To explain what LDAP is in Active Directory, the role it plays and what it actually does, I first have to start with a short description of LDAP itself.


LDAP stands for Lightweight Directory Access Protocol. It is a client-server application protocol for reading and writing a directory service over the network: a client sends requests (bind, search, add, modify, delete) and the server answers with entries and result codes. What it exposes is a tree of entries (people, groups, computers, services) with named attributes, not a share of files. Directory servers usually replicate that content among several servers so that a large number of devices on the network can read it, but replication is the server product's own job; LDAP is the access protocol. LDAP descends from the older X.500 Directory Access Protocol (DAP); the "lightweight" part means it runs directly over TCP/IP instead of the full OSI protocol stack and represents most attribute values as plain strings. Being simpler does not by itself make it less secure, but LDAP has no encryption of its own: a plain connection on port 389 carries requests, results and simple-bind passwords in the clear unless it is protected by TLS (LDAPS, or StartTLS on the same port) or by SASL signing and sealing.

Like any other application-layer protocol, LDAP defines the messages that go over the wire and what they mean (the ASN.1/BER structure of a bind request, a search request and so on); it does not dictate how the client or the server is built internally, how the server stores its data, or how the lower network layers move the bytes.

LDAP relies on the lower-layer protocols (network interface, Internet, transport) for addressing, flow of data on the network and error checking, while it only provides the common language that programs (clients) and servers use to talk. Some directory products also use LDAP between servers, for example for replication and synchronization; Active Directory does not, its domain controllers replicate through their own RPC-based replication protocol.

Active Directory

Active Directory is a directory service. It is not an implementation of LDAP as such, but a Microsoft directory database that exposes its content through an LDAP interface and answers LDAP requests.
Active Directory supports LDAP version 3 (version 2 only for compatibility with old clients). It also makes use of Kerberos (a network authentication protocol that lets users and computers prove their identity to each other over an untrusted network) and, last but not least, of DNS, which clients use to locate a domain controller through the SRV records every domain controller registers.

There are other vendors whose products support LDAP and use it as the language of their directory services, for example Sun, IBM and Novell, and the list could go on.

Active Directory can be seen as a library or an address book that is easy to keep up to date, containing contact and related information about people and their accounts, computers and devices, and that can be read by everyone with the rights to do so.

Active Directory can also store organizational units, people, groups, computers, certificates, printers, shared folders, devices and other network resources, and it supports single sign-on: a user authenticates once to the domain and can then reach many different resources without entering the password again.

LDAP in Active Directory lets you query the directory without knowing which domain controller you are talking to, its IP address, hostname or location; the client finds a server through DNS and the whole thing is transparent to the user. As an administrator you should of course know these details in order to manage the directory, but an ordinary domain user who is allowed to install the Administrative Tools can open Active Directory Users and Computers and browse the directory, and every container they expand is in fact an LDAP search answered by a domain controller. This works because, by default, any authenticated user can read most attributes of most objects in the domain, which is worth keeping in mind when you decide what to store in the directory.

LDAP servers are also known as Directory System Agents (DSA); in Active Directory the DSA is the service running on each domain controller. The directory can serve as the backbone for looking up people, computers and devices inside a network, for example in a multinational company, and email clients such as Microsoft Outlook and Netscape Communicator can use it to look up and address mail recipients.

LDAP clients connect to the DSA on TCP port 389 by default. The TLS-wrapped variant, LDAPS, uses TCP 636, and Active Directory additionally answers Global Catalog queries (a partial, forest-wide replica) on TCP 3268 and 3269.
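To show what such a query actually looks like on the wire, here is an added example; it is not code from the original article or from any LDAP library. The Python below builds LDAPv3 BindRequest and SearchRequest messages as the BER bytes a client writes to TCP port 389 (RFC 4511), with a parser for the string filter syntax (RFC 4515) and the escaping that must be applied to a user-supplied value before it is spliced into a filter. The base DN DC=corp,DC=example, the account names and the hostile input are constructed for the example.

```python
"""Hand-built LDAPv3 messages (RFC 4511) as the raw BER bytes a client writes
to TCP/389. Constructed example; nothing here talks to a server."""


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0A) in minimal two's-complement octets."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_octets(data: bytes) -> bytes:
    return tlv(0x04, data)


def ber_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value that comes from untrusted input.
    Without it, '*', '(', ')' and '\\' let the caller rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> bytes:
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":                      # \XX hex escape
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out += value[i].encode()
            i += 1
    return bytes(out)


def _parse_filter(s: str, pos: int):
    """Parse one parenthesised filter at s[pos]; return (ber, next_pos).
    Handles &, |, ! (child count not validated), equality, presence, substrings."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if s[pos] in "&|!":
        tag = {"&": 0xA0, "|": 0xA1, "!": 0xA2}[s[pos]]
        pos += 1
        parts = []
        while s[pos] == "(":
            part, pos = _parse_filter(s, pos)
            parts.append(part)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return tlv(tag, b"".join(parts)), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    desc = ber_octets(attr.encode())
    if value == "*":                                   # present [7], primitive
        return tlv(0x87, attr.encode()), end + 1
    if "*" in value:                                   # substrings [4]
        chunks = value.split("*")
        subs = tlv(0x80, _unescape(chunks[0])) if chunks[0] else b""       # initial [0]
        for any_part in chunks[1:-1]:
            if any_part:
                subs += tlv(0x81, _unescape(any_part))                     # any [1]
        if chunks[-1]:
            subs += tlv(0x82, _unescape(chunks[-1]))                       # final [2]
        return tlv(0xA4, desc + ber_seq(subs)), end + 1
    return tlv(0xA3, desc + ber_octets(_unescape(value))), end + 1         # equalityMatch [3]


def ldap_filter(s: str) -> bytes:
    ber, pos = _parse_filter(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return ber


def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """BindRequest [APPLICATION 0] with simple authentication. Empty DN and
    password is an anonymous bind; otherwise the password is in the packet as-is."""
    body = ber_int(3) + ber_octets(dn.encode()) + tlv(0x80, password.encode())
    return ber_seq(ber_int(msg_id), tlv(0x60, body))


SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = 0, 1, 2


def search_request(msg_id, base_dn, filt, attrs=(), scope=SCOPE_SUB,
                   size_limit=0, time_limit=0) -> bytes:
    """SearchRequest [APPLICATION 3]; derefAliases fixed to neverDerefAliases (0)."""
    body = (ber_octets(base_dn.encode()) + ber_int(scope, 0x0A) + ber_int(0, 0x0A)
            + ber_int(size_limit) + ber_int(time_limit) + tlv(0x01, b"\x00")  # typesOnly FALSE
            + ldap_filter(filt) + ber_seq(*(ber_octets(a.encode()) for a in attrs)))
    return ber_seq(ber_int(msg_id), tlv(0x63, body))


if __name__ == "__main__":
    print(bind_request(1).hex())          # anonymous bind: 300c020101600702010304008000
    hostile = "*)(objectClass=*"          # constructed hostile input for a username field
    print(ldap_filter(f"(sAMAccountName={escape_filter_value(hostile)})").hex())
    print(search_request(2, "DC=corp,DC=example", "(objectClass=*)", ["cn"], SCOPE_BASE).hex())
```

Written to a socket connected to port 389, the output of bind_request() and search_request() is answered by the domain controller with BindResponse and SearchResultEntry messages in the same encoding. The escaping matters whenever a filter is assembled from user input: without it the value *)(objectClass=* turns an equality test on one account name into additional filter terms that the server happily evaluates.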

If you want to know every little detail about LDAP, from the actual exchange between an LDAP client and an LDAP server to the operations LDAP defines and much more, all of it is covered here:

A few more things are worth saying about LDAP. When an email client such as Microsoft Outlook uses LDAP, it normally only reads from the directory (address-book lookups) and never writes to it. Clients that write or update directory entries are fewer, and in practice they are the ones that offer at least a TLS-protected connection (LDAPS or StartTLS), because a change has to be made as an authenticated user and LDAP itself does not encrypt anything: a simple bind on a plain port-389 connection puts the account's DN and password on the wire in clear text, readable by anyone on the path. The same applies to a read-only lookup made with a simple bind, so the requirement is really about the connection, not about who writes. On Active Directory the administrator can go further and require LDAP signing on the domain controllers, which makes them reject simple binds that arrive over an unencrypted connection.
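To make that concrete, here is an added example that is not part of the original article: a small decoder that walks a constructed capture of the client side of a plain TCP/389 session and reports what each BindRequest carried. The CAPTURE bytes are hand-built for the example (an anonymous bind, a simple bind for an invented service account and password, a SASL bind with a made-up token, and an unbind); they are not a real trace, and the DN, password and token are assumptions.

```python
"""Audit a captured client->server LDAP byte stream for credentials sent in the
clear. Constructed example: CAPTURE is hand-built, not a real packet trace."""

# Four LDAPMessages back to back, as a client would write them to TCP/389:
#   msg 1: anonymous simple bind (empty DN, empty password)
#   msg 2: simple bind for an invented service account, password included
#   msg 3: SASL bind (GSS-SPNEGO) with an invented 4-byte token
#   msg 4: UnbindRequest [APPLICATION 2]
CAPTURE = (
    bytes.fromhex("300c020101600702010304008000")
    + b"\x30\x40\x02\x01\x02\x60\x3b\x02\x01\x03"
    + b"\x04\x29CN=svc-backup,CN=Users,DC=corp,DC=example"
    + b"\x80\x0bWinter2024!"
    + b"\x30\x1e\x02\x01\x03\x60\x19\x02\x01\x03\x04\x00"
    + b"\xa3\x12\x04\x0aGSS-SPNEGO\x04\x04\xde\xad\xbe\xef"
    + b"\x30\x05\x02\x01\x04\x42\x00"
)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N then N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes):
    """Split the content of a constructed element into (tag, content) members."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


def _int(body: bytes) -> int:
    return int.from_bytes(body, "big", signed=True)


def audit_binds(stream: bytes):
    """Walk concatenated LDAPMessages and return one record per BindRequest."""
    records, pos = [], 0
    while pos < len(stream):
        tag, content, pos = _read_tlv(stream, pos)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage SEQUENCE")
        (_, msg_id), (op_tag, op_body) = _children(content)[:2]   # trailing controls ignored
        if op_tag != 0x60:                  # only BindRequest [APPLICATION 0] matters here
            continue
        (_, version), (_, name), (auth_tag, auth) = _children(op_body)[:3]
        rec = {"msg_id": _int(msg_id), "version": _int(version), "dn": name.decode(),
               "cleartext_password": None, "mechanism": None}
        if auth_tag == 0x80:                # simple [0]: the password octets exactly as sent
            rec["cleartext_password"] = auth.decode(errors="replace")
        elif auth_tag == 0xA3:              # sasl [3]: mechanism name, then opaque credentials
            rec["mechanism"] = _children(auth)[0][1].decode()
        records.append(rec)
    return records


def exposed_credentials(stream: bytes):
    """(dn, password) for every non-anonymous simple bind in the stream: exactly
    what a passive observer of an unencrypted port-389 session learns."""
    return [(r["dn"], r["cleartext_password"]) for r in audit_binds(stream)
            if r["cleartext_password"]]


if __name__ == "__main__":
    for record in audit_binds(CAPTURE):
        print(record)
    print("exposed:", exposed_credentials(CAPTURE))
```

The SASL bind in message 3 shows the contrast: the mechanism name is visible, but the credentials are a Kerberos or NTLM token rather than the password itself. Run against a real capture, the same walk is a quick way to find applications still doing simple binds without TLS before enabling the signing requirement on the domain controllers.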

An administrator can define permissions on the directory database (in Active Directory, through the access control list on each object) and keep some of the data private where needed. The schema defines the format of the data: which object classes exist, which attributes each class may carry, and the syntax of every attribute value.

If you wonder why I keep writing about LDAP when the title and the focus of the article is LDAP in Active Directory, the answer is that LDAP is one of the most important parts of a directory service, in our case Active Directory.

LDAP in Active Directory

Windows servers that run Active Directory are called domain controllers; they provide the central place for administering and securing users and computers on the network. Domain controllers authenticate and authorize every user and computer in the Windows domain, and assign and enforce security policies for all directory resources (objects). Such an environment also lets an administrator deploy software to the computers in the domain.
Active Directory integrates easily with Microsoft Outlook, with LDAP doing the work behind the whole architecture, providing users with email and network services on shared resources in an environment that is easy to manage.

By now you know that, one way or another, you have already been using this protocol, and more: Active Directory is what we can call a database system that provides everything we discussed, authentication, authorization, policies and a hierarchical organization of the resources in a Windows Server based environment, while LDAP is the protocol for querying and modifying items in directory services such as Active Directory, Netscape Directory Server and so on.

As a mental index, remember Active Directory as a directory service database and LDAP as the protocol you use to talk to it, your common language with AD.

This article does not hold every detail about LDAP or LDAP in Active Directory, but checking a few more sources should make things clearer if they are not already. The bottom line is that you should not get lost in a narrow topic like this: the basic concept, what it stands for and what it does, is enough, because in our days things are constantly replaced by newer and better ones.

