🔐 LDAP Learning Center

What is LDAP?

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral protocol used to access and maintain distributed directory information services over an IP network. Think of it as a specialized database optimized for reading user accounts, groups, and organizational data.

🔑 Key fact: LDAP runs on TCP/UDP port 389 (plaintext) and port 636 for LDAPS (SSL/TLS encrypted). It was standardized as RFC 4511.

Why Do We Need LDAP?

Organizations need a centralized way to store and retrieve information about users, computers, printers, and policies. LDAP provides a lightweight, standardized way to do this — powering Active Directory, OpenLDAP, and countless authentication systems.

🏢

Centralized Auth

One place to manage all user credentials and access rights

⚡

Fast Reads

Optimized for millions of read queries; ideal for authentication

🌐

Open Standard

Vendor-neutral RFC standard supported by every major OS

🔒

Secure (LDAPS)

Supports TLS encryption and SASL authentication

📁

Hierarchical

Tree structure mirrors real-world organizational charts

🔗

Integration

Used by AD, Linux PAM, web apps, VPNs, and more

Common LDAP Implementations

Product	Vendor	Use Case
Active Directory	Microsoft	Enterprise Windows environments
OpenLDAP	Open Source	Linux/Unix directory services
389 Directory Server	Red Hat	Enterprise Linux environments
Oracle Internet Directory	Oracle	Oracle middleware stack
ApacheDS	Apache	Java-based embedded LDAP

How LDAP Works

LDAP follows a client-server model. The client sends operations (bind, search, modify, add, delete) and the server responds. Every session begins with authentication (bind) and ends with an unbind.

LDAP Session Flow

1. ConnectTCP to port 389/636

→

2. BindAuthenticate to server

→

3. OperationSearch / Add / Modify

→

4. ResponseServer returns result

→

5. UnbindEnd the session

LDAP Operations

Operation	Code	Description
Bind	0	Authenticate (Simple or SASL) — starts a session
Unbind	2	Terminate the session gracefully
Search	3	Query the directory with filters and scope
Modify	6	Add, delete, or replace attribute values
Add	8	Add a new entry to the directory
Delete	10	Remove an entry from the directory
ModifyDN	12	Rename or move an entry
Compare	14	Test whether an attribute value exists
Abandon	16	Cancel a previously sent request

Bind Types

👤

Anonymous Bind

No credentials — read-only access to public directory info. Common for lookups.

🔑

Simple Bind

DN + password in plaintext. Must use LDAPS/TLS to protect credentials.

🛡️

SASL Bind

Kerberos, DIGEST-MD5, or GSSAPI. Most secure — used in enterprise AD.

⚠️ Security Note: Simple bind over plain LDAP (port 389) sends credentials in cleartext. Always use LDAPS (port 636) or STARTTLS to encrypt credentials in transit.

Search Scope

Scope	Meaning
baseObject	Only the base DN entry itself
singleLevel	Direct children of the base DN (one level down)
wholeSubtree	Base DN and all descendants — most common

Directory Structure

LDAP organizes information in a Directory Information Tree (DIT) — a hierarchical structure similar to a file system. Each node is an entry identified by a Distinguished Name (DN).

Distinguished Name (DN)

A DN is the unique identifier for an entry, reading from specific (left) to general (right):

cn=John Smith

,

ou=Users

,

ou=IT

,

dc=example

,

dc=com

DN Component Types (RDN)

Abbreviation	Full Name	Example
cn	Common Name	cn=John Smith
sn	Surname	sn=Smith
ou	Organizational Unit	ou=Engineering
o	Organization	o=Acme Corp
dc	Domain Component	dc=example
uid	User ID	uid=jsmith
c	Country	c=US

Example Directory Tree

dc=example,dc=com (Root) ├── ou=Users │ ├── cn=Alice Johnson → uid=ajohnson, mail=alice@example.com │ ├── cn=Bob Martinez → uid=bmartinez, mail=bob@example.com │ └── cn=Carol White → uid=cwhite, mail=carol@example.com ├── ou=Groups │ ├── cn=IT-Admins → member: cn=Alice Johnson,... │ └── cn=HR-Staff → member: cn=Carol White,... ├── ou=Computers │ ├── cn=WS001 → operatingSystem: Windows 11 │ └── cn=SRV-DC01 → operatingSystem: Windows Server 2022 └── ou=ServiceAccounts └── cn=svc-backup → uid=svcbackup

