloud directory service may better suit your environment.
JumpCloud, for example, offers an online LDAP platform that eliminates the pain of maintaining your own LDAP setup — but this LDAP service is one segment of its broader open directory platform. JumpCloud also offers a comprehensive directory service that spans IAM, MDM, access management, and more. With JumpCloud’s open directory, your users can connect securely from anywhere and with any trusted device, allowing you and your team to work on your terms — not your platform’s.