What is LDAP (Lightweight Directory Access Protocol)?
Learn what LDAP is, how its directory tree and DNs work, and why it powers centralized authentication — with interview Q&A.
Expected Interview Answer
LDAP (Lightweight Directory Access Protocol) is an application-layer protocol, typically running on TCP port 389 (or 636 for LDAPS), used to query and modify hierarchical directory information such as users, groups, and organizational structure stored in a directory server.
LDAP organizes data as a tree of entries, each identified by a Distinguished Name (DN) built from attributes like organizational unit and common name, similar to a filesystem path but describing organizational or identity data instead of files. Clients send LDAP operations — bind (authenticate), search, compare, add, modify, delete — to a directory server such as Microsoft Active Directory, OpenLDAP, or a cloud directory service, which returns matching entries or confirms the operation. Its most common real-world use is centralized authentication and authorization: instead of every application maintaining its own user database, applications bind to LDAP to verify credentials and look up group membership, giving organizations a single source of truth for identity. Because a plain LDAP bind can send credentials with weak or no protection, production deployments almost always use LDAPS (LDAP over TLS) or STARTTLS to encrypt the connection, much like the shift from Telnet to SSH.
- Centralizes user, group, and organizational identity data
- Provides a standard query language/protocol across vendors
- Enables single-sign-on-style authentication for many applications
- Structures data hierarchically for efficient organizational lookups
AI Mentor Explanation
LDAP is like a national cricket board’s central player registry, organized by country, then state association, then club, then individual player — a selector can query the exact path "country=India, state=Karnataka, club=Bangalore, player=Kohli" and get back verified eligibility details instantly instead of every club keeping its own separate paper records. Any tournament organizer can bind into this registry, confirm a player’s identity, and check which squads they belong to. That single, hierarchical, queryable source of truth is exactly what LDAP provides for identity data.
Step-by-Step Explanation
Step 1
Bind
The client authenticates to the LDAP directory server, ideally over an encrypted LDAPS/STARTTLS connection.
Step 2
Search
The client sends a search request with a base DN, scope, and filter to locate matching entries.
Step 3
Server lookup
The directory server traverses its hierarchical tree of entries to find matches.
Step 4
Result return
Matching entries and their attributes are returned to the client for authentication or authorization decisions.
What Interviewer Expects
- Correctly describes LDAP as a hierarchical directory access protocol
- Explains the Distinguished Name / tree structure concept
- Names centralized authentication/authorization as the primary use case
- Knows to use LDAPS/STARTTLS instead of unencrypted LDAP binds
Common Mistakes
- Confusing LDAP with a general-purpose relational database protocol
- Not knowing LDAP entries are organized by Distinguished Name in a tree
- Forgetting that plain LDAP binds can expose credentials without TLS
- Assuming LDAP and Active Directory are the same thing rather than AD implementing LDAP
Best Answer (HR Friendly)
“LDAP is the protocol behind a company’s central directory of users, groups, and permissions — think of it as the shared address book that every internal application checks to verify who you are and what you are allowed to access, instead of each app keeping its own separate login list. It is the technology underneath a lot of corporate single sign-on setups.”
Code Example
# Search a directory for a user entry over LDAPS (encrypted)
ldapsearch -H ldaps://directory.example.com:636 \
-D "cn=admin,dc=example,dc=com" -W \
-b "dc=example,dc=com" "(uid=jsmith)"
# Example result excerpt:
# dn: uid=jsmith,ou=People,dc=example,dc=com
# cn: Jane Smith
# memberOf: cn=engineering,ou=Groups,dc=example,dc=comFollow-up Questions
- What is a Distinguished Name (DN) in LDAP?
- How does LDAPS differ from plain LDAP?
- How is Active Directory related to LDAP?
- How does an application typically use LDAP for single sign-on?
MCQ Practice
1. What port does encrypted LDAP (LDAPS) typically use?
LDAPS (LDAP over TLS) typically listens on TCP port 636, while plain LDAP uses 389.
2. How is data organized within an LDAP directory?
LDAP organizes entries in a hierarchical tree, each addressed by a unique Distinguished Name.
3. What is the most common real-world use of LDAP?
LDAP is most commonly used to centralize user authentication and group-based authorization across applications.
Flash Cards
What is LDAP? — An application-layer protocol for querying and modifying hierarchical directory data such as users and groups.
What is a DN? — A Distinguished Name — the unique path-like identifier for an entry in the LDAP tree.
Default LDAP ports? — TCP 389 for plain LDAP, TCP 636 for encrypted LDAPS.
Primary LDAP use case? — Centralized authentication and authorization across applications.