LDAP - Lightweight Directory Access Protocol (Coggle diagram)
What LDAP Is and Why It Exists
• Definition: LDAP is an open, vendor-neutral, standards-based network protocol for accessing and maintaining distributed directory information services over IP networks.
• Origin: Invented at the University of Michigan in 1993 as a lightweight alternative to X.500's DAP (Directory Access Protocol).
• Goal: Provide a fast, hierarchical, read-optimized store for identity-centric data (users, groups, devices, policies).
Core Architectural Concepts
• Directory Information Tree (DIT): Hierarchical namespace similar to a filesystem; nodes are entries.
• Entry: Collection of attributes, uniquely addressed by a Distinguished Name (DN).
• Attribute: Key–value pair; value can be single or multi-valued and typed (string, binary, etc.).
• Object Class: Defines which attributes an entry MUST and MAY contain.
• LDAP Server (Directory System Agent, DSA): The service that answers LDAP requests.
• LDAP Client (Directory User Agent, DUA): Any software issuing LDAP operations (e.g., auth daemon, email client).
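The concepts above (DIT, entry, DN, attribute, object class MUST/MAY) as a small working model, added here as an example; it is not part of the diagram, and the schema is a constructed subset of the standard person classes, not a complete one:

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ObjectClass:          # MUST/MAY attribute rules; the superior's rules are inherited
    must: frozenset
    may: frozenset
    superior: str = ""

# Constructed subset of the standard schema (RFC 4519 / RFC 2798), not a complete one.
SCHEMA = {
    "top": ObjectClass(frozenset({"objectClass"}), frozenset()),
    "person": ObjectClass(frozenset({"sn", "cn"}), frozenset({"userPassword", "description"}), "top"),
    "organizationalPerson": ObjectClass(frozenset(), frozenset({"title", "ou", "l"}), "person"),
    "inetOrgPerson": ObjectClass(frozenset(), frozenset({"mail", "uid", "displayName"}), "organizationalPerson"),
}

def split_dn(dn: str) -> list:
    # Split on unescaped commas only (RFC 4514); str.split(",") breaks 'cn=Doe\, John,ou=...'.
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def parent_dn(dn: str) -> str:
    # The parent node in the DIT is the DN minus its leading RDN.
    return ",".join(split_dn(dn)[1:])

def effective_rules(oc_name: str):
    # Union of MUST/MAY over the class and its superiors, lower-cased (names are case-insensitive).
    must, may = set(), set()
    while oc_name:
        oc = SCHEMA[oc_name]
        must |= {a.lower() for a in oc.must}
        may |= {a.lower() for a in oc.may}
        oc_name = oc.superior
    return must, may

def validate_entry(dn: str, attrs: dict) -> dict:
    # Missing MUST attributes and attributes no object class allows; the RDN's own
    # attribute(s) must also be present in the entry (RFC 4512 section 2.3.1).
    norm = {k.lower(): v for k, v in attrs.items()}
    must, may = set(), set()
    for oc in norm.get("objectclass", []):
        m, y = effective_rules(oc)
        must, may = must | m, may | y
    rdn_attrs = {p.split("=", 1)[0].strip().lower() for p in split_dn(dn)[0].split("+")}
    return {"missing": sorted((must | rdn_attrs) - set(norm)),
            "unknown": sorted(set(norm) - must - may)}

# Constructed sample entries: one well-formed, one violating the schema.
GOOD_DN = "uid=jdoe,ou=People,dc=example,dc=com"
GOOD_ENTRY = {"objectClass": ["top", "inetOrgPerson"], "uid": ["jdoe"], "cn": ["John Doe"], "sn": ["Doe"], "mail": ["jdoe@example.com"]}
BAD_DN = "cn=svc-backup,ou=Services,dc=example,dc=com"
BAD_ENTRY = {"objectClass": ["person"], "cn": ["svc-backup"], "employeeNumber": ["42"]}
```

A real DSA enforces these same MUST/MAY and RDN rules on every add or modify, which is why schema changes are the non-trivial step listed under Limitations.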
Ports
• 389/tcp: Standard LDAP over TCP; cleartext unless the session is upgraded with StartTLS.
• 636/tcp: LDAPS (LDAP over TLS), the legacy "implicit" variant where TLS is negotiated before any LDAP traffic.
Strengths, Limitations & Common Pitfalls
Strengths
• Hierarchy mirrors real-world orgs/domains.
• Excellent read performance and partial-attribute retrieval.
• Mature, ubiquitous, widely supported in OSs and apps.
Limitations
• Write concurrency historically weaker (locking, replication lag).
• Schema evolution is non-trivial.
• No built-in fine-grained transaction semantics beyond a single entry.
• Inefficient for large ad-hoc analytical queries.
Common Pitfalls
• Anonymous binds, or simple binds (password sent in the clear) over a connection without TLS.
• Improper indexing → slow searches.
• Excessive group nesting → huge membership evaluation.
• Mixing authorization data (ACLs) with business data in the same DIT without planning.
• Assuming AD == generic LDAP (Microsoft implements some non-standard behaviors).