LDAP 101
Lightweight Directory Access Protocol
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate data about organizations, individuals, and other resources such as files and devices in a network — whether on the public Internet or on a corporate Intranet. — Alexander S. Gillis (https://www.techtarget.com/)
LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well supported standards-based mechanism for interacting with directory servers. It’s often used for authentication and storing information about users, groups, and applications, but an LDAP directory server is a fairly general-purpose data store and can be used in a wide variety of applications. (https://ldap.com/)
We can use LDAP to access resources in a company directory, such as a phone directory or an email directory, and to read, add, modify, and delete data in that directory.
When and why do we choose LDAP?
There are several types of data store in the world, LDAP among them, so we need to know which type satisfies our needs.
LDAP is an open standard protocol. The protocol is well-defined and explicitly specified in RFC 4511, which describes how the client encodes requests, how the server encodes responses, and the attributes and operations (add, modify, bind, etc.). Because the protocol is so widely implemented, we can use LDAP without a lot of extra configuration: we only need to know the hostname of the LDAP server to connect to it and start using its features.
LDAP is mature but evolving. The current version of LDAP is LDAPv3, which was officially released in December 1997. However, because LDAP is a critical component of most large enterprises and internet-scale companies, there is a lot of competition between vendors, which keeps driving performance, scalability, and innovation forward. So we don't need to worry if we choose up-to-date and reliable vendors like OpenLDAP developed by Apple Inc and Apache Directory Server developed by Apache.
LDAP is lightweight. The name itself already tells us this. It's technically a lightweight version of X.500, but it's also very lightweight in comparison to most other "modern" protocols. LDAP messages are encoded with ASN.1 BER, a compact binary format that is very efficient to encode and decode; it's much more streamlined than something like JSON or XML over HTTP. LDAP also uses persistent connections for communicating with a directory server. Whereas many modern HTTP-based protocols use relatively short-lived connections, LDAP connections can live for hours or days or even longer. This makes a big difference for performance and scalability, because establishing a new connection is significantly more expensive than using one that's already available, especially when using secure connections that require negotiating or resuming a TLS session. And because the server can associate state information with the connection, the client doesn't need to include identifying information with each request, which makes requests even smaller and more efficient.
LDAP is secure. LDAP directory servers are often used as an authentication repository and often store sensitive information like passwords and other account details. LDAP supports a variety of authentication types through SASL (Simple Authentication and Security Layer), which acts as a gatekeeper for access to the directory.
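To make the two points above concrete (BER is compact, and the directory holds credentials), here is an added example that is not part of the original article: a minimal ASN.1 BER encoder and decoder, just enough to build and parse an LDAPv3 simple BindRequest as RFC 4511 defines it. No LDAP library is used; the DN and password are constructed sample values. The anonymous bind it produces is 14 bytes, which is why LDAP stays cheap on the wire. The same output also shows the defender's caveat: a simple bind carries the password as plain octets inside the frame, so it must travel over TLS (ldaps:// or StartTLS) or be replaced by a SASL mechanism.

```python
# Added example (not from the original article): hand-rolled BER for an
# LDAPv3 simple BindRequest, RFC 4511 section 4.2. The DN and password used
# in the demo are constructed sample values.

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple for a single-octet tag."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_integer(value: int, tag: int = 0x02) -> bytes:
    """INTEGER in minimal two's-complement form (non-negative values only here)."""
    if value < 0:
        raise ValueError("negative integers are not needed for LDAP message IDs")
    size = max(1, (value.bit_length() + 8) // 8)  # keep the sign bit clear
    return ber_tlv(tag, value.to_bytes(size, "big"))

def ber_octet_string(data: bytes, tag: int = 0x04) -> bytes:
    return ber_tlv(tag, data)

def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, dn, simple [0] pw } }."""
    bind = (
        ber_integer(3)                                      # version: LDAPv3
        + ber_octet_string(dn.encode("utf-8"))              # name (LDAPDN)
        + ber_octet_string(password.encode("utf-8"), 0x80)  # simple [0] OCTET STRING
    )
    bind_request = ber_tlv(0x60, bind)                      # APPLICATION 0, constructed
    return ber_tlv(0x30, ber_integer(message_id) + bind_request)  # outer SEQUENCE

def parse_tlv(data: bytes, offset: int = 0):
    """Return (tag, value, next_offset) for the TLV starting at offset."""
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:end], end

def decode_simple_bind(msg: bytes) -> dict:
    """Parse a simple BindRequest back into its fields."""
    tag, body, end = parse_tlv(msg)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, mid, pos = parse_tlv(body)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    tag, bind, _ = parse_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    tag_ver, ver, pos = parse_tlv(bind)
    tag_name, name, pos = parse_tlv(bind, pos)
    tag_auth, auth, _ = parse_tlv(bind, pos)
    if tag_ver != 0x02 or tag_name != 0x04:
        raise ValueError("unexpected BindRequest layout")
    if tag_auth != 0x80:
        raise ValueError("only simple authentication is handled here (SASL is [3])")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "name": name.decode("utf-8"),
        "password": auth.decode("utf-8"),
    }

if __name__ == "__main__":
    msg = build_simple_bind(1, "cn=admin,dc=example,dc=com", "secret")  # constructed sample
    print(len(msg), "bytes:", msg.hex())
    print(decode_simple_bind(msg))
    # The password octets sit in the frame as-is; only a TLS wrapper
    # (ldaps:// or StartTLS) keeps them off the wire in the clear.
    print("password visible in the plaintext frame:", b"secret" in msg)
```

Run it and compare the hex with what a packet capture of a simple bind shows: the tag 0x60 marks the BindRequest, 0x80 marks the simple credential, and everything the server needs fits in a few dozen bytes.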
THE Architecture
Imagine a tree when we build an LDAP server. A tree has a big trunk, the trunk grows into branches, and further branches connect to leaves. For example, let's take a look at our imaginary company.
Let's start with the most general facts about our company. The physical company is built in this world; in the LDAP server world that means the internet, and our company is built on a domain. We name our root "dc" or domain component.
- Root = domain / “dc”
Next, what are we going to store in our company's LDAP server? For now, we are going to store our employee data and our company servers, so our first two branches are employees/users and servers. We name our branches "ou" or organizational unit.
- Branches = “ou”
Lastly, we have to decide what data we are going to store. We can store our employees' names, ages, emails, passwords, etc. We name our leaves "cn" (common name), or "uid" (user ID) if the entry is a user, which can be used for authorization. We can use an email address or name for the uid and the server name for the common name.
- Leaves = “uid” / “cn”
What we have done so far is just an example; in real deployments there can be many modifications depending on the requirements.
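The tree built up over the last three steps, written out as LDIF the way a directory server would import it, together with the checks a server applies to keep it a tree. This is an added example, not code from the original article: the domain dc=example,dc=com, the two organizational units, the user alice and the server web01 are constructed sample data. It also goes slightly beyond the text by parsing DNs per RFC 4514, because values such as "Smith, John" contain an escaped comma and a naive split on "," silently produces the wrong parent.

```python
# Added example (not from the original article): the root/branch/leaf tree as
# LDIF, DN parsing per RFC 4514, and tree validity checks. All names are
# constructed sample data.
from string import hexdigits

LDIF_SAMPLE = """\
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=servers,dc=example,dc=com
objectClass: organizationalUnit
ou: servers

dn: uid=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example

dn: cn=web01,ou=servers,dc=example,dc=com
objectClass: device
cn: web01
"""

SPECIAL = set(',+"\\<>;')  # characters that must be backslash-escaped in RDN values

def parse_dn(dn):
    """Split a DN into (type, value) pairs honouring RFC 4514 escapes; a naive
    dn.split(",") breaks on values such as 'Smith\\, John'. Multi-valued RDNs
    joined with '+' are out of scope here."""
    parts, buf, i = [], bytearray(), 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if dn[i + 1] in hexdigits and i + 2 < len(dn) and dn[i + 2] in hexdigits:
                buf.append(int(dn[i + 1:i + 3], 16))  # \2C -> one raw byte
                i += 3
            else:
                buf.extend(dn[i + 1].encode("utf-8"))  # \, \+ \" and friends
                i += 2
            continue
        if c == ",":
            parts.append(buf.decode("utf-8"))
            buf = bytearray()
        else:
            buf.extend(c.encode("utf-8"))
        i += 1
    parts.append(buf.decode("utf-8"))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        rtype, value = part.split("=", 1)
        rdns.append((rtype.strip().lower(), value))
    return rdns

def join_rdns(rdns):
    """Serialise (type, value) pairs back to a DN string, re-escaping values."""
    return ",".join(t + "=" + "".join("\\" + c if c in SPECIAL else c for c in v) for t, v in rdns)

def normalize_dn(dn):
    return join_rdns(parse_dn(dn))

def parent_dn(dn):
    rdns = parse_dn(dn)
    return join_rdns(rdns[1:]) if len(rdns) > 1 else None

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value' lines
    (no folding, comments or base64 values), keyed by normalised DN."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF record without dn")
        entries[normalize_dn(dn)] = attrs
    return entries

def validate_tree(entries, suffix):
    """Checks a directory server also enforces: every entry lies under the suffix,
    has an existing parent, and carries its naming attribute as a value (RFC 4512
    section 2.3). Comparison here is exact; real servers apply per-attribute
    matching rules (cn is case-insensitive, for instance)."""
    suffix = normalize_dn(suffix)
    problems = [] if suffix in entries else [f"suffix missing: {suffix}"]
    for dn, attrs in entries.items():
        rtype, rvalue = parse_dn(dn)[0]
        if rvalue not in attrs.get(rtype, []):
            problems.append(f"naming attribute {rtype}={rvalue} absent from {dn}")
        if dn == suffix:
            continue
        if not dn.endswith("," + suffix):
            problems.append(f"outside suffix: {dn}")
        elif parent_dn(dn) not in entries:
            problems.append(f"orphan (no parent entry): {dn}")
    return problems
```

Calling `validate_tree(parse_ldif(LDIF_SAMPLE), "dc=example,dc=com")` returns an empty list for the sample; adding an entry under an ou that was never created, or an entry whose uid value does not match its RDN, is reported the same way a real server would refuse the add.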
THE Example
To try creating and hosting an LDAP server, we can use Apache Directory Studio and the Apache Directory Server Docker image. Follow the installation instructions on these pages:
- install Apache Directory Studio https://directory.apache.org/studio/
- openmicroscopy/apacheds https://hub.docker.com/r/openmicroscopy/apacheds