Common LDAP Attributes

Attribute	OID Short	Description
objectClass	2.5.4.*	Defines schema rules for the entry (e.g., inetOrgPerson)
uid	0.9.2342…	User login name
cn	2.5.4.3	Common name (display name)
sn	2.5.4.4	Surname / family name
mail	0.9.2342…	Email address
userPassword	2.5.4.35	Hashed password (SSHA, bcrypt, etc.)
telephoneNumber	2.5.4.20	Phone number
memberOf	—	Groups this entry belongs to
givenName	2.5.4.42	First name
title	2.5.4.12	Job title

Object Classes

Every LDAP entry must have an objectClass that defines which attributes are required and permitted:

👤

inetOrgPerson

Standard user account — includes uid, mail, cn, sn

👥

groupOfNames

Group entry containing a list of member DNs

🖥️

device

Represents computers, printers, and network devices

🏢

organization

Top-level org entry with the 'o' attribute required

LDAP Message Format

LDAP messages are encoded using ASN.1 BER (Basic Encoding Rules). Every message — request or response — wraps in a common envelope called the LDAPMessage.

LDAPMessage Envelope

Tag (SEQUENCE)

Length

messageID (Integer)

protocolOp (Operation)

controls (Optional)

Search Request — protocolOp breakdown:

baseObject (DN)

scope (0/1/2)

derefAliases

sizeLimit

timeLimit

filter

attributes

Field Descriptions

Field	Description
messageID	Unique integer to match requests with asynchronous responses (1–2,147,483,647)
protocolOp	The actual LDAP operation (e.g., SearchRequest, BindRequest, SearchResultEntry)
controls	Optional extensions — paging, sort, LDAP transactions, etc.
baseObject	The DN where the search starts (e.g., dc=example,dc=com)
scope	0=baseObject, 1=singleLevel, 2=wholeSubtree
derefAliases	How to handle alias entries (never, inSearching, findingBaseObj, always)
sizeLimit	Max number of entries to return (0=no limit)
timeLimit	Max seconds to execute (0=no limit)
filter	Boolean expression selecting which entries to return
attributes	List of attribute types to return (empty = return all)

LDAP Result Codes

Code	Name	Meaning
0	success	Operation completed successfully
1	operationsError	Server encountered an internal processing error
2	protocolError	Malformed request sent by client
3	timeLimitExceeded	Operation exceeded the time limit
4	sizeLimitExceeded	More results exist than the size limit allows
10	referral	Server cannot handle request; refers to another server
32	noSuchObject	The target DN does not exist
34	invalidDNSyntax	The provided DN is malformed
49	invalidCredentials	Wrong password / bad credentials (auth failure)
50	insufficientAccessRights	Caller lacks permission for the operation
53	unwillingToPerform	Server refuses (e.g., password policy)

LDAP Filter Syntax

Search filters use prefix (Polish) notation wrapped in parentheses:

Filter	Example	Meaning
Equality	(cn=Alice)	cn equals "Alice"
Substring	(mail=*@example.com)	mail ends with @example.com
Present	(telephoneNumber=*)	telephoneNumber attribute exists
AND	(&(uid=jsmith)(objectClass=person))	Both conditions true
OR	(\|(cn=Alice)(cn=Bob))	Either condition true
NOT	(!(accountLocked=TRUE))	Condition is false
Approx	(cn~=Alyss)	Approximately equal (soundex)
Greater/Less	(uidNumber>=1000)	Numeric/lexicographic comparison

LDAP Query Builder

Build and simulate LDAP search queries interactively. Construct a filter and see the generated query string plus a simulated response.

🔧 Build a Search Filter

Base DN Scope Filter Type

Attribute Value

Return Attributes (comma-separated, blank = all) Generated LDAP Filter Preview

(objectClass=inetOrgPerson)

📝 LDIF Entry Creator

LDIF (LDAP Data Interchange Format) is the standard text format for importing/exporting LDAP entries.

Common Name (cn) User ID (uid) Email Department (ou) Phone

LDAP Knowledge Quiz

Test your understanding of LDAP concepts!

10 questions covering LDAP fundamentals, message format, directory structure, and security.