By Ryan Squires Posted January 28, 2020
LDAP has a long history, but much of that information isn’t relevant to how LDAP is most often used now: user authentication. So instead of diving into the past, we thought it might help readers to glance at the quick guide to LDAP to understand the basics.
What is LDAP?
LDAP powers authentication to help make sure the right people access company resources. These varied resources include systems (Windows®, macOS®, and Linux®), although system authentication with LDAP can be painful, legacy applications, files, and even WiFi networks (though RADIUS is the preferred protocol for network authentication).
The protocol essentially works like this: A user inputs their username and password to enter a given resource. To fulfill that request, the LDAP protocol takes the username and password and checks it against a database to make sure they’re correct. If the values match, the user authenticates to the requested service, which just basically means they’re allowed to enter whatever resource they were requesting. At the same time, a process called authorization determines what the user can access while in that resource.
What Are the Benefits of LDAP?
- Open Source: It doesn’t cost anything to download the most popular implementation of LDAP — OpenLDAP.
- Standardized: LDAP was ratified as an Internet Engineering Task Force (IETF) standard back in 1997 with RFC 2251. As such, the industry at large supports LDAP and will continue to do so.
- Flexible: Developers and IT admins utilize LDAP authentication for many different use cases including application and remote server authentication. And because it‘s been used in so many different ways, there is a community surrounding the protocol that helps people get the most out of it.
What are the Drawbacks of LDAP?
- Age: LDAP is old. Newer authentication protocols like SAML are built for modern, cloud-forward IT environments.
- On-Prem: LDAP is traditionally set up on-prem with an OpenLDAP server, and it is not an easy undertaking. For organizations moving to the cloud, having to set up an on-prem authentication mechanism is less than ideal.
- Expertise: LDAP setup and maintenance generally requires an expert. People with this type of technical knowledge can be difficult to find and expensive.
What are the Use Cases for LDAP Authentication?
- Technical Applications: Applications like Jenkins, Docker, OpenVPN®, and the Atlassian® suite make use of LDAP for their authentication needs.
- Server Infrastructure: Servers both on-prem and in the cloud (like AWS®) leverage LDAP to authenticate users to them.
- File Servers: Like the two previous examples, file servers like QNAP, Synology®, and FreeNAS each use LDAP.
- Networking Equipment: A much more limited use case due to RADIUS, but some organizations do use LDAP for network access.
How is LDAP Packaged?
- Active Directory® (AD): AD uses LDAP (and Kerberos) to authenticate users to IT resources such as systems, applications, and file servers. As a Microsoft® product, it is best suited for Windows-based environments. IT admins must pay to license Windows Server which includes AD. This represents the traditional licensing model that IT organizations know well with Microsoft products. Finally, a VPN is needed to authenticate remote users to on-prem resources.
- OpenLDAP: As noted previously, OpenLDAP doesn’t cost anything to download. Significant costs do surround the setup and ongoing management of the infrastructure, though. Because of its open-source roots, OpenLDAP works great with Linux- and Unix-based OSes, so you’ll find it in many DevOps environments. Like AD, you’ll need a VPN to authenticate to on-prem resources.
- LDAP-as-a-Service: This cloud-based LDAP option is vendor agnostic and works with a wide range of IT resources. With LDAP-as-a-Service, there is no need for a VPN, just point your resources at the cloud-based server to authenticate and authorize users to their LDAP resources.
Ultimately, LDAP Provides Just a Piece
There are a significant number of needs beyond LDAP in today’s modern IT environments including system management, multi-factor authentication (MFA), web application single sign-on and a horde of others. So for many, having an entire server dedicated to authentication might be overkill, especially when so many other needs are present. That’s why cloud-forward admins are shifting to the cloud-based model where they aren’t forced to continually maintain on-prem implementations for authentication. It makes sense in a world where different resources benefit from alternative authentication methodologies.
Without going into too many specifics, we hope this quick guide to LDAP helped you get a better understanding of some of the basic aspects of LDAP. If you want to see how a cloud-based solution simplifies LDAP setup procedures, watch the video below.