By Vince Lujan Posted May 23, 2018
The Lightweight Directory Access Protocol, or LDAP for short, is one of the core protocols that was developed for directory services. According to Chron.com, LDAP is used to distribute lists of information organized into directory information trees, which are stored within an LDAP database. However, in order to access information stored within an LDAP database, the user must first authenticate their identity. What is LDAP authentication? Continue reading for the answer to this question, and to learn how the JumpCloud® Directory-as-a-Service® platform can deliver LDAP authentication as a cloud-based service.
Origins of LDAP
Before we define what LDAP authentication is, we should talk about the significance of LDAP as a whole. According to Tim Howes, co-inventor of the LDAP protocol, LDAP was developed at the University of Michigan to initially replace DAP (the Directory Access Protocol) and provide low-overhead access to the X.500 Directory – the forerunner directory service that LDAP would eventually replace.
“I was in a group of young upstarts who were trying to bring Unix and the Internet to campus. The Internet was just emerging, and the International Organization for Standardization (ISO) was creating standards for everything related to the Internet, including email and directory services. So, we were working with X.500, which was ISO’s standard for directory services. At that time, I was also working for the University’s information technology division. I was assigned this project to deploy an X.500 directory for the campus, which I completed, but I quickly learned that it was way too heavy of a protocol and too complicated for the machines that were on most people’s desktops. LDAP came out of my desire to do something a little lighter weight in order to accommodate the Macs and PCs that were on everybody’s desktop.” – Tim Howes
LDAP has been highly successful ever since it was first introduced in 1993. In fact, LDAPv3 became the Internet standard for directory services in 1997, according to Wikipedia. LDAP also inspired the creation of OpenLDAP™, the leading open source directory services platform, and formed the foundation for Microsoft® Active Directory® (AD) a few years later. LDAP is even a core aspect of modern cloud directories like JumpCloud Directory-as-a-Service. So, it’s safe to assume that LDAP authentication will be a foundational element of identity management for years to come.
Basic LDAP Authentication and Common Challenges
LDAP authentication follows the client/server model. In this scenario, the client is generally an LDAP-ready system or application that is requesting information from an associated LDAP database and the server is, of course, the LDAP server. The server side of LDAP is a database that has a flexible schema. In other words, not only can LDAP store username and password information, but it can also store a variety of attributes including address, telephone number, group associations, and more. As a result, a common LDAP use case is to store core user identities.
In doing so, IT can point LDAP-enabled systems and applications to an associated LDAP directory database, which acts as the source of truth for authenticating user access. So, how does LDAP authentication between a client and server work? In short, the client sends the user’s credentials to the LDAP server along with a request for information stored within the LDAP database. The LDAP server then checks the submitted credentials against the user’s core identity, which is stored in the LDAP database. If the submitted credentials match those stored with the core user identity, the client is granted access and receives the requested information; if not, the client is denied access to the LDAP database.
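The two-message exchange described above, as an added example that is not part of the original post or of JumpCloud’s code: a Python script that encodes an LDAPv3 simple BindRequest and decodes the server’s BindResponse using plain BER, following the message layout in RFC 4511. The DN, password and response bytes are constructed sample data; a real client would write the request to a TLS-protected socket and read the response back from it.

```python
"""Added example (not JumpCloud code): the LDAPv3 simple-bind exchange encoded by hand.

A client authenticates by sending a BindRequest (RFC 4511) carrying the user's DN
and password; the server answers with a BindResponse whose resultCode says whether
the credentials matched. This module builds and parses those two messages with
plain BER so the bytes on the wire can be inspected. The DN, password and the
response bytes are constructed sample data.
"""
from dataclasses import dataclass

# BER tags used by the two messages (universal tags plus LDAP's APPLICATION tags).
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice.simple: [0] context-specific, primitive

# A few LDAPResult codes a login path has to distinguish (RFC 4511, Appendix A).
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}


def ber_length(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(tag: int, n: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER/ENUMERATED."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def encode_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = tlv(
        TAG_BIND_REQUEST,
        ber_integer(TAG_INTEGER, 3)
        + tlv(TAG_OCTET_STRING, bind_dn.encode("utf-8"))
        + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")),
    )
    return tlv(TAG_SEQUENCE, ber_integer(TAG_INTEGER, message_id) + bind_request)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BindResult:
    message_id: int
    result_code: int
    diagnostic: str

    @property
    def ok(self) -> bool:
        return self.result_code == 0

    @property
    def name(self) -> str:
        return RESULT_CODES.get(self.result_code, f"resultCode {self.result_code}")


def decode_bind_response(msg: bytes) -> BindResult:
    """Parse LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    tag, code, pos = read_tlv(op, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return BindResult(int.from_bytes(mid, "big", signed=True),
                      int.from_bytes(code, "big", signed=True),
                      diag.decode("utf-8", "replace"))


# Constructed sample: a server rejecting the bind with resultCode 49 (invalidCredentials).
SAMPLE_INVALID_CREDENTIALS = bytes.fromhex("300c" "020101" "6107" "0a0131" "0400" "0400")


def password_is_in_clear(request: bytes, password: str) -> bool:
    """True when the password appears verbatim in the request: a simple bind carries
    no protection of its own, so it must only travel over LDAPS or StartTLS."""
    return password.encode("utf-8") in request


if __name__ == "__main__":
    req = encode_bind_request(1, "cn=alice,dc=example,dc=com", "s3cret")
    print(req.hex())
    print(decode_bind_response(SAMPLE_INVALID_CREDENTIALS))
    print("password visible on the wire:", password_is_in_clear(req, "s3cret"))
```

Running the script prints the request bytes and shows the password sitting in them unchanged; that is the reason the FAQ below insists on LDAPS or StartTLS for every bind. A client that wants to distinguish “wrong password” (resultCode 49) from “account may not bind” (53) or “no such entry” (32) reads the code from the BindResponse exactly as `decode_bind_response` does.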
While LDAP authentication has certainly proven to be effective, the amount of time required to implement and customize LDAP-based infrastructure to meet a modern organization’s identity management needs can be significant. Historically, LDAP has also been an on-prem implementation, requiring dedicated servers that must be integrated into an organization’s overall identity management infrastructure (which has also historically been on-prem). This type of setup can be difficult to achieve, especially for smaller or cloud-forward IT organizations. After all, most modern organizations would like to shift their entire on-prem identity management infrastructure to the cloud. However, as more organizations replace their traditional on-prem infrastructure with cloud alternatives, the question becomes, “How do I provide LDAP authentication without anything on-prem?”
Cloud-Based LDAP Authentication
Fortunately, a next generation cloud directory has recently emerged that can provide LDAP authentication as a cloud-based service. It’s called JumpCloud Directory-as-a-Service, and it can not only provide cloud-based LDAP authentication, but it can also securely manage and connect users to their systems, applications, files, and networks without anything on-prem. This is because the JumpCloud platform has taken a cross-platform (e.g., Windows®, macOS®, Linux®), vendor-neutral (e.g., Microsoft®, Google®, AWS®), protocol-driven approach (e.g., LDAP, SAML, RADIUS, OAuth, and more) to managing modern IT networks. The end result is that IT organizations are free to leverage the best resources for the business, knowing they can effectively manage it all with JumpCloud Directory-as-a-Service.
Learn More about JumpCloud LDAP Authentication
We hope this was helpful, but if you’re still asking, “What is LDAP authentication?” we invite you to sign up for a free account or schedule a demo to see JumpCloud LDAP authentication in action. We offer 10 free users to help you explore the full functionality of our platform, including JumpCloud LDAP, at no cost. Of course, you are also more than welcome to contact the JumpCloud team if you have any questions.
General LDAP FAQ
How does LDAP work with Active Directory?
LDAP provides a means to manage user and group membership stored in Active Directory. LDAP is a protocol to authenticate and authorize granular access to IT resources, while Active Directory is a database of user and group information.
What is LDAP injection?
LDAP injection occurs when a bad actor supplies crafted input that alters an LDAP query in order to modify or divulge sensitive user data held on LDAP servers. Prevent malicious injections by validating and escaping user-supplied input in LDAP filters and by reviewing the LDAP client applications that construct them.
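The filter-construction defect behind LDAP injection and its fix, as an added example that is not part of the original post or of JumpCloud’s code: a vulnerable filter builder next to one that escapes input per RFC 4515, a DN escaper per RFC 4514 for the bind step, and a structural check that illustrates why validation alone is not enough. The attribute names, base DN and sample inputs are constructed.

```python
"""Added example (not JumpCloud code): building LDAP search filters from user input.

LDAP injection happens when untrusted text is concatenated into a filter or DN so
that the filter's structure changes. The fix is to escape the input as an
assertion value (RFC 4515) and, for DNs, as an attribute value (RFC 4514);
structural validation of the finished filter is only a backstop. The sample
inputs, attribute names and base DN below are constructed.
"""

# Metacharacters an assertion value must escape inside a search filter (RFC 4515, section 3).
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Characters that need a backslash anywhere in a DN attribute value (RFC 4514, section 2.4).
DN_SPECIALS = ',+"\\<>;'


def escape_filter_value(value: str) -> str:
    """Escape user input for use as an LDAP filter assertion value."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape user input for use as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == " " and i in (0, last):   # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:           # leading hash
            out.append(r"\#")
        else:
            out.append(ch)
    return "".join(out)


def unsafe_login_filter(username: str) -> str:
    """Vulnerable: the username is pasted straight into the filter string."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_login_filter(username: str) -> str:
    """Hardened: metacharacters in the username are escaped, so the server can only
    ever compare it as a literal value."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def user_dn(username: str, base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Hardened DN construction for the bind that follows the search."""
    return f"uid={escape_dn_value(username)},{base_dn}"


def is_well_formed_filter(f: str) -> bool:
    """Backstop check: unescaped parentheses balance and there is exactly one
    top-level expression. It cannot catch every injection (see the usage note)."""
    depth = top_level = 0
    i = 0
    while i < len(f):
        ch = f[i]
        if ch == "\\":      # escape sequence: backslash plus two hex digits
            i += 3
            continue
        if ch == "(":
            if depth == 0:
                top_level += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0 and top_level == 1


if __name__ == "__main__":
    # Constructed inputs: an ordinary login name and one containing filter metacharacters.
    for name in ("alice", "*)(uid=*"):
        print("unsafe:", unsafe_login_filter(name))
        print("safe:  ", safe_login_filter(name))
        print("dn:    ", user_dn(name))
```

The second constructed input shows the limits of validation: the unsafe filter it produces is syntactically valid, so `is_well_formed_filter` accepts it even though it now matches every person entry, while the escaped version compares the text as a literal and matches nothing. Escaping is therefore the primary control; where the client library offers an equivalent (python-ldap’s `ldap.filter.escape_filter_chars` and `filter_format`, for instance), prefer it over a hand-written one.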
Where do we use LDAP?
LDAP is used as an authentication protocol for directory services. We use LDAP to authenticate users to on-prem and web applications, NAS devices, and Samba file servers.
Is LDAP secure?
In order to secure communications, LDAP transactions must be encrypted using an SSL/TLS connection. To set this up, use either LDAPS on port 636 or StartTLS on the standard LDAP port 389.
What is the difference between Kerberos and LDAP?
While both are network protocols used for authentication (verification of a user’s ID), LDAP differs in that it can also authorize (determine access permissions) clients and store user and group information.