{"id":44102,"date":"2021-06-08T12:30:00","date_gmt":"2021-06-08T16:30:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=44102"},"modified":"2024-07-08T09:09:39","modified_gmt":"2024-07-08T13:09:39","slug":"ldap-vs-ldaps","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/ldap-vs-ldaps","title":{"rendered":"LDAP vs. LDAPS: Securing Auth to Legacy Apps"},"content":{"rendered":"\n
Legacy application configurations may still use clear-text LDAP for some directory binds in a local environment, which was relatively harmless within the fortified LANs of yesteryear. Modern security baselines require encryption of all user credentials in transit to protect against password sniffing and other forms of credential theft<\/a>. Today, LDAP authentications are more often crossing the public internet within remote and hybrid environments. That requires adding the appropriate security controls.<\/p>\n\n\n\n You may have heard that you need to configure legacy third-party apps to use Secure LDAP instead of clear-text LDAP. LDAPS (LDAP over SSL) and STARTTLS (LDAP over TLS) are both secure versions of LDAP that encrypt the authentication process. (Note that \u201cLDAPS\u201d is often used to denote LDAP over SSL, STARTTLS, and a Secure LDAP implementation.) <\/p>\n\n\n\n Switching from LDAP to LDAPS involves taking a close look at your directory service events log, manually identifying and switching the ports that legacy apps are using to bind to the directory, extracting CA (certificate authority) certificates to create the secure bind, and continued monitoring. The process can be cumbersome and time-consuming, but it\u2019s doable \u2014 and, now more than ever, mandatory. <\/p>\n\n\n\n Let\u2019s take a closer look at the LDAP protocol, what makes LDAPS and STARTTLS secure, and how to implement a secure authentication process for legacy applications.<\/p>\n\n\n\n LDAP (Lightweight Directory Access Protocol) is sometimes used as a synonym or shorthand for Microsoft Active Directory (AD). However, while much of AD\u2019s functionality is built on LDAP, they\u2019re not one and the same. AD leverages a proprietary version of Kerberos more often than LDAP to authenticate user access. LDAP is one of the protocols that many on-prem apps and other resources use to authenticate users against a core directory like AD or OpenLDAP.<\/p>\n\n\n\n
What Is LDAP? Essential Background<\/h2>\n\n\n\n