Architecture

Lightweight Directory Access Protocol (LDAP)

LDAP is the open, decades-old protocol for querying and modifying directory services — used most famously by Microsoft Active Directory and OpenLDAP — and still the backbone of authentication for Linux servers, network gear, legacy apps, and on-prem infrastructure.

Last reviewed 5/30/2026

Key points

  • LDAP defines a tree-structured directory (DN, OU, CN) and operations: bind, search, add, modify, delete.
  • Most enterprise environments still authenticate against LDAP/AD for switches, jump hosts, legacy apps, and Linux PAM.
  • Modern cloud IdPs expose LDAP endpoints (Okta LDAP Interface, JumpCloud LDAP, and Microsoft Entra Domain Services alongside Entra ID) so legacy apps that can't speak SAML/OIDC can still authenticate.
  • LDAP bind = authentication; LDAP search = directory query. Don't use plain LDAP without LDAPS / StartTLS.
  • Active Directory is LDAP + Kerberos + DNS + a ton of Microsoft-specific extensions.

What is LDAP?

The Lightweight Directory Access Protocol (LDAP) is the standard protocol for talking to a directory service — a database optimized for read-heavy, hierarchical lookups of people, groups, devices, and configuration. It's been the lingua franca of enterprise identity since the 1990s and isn't going anywhere.

What LDAP looks like

A directory is a tree. Each entry has a Distinguished Name (DN) like:

`cn=alice,ou=engineering,dc=acme,dc=com`

Operations:

  • Bind — authenticate a client (often with a password).
  • Search — query with filters like (&(objectClass=user)(memberOf=cn=admins,...)).
  • Add / Modify / Delete — manage entries.
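As an added example (not code from the original page), the following is a minimal evaluator for the LDAP search-filter syntax described above (an RFC 4515 subset: &, |, !, equality and presence tests) run over a small in-memory directory, together with the value escaping a client must apply before splicing user input into a filter. The directory entries, the `search` helper and the `lookup_user_*` functions are constructed for this demo and are not any library's API.

```python
"""
Added example, not code from the original page: a minimal evaluator for the
LDAP search-filter syntax (RFC 4515 subset: &, |, !, equality, presence) run
over a constructed in-memory directory, plus the escaping a client must apply
before splicing user input into a filter. Entry data below is made up.
"""
import re

# Constructed sample directory: DN -> attributes (multi-valued).
DIRECTORY = {
    "cn=alice,ou=engineering,dc=acme,dc=com": {
        "objectClass": ["user"], "uid": ["alice"],
        "memberOf": ["cn=admins,ou=groups,dc=acme,dc=com"]},
    "cn=bob,ou=engineering,dc=acme,dc=com": {
        "objectClass": ["user"], "uid": ["bob"],
        "memberOf": ["cn=devs,ou=groups,dc=acme,dc=com"]},
    "cn=svc-ldap,ou=services,dc=acme,dc=com": {
        "objectClass": ["user"], "uid": ["svc-ldap"], "memberOf": []},
}

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text: str):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, raw_value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after filter at offset {pos}")
    return node

def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")" or not children:
            raise ValueError(f"malformed '{op}' filter at offset {pos}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), pos + 1
    end = text.find(")", pos)          # a literal ')' inside a value must be \29
    if end == -1:
        raise ValueError("unterminated filter item")
    attr, sep, raw = text[pos:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"bad filter item {text[pos:end]!r}")
    if "*" in raw and raw != "*":
        raise ValueError("substring filters are outside this demo's subset")
    return ("=", attr, raw), end + 1

def matches(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, raw = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if raw == "*":                                  # presence test
        return bool(values)
    wanted = _unescape(raw).lower()                 # '\2a' here is a literal '*'
    return any(wanted == v.lower() for v in values)

def search(filter_text: str, directory=DIRECTORY):
    """Return the DNs matching filter_text, like a subtree search at the suffix."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(node, entry))

def lookup_user_unsafe(uid: str):
    # VULNERABLE: caller input is spliced into the filter verbatim.
    return search(f"(&(objectClass=user)(uid={uid}))")

def lookup_user_safe(uid: str):
    # Hardened: the value is escaped, so '*' or ')' cannot change the filter.
    return search(f"(&(objectClass=user)(uid={escape_filter_value(uid)}))")

if __name__ == "__main__":
    print(search("(&(objectClass=user)(memberOf=cn=admins,ou=groups,dc=acme,dc=com))"))
    print(lookup_user_unsafe("*"))   # every user: wildcard injection
    print(lookup_user_safe("*"))     # []: a literal asterisk matches no uid
```

The point of the two `lookup_user_*` variants is the classic LDAP injection: with the unescaped version a uid of `*` turns the equality test into a presence test and the query returns every user, whereas the escaped `\2a` is compared as a literal asterisk and matches nothing. Real clients should use their LDAP library's escaping function rather than hand-rolling one; the table here exists only to make the rule visible.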

Where it still lives

  • Active Directory — Microsoft's directory, accessed over LDAP/LDAPS, layered with Kerberos for SSO.
  • OpenLDAP, 389 Directory Server, FreeIPA — open-source AD alternatives.
  • Linux PAM — nss-pam-ldapd (or SSSD) so server logins authenticate against AD or another LDAP directory.
  • Network gear — switches, firewalls, VPN concentrators all support LDAP auth.
  • Legacy apps — anything older than ~2010 that doesn't speak SAML/OIDC usually speaks LDAP.

LDAP today

Modern cloud IdPs offer LDAP interfaces (Okta LDAP Interface, JumpCloud LDAP-as-a-Service, Entra Domain Services) precisely so legacy apps can keep working while user lifecycle moves to the cloud.

Security must-haves

  • LDAPS or StartTLS — never a simple bind over plain LDAP, which sends the password in cleartext. Microsoft is gradually enforcing LDAP signing and channel binding on domain controllers.
  • Service accounts with read-only scope — apps that query LDAP shouldn't have write.
  • No anonymous binds for sensitive trees.
  • Monitor LDAP queries — recon tools (BloodHound) abuse LDAP read access; ITDR/AD tools detect anomalous patterns.
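To make the last point concrete, here is an added example (not from the original page, and not any ITDR product's logic) that reads OpenLDAP slapd "stats"-level log lines and flags connections whose search pattern looks like directory-wide enumeration: subtree searches at the directory suffix, wildcard objectClass filters, and large total result counts. The log lines, the suffix `dc=acme,dc=com`, and the thresholds are all constructed or assumed for the demo.

```python
"""
Added example (not from the original page): a small detector over OpenLDAP
slapd "stats" log lines that flags connections whose search volume looks like
directory-wide enumeration. Log lines, suffix and thresholds are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log in slapd loglevel "stats" format. Not real data.
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:636)
conn=1001 op=0 BIND dn="cn=svc-app,ou=services,dc=acme,dc=com" method=128
conn=1001 op=1 SRCH base="ou=people,dc=acme,dc=com" scope=1 deref=0 filter="(uid=alice)"
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1002 fd=14 ACCEPT from IP=10.0.0.77:40012 (IP=0.0.0.0:636)
conn=1002 op=0 BIND dn="cn=bob,ou=people,dc=acme,dc=com" method=128
conn=1002 op=1 SRCH base="dc=acme,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=4821 text=
conn=1002 op=2 SRCH base="dc=acme,dc=com" scope=2 deref=0 filter="(objectClass=group)"
conn=1002 op=2 SEARCH RESULT tag=101 err=0 nentries=612 text=
conn=1002 op=3 SRCH base="dc=acme,dc=com" scope=2 deref=0 filter="(objectClass=computer)"
conn=1002 op=3 SEARCH RESULT tag=101 err=0 nentries=1390 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=\d+ SEARCH RESULT tag=101 err=\d+ nentries=(\d+)")

def summarize(log_text: str, suffix: str = "dc=acme,dc=com") -> dict:
    """Aggregate per-connection search activity. suffix is the directory root (assumed)."""
    conns = defaultdict(lambda: {"ip": None, "bind_dn": "(anonymous)", "searches": 0,
                                 "entries": 0, "suffix_subtree_filters": []})
    for line in log_text.splitlines():
        if m := ACCEPT_RE.match(line):
            conns[m[1]]["ip"] = m[2]
        elif m := BIND_RE.match(line):
            conns[m[1]]["bind_dn"] = m[2]
        elif m := SRCH_RE.match(line):
            c = conns[m[1]]
            c["searches"] += 1
            if m[3] == "2" and m[2].lower() == suffix.lower():   # scope=2 is subtree
                c["suffix_subtree_filters"].append(m[4])
        elif m := RESULT_RE.match(line):
            conns[m[1]]["entries"] += int(m[2])
    return dict(conns)

def flag_recon(conns: dict, max_entries: int = 1000, max_suffix_subtree: int = 2) -> list:
    """Return alerts for connections that exceed the (assumed) enumeration thresholds."""
    alerts = []
    for cid, c in sorted(conns.items()):
        reasons = []
        if c["entries"] >= max_entries:
            reasons.append(f"{c['entries']} entries returned")
        if len(c["suffix_subtree_filters"]) >= max_suffix_subtree:
            reasons.append(f"{len(c['suffix_subtree_filters'])} subtree searches at the suffix")
        if "(objectClass=*)" in c["suffix_subtree_filters"]:
            reasons.append("wildcard objectClass filter at the suffix")
        if reasons:
            alerts.append({"conn": cid, "ip": c["ip"], "bind_dn": c["bind_dn"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_recon(summarize(SAMPLE_LOG)):
        print(f"conn={alert['conn']} {alert['ip']} as {alert['bind_dn']}: " + "; ".join(alert["reasons"]))
```

In the constructed log, conn 1001 is an application doing a one-level lookup of a single uid and is left alone, while conn 1002 walks the whole suffix three times and pulls thousands of entries, which is the shape of a BloodHound-style collection run. Thresholds need tuning per environment: backup jobs, HR sync connectors and monitoring agents legitimately enumerate the directory, so the bind DN and source IP in each alert are what let an analyst allow-list them.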

Editorial note

If you're cloud-only and greenfield, you probably don't need LDAP — modern apps speak SAML/OIDC. If you have any on-prem infrastructure (switches, jump hosts, legacy apps), LDAP is unavoidable, and the question is whether to keep AD or replace it with a cloud LDAP interface.

Standards & references