Active Directory plays such an important part in the makeup of most organizations’ IT infrastructure, that it automatically becomes the first target for attackers. If an attacker gets into one of your user accounts, any you don’t know that it’s happened, it’s only a matter of time before you are the victim of a disastrous data breach (especially is this user account has special privileges).
Understanding LDAP plays an important part of getting to know your Active Directory better and preventing data breaches and unauthorized access. So, with that in mind, let’s take a look at what LDAP is and the role it plays in Active Directory security.
What is LDAP?
Lightweight Directory Access Protocol (or LDAP) is essentially an open and cross platform protocol that is used for directory services authentication. LDAP enables applications to communicate with other directory services servers. This is important because directory services store and share important sensitive information to do with users, passwords and computer accounts.
What is Active Directory?
Active Directory (or AD) is a directory services implementation that provides authentication functionality, group and user management, policy administration and more. As far as directory services go, Microsoft Active Directory is by far the most common in use today, in no small part because it is easy to use, secure, provides single sign on and works well in business environments or over VPN.
How Active Directory and LDAP Work Together
Active Directory supports LDAP, meaning you can combine the two to help you improve your access management. In fact, many different directory services and access management solutions can understand LDAP, making it widely used across environments without Active Directory as well.
LDAP Authentication Explained
Firstly, there are two different types of LDAP authentication; simple and Simple Authentication and Security Layer (SASL).
Let’s first take a look at simple authentication. Simple authentication allows you to authenticate via three different methods:
- Anonymous Authentication: as the name suggests, this gives anonymous status to LDAP.
- Unauthenticated Authentication: this should not grant access; it is for logging purposes only.
- Name/Password Authentication: again, as the name suggests, this grants access based on a supplied name and password.
SASL authentication links LDAP with another authentication system (such as Kerberos). Through a series of challenge and response messages, the LDAP server sends a message to the authorization service and results in either a successful or failed authorization.
An important note here is that LDAP sends messages that are unencrypted. It is a good idea to add some sort of encryption to these messages to keep your sensitive information secure from prying eyes.
LDAP queries are commands that communicate with your directory service to extract specific information. As an example, you may want to use an LDAP query to see how many expired user accounts you have in Active Directory. In this case the LDAP query you would use is the following:
If the look of the above LDAP query makes you wince, don’t worry, you’re not alone. Thankfully, you don’t have to use LDAP queries in most cases to get the information you’re looking for. If your looking for specific information in Active Directory, it’s probably better to use something like PowerShell or LepideAuditor for Active Directory.
Essentially, to sum up, LDAP is a protocol and Active Directory is a directory service. LDAP authenticates AD. If you want more information as to how Lepide’s Active Directory auditing software can audit and monitor changes to keep your Active Directory environment secure, start your free trial today.