While LDAP is a protocol, not a service, it is run by directory services, which are special-purpose databases for storing and organizing information about network resources and users.
LDAP provides the standardized language for clients to communicate with these directory services, allowing for requests to query or modify data.
Here are the most common services that implement and run LDAP:
- Active Directory Domain Services (AD DS): The most popular commercial directory service, developed by Microsoft for Windows environments.
- OpenLDAP: A free, open-source implementation of the LDAP protocol, widely used in Linux and Unix environments.
- Apache Directory Server: A free, open-source LDAP directory server from the Apache Software Foundation.
- Other commercial and open-source directory servers: Many other vendors have developed LDAP-compliant directory services for different use cases and environments.
A deep dive into directory services and LDAP
The directory service concept
To truly understand what runs LDAP, one must first grasp the concept of a directory service. A directory service is a centralized, hierarchical database that stores information about network resources and is optimized for frequent read operations and less frequent write operations. A classic example is a company's phone directory, but for a network, it includes:
- Users: Names, passwords, email addresses, and security permissions.
- Groups: Logical collections of users for assigning shared permissions.
- Computers: Workstations and servers on the network.
- Network resources: Printers, shared folders, and applications.
A directory service brings order and centralized management to a network. Instead of managing permissions on each individual computer, an administrator can manage them all from one central location.
LDAP: The communication protocol
The Lightweight Directory Access Protocol (LDAP) is the "language" used to speak to these directory services. It is a client-server protocol that defines:
- The format of requests: How a client (e.g., an application) asks for information or authenticates a user.
- The structure of data: A hierarchical, tree-like structure called a Directory Information Tree (DIT), which organizes entries by distinguished names (DNs).
- The messaging format: How the directory service responds to the client's request.
LDAP provides a standardized way for any LDAP-enabled application to interact with any LDAP-compliant directory service, regardless of the vendor.
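The DN-based hierarchy described above in working form: an added example (not code from the page) that escapes an attribute value per RFC 4514, splits a DN into its RDNs while honouring escapes, and derives an entry's parent in the DIT. The base `ou=People,dc=example,dc=com` and the user names are constructed sample values.

```python
"""Build and take apart LDAP distinguished names per RFC 4514 (added example)."""

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 section 2.4).
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value):
    """Escape a raw attribute value so it can sit inside one RDN unchanged."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:              # control characters become \XX hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def unescape(value):
    """Reverse escape_rdn_value (hex escapes handled for single-byte characters only)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            nxt = value[i + 1]
            if nxt in _SPECIAL or nxt in " #=":
                out.append(nxt); i += 2
            else:
                out.append(chr(int(value[i + 1:i + 3], 16))); i += 3
            continue
        out.append(value[i]); i += 1
    return "".join(out)

def split_dn(dn):
    """Split a DN into its RDN strings (most specific first), leaving escapes intact."""
    rdns, start, i = [], 0, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2                        # an escaped character can never end an RDN
            continue
        if dn[i] == ",":
            rdns.append(dn[start:i].strip())
            start = i + 1
        i += 1
    rdns.append(dn[start:].strip())
    return rdns

def parent_dn(dn):
    """The entry directly above this one in the DIT (empty string for a root entry)."""
    return ",".join(split_dn(dn)[1:])

def user_dn(username, base="ou=People,dc=example,dc=com"):
    """Compose a bind DN so that any comma in the name stays inside its own RDN."""
    return "cn=%s,%s" % (escape_rdn_value(username), base)
```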
Popular services that run LDAP
Microsoft Active Directory Domain Services (AD DS)
Active Directory is the most well-known and widely used directory service, especially in corporate Windows environments.
- The core service: The component that actually runs on Windows Server is Active Directory Domain Services (AD DS). A server running this service is called a Domain Controller.
- How it uses LDAP: LDAP is the primary protocol that applications and clients use to query and modify objects (users, groups, etc.) in the Active Directory database. While AD uses other protocols like Kerberos, LDAP is central to its operation.
- Active Directory Lightweight Directory Services (AD LDS): Microsoft also offers a version of its directory service that is not tied to a domain, specifically for directory-enabled applications. It is an independent LDAP server that can run on any Windows device.
OpenLDAP
OpenLDAP is the most popular open-source implementation of the LDAP protocol and is a staple in Linux and Unix environments.
- The daemon: The service that runs the OpenLDAP server is a daemon called slapd (Standalone LDAP Daemon).
- Components: The OpenLDAP software suite includes the server (slapd), client tools, and utilities. It offers a high degree of customization and flexibility but lacks the graphical user interface (GUI) of commercial products.
Apache Directory Server
This is another robust, open-source LDAP solution from the Apache Software Foundation, often used in conjunction with other Apache projects. It is written in Java and provides a full-featured directory service.
Cloud-based LDAP services
As organizations migrate to the cloud, the need for directory services has evolved.
- JumpCloud: Provides a Cloud Directory Platform that includes LDAP-as-a-Service (LDAP-aaS). This allows for a cloud-hosted LDAP server without the need for on-premise infrastructure.
- Azure Active Directory Domain Services (AAD DS): A paid add-on to Azure Active Directory (which doesn't natively use LDAP) that provides managed domain services, including support for legacy LDAP-based applications.
The LDAP client-server model
To illustrate how this all works, let's examine the client-server interaction in more detail.
- A client request: A user wants to log in to an application. The application is configured to use LDAP for authentication. It sends an LDAP bind request to the directory server carrying the user's distinguished name (DN) and password.
- The directory server's action: The directory server (e.g., Active Directory or OpenLDAP) receives the request. It checks its database for the user's DN and validates the provided password.
- The server's response:
  - Success: If the credentials are valid, the server sends a successful response to the application. The application can then grant the user access.
  - Failure: If the authentication fails, the server sends an error message, and the application denies access.
- Querying other data: The application can make other LDAP queries to the server to retrieve more information about the user, such as their group memberships or other attributes, to determine their authorization levels.
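The bind exchange above at the byte level, as an added example that is not part of the original page: it encodes an LDAPv3 simple BindRequest and decodes the BindResponse using the BER tags from RFC 4511, with only the standard library. The DN, password and result texts are constructed sample values; the point a defender should take from it is that a simple bind carries the password as plain octets, so the connection must be protected by TLS (LDAPS or StartTLS).

```python
"""Encode an LDAPv3 simple BindRequest and decode a BindResponse (RFC 4511 section 4.2)."""

def ber_len(n):
    """BER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    auth = tlv(0x80, password.encode())                          # [0] simple: plain octets
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth)   # [APPLICATION 0] SEQUENCE
    return tlv(0x30, ber_int(message_id) + op)

def bind_response(message_id, result_code, diagnostic=""):
    """Server side: [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }."""
    result = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                            # long-form length
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg):
    _, body, _ = read_tlv(msg, 0)
    _, mid, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {"messageID": int.from_bytes(mid, "big", signed=True), "resultCode": code[0],
            "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}

RESULT_CODES = {0: "success", 49: "invalidCredentials"}   # the two outcomes of the flow above

if __name__ == "__main__":
    # Constructed sample values; the password is visible verbatim in the request bytes.
    pkt = bind_request(1, "cn=alice,ou=People,dc=example,dc=com", "s3cret")
    print(pkt.hex(), b"s3cret" in pkt)
    print(parse_bind_response(bind_response(1, 49, "invalid credentials")))
```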
The fundamental difference: Protocol vs. service
The key takeaway is that LDAP is not a service or application itself, but a protocol that enables directory services to function. The directory services are the actual applications that run on a server, manage the data, and respond to LDAP requests. The distinction is crucial for understanding how network authentication and resource management operate in a centralized manner.