Last modified: March 23, 2026

This article is written in: 🇺🇸

LDAP is a protocol used to access and manage directory information over an IP network. It is open, vendor-neutral, and an industry standard. LDAP is commonly used for centralized authentication, where user credentials and permissions are managed in a single directory and applied across multiple systems and applications.

Understanding LDAP Concepts

Directory

• A directory functions similarly to a database, but it is designed primarily for reading, browsing, and searching information instead of performing frequent, transaction-oriented tasks.
• It is optimized for attribute-based storage, meaning it holds descriptive information about objects, allowing for advanced filtering and querying capabilities.
• The directory's purpose is to securely store information like user credentials, permissions, and organizational data that can be easily retrieved and managed.
• It employs a hierarchical structure akin to a tree, which facilitates an organized, layered approach to data storage and retrieval.

Entries and Attributes

• An entry represents a unique object within the directory, such as a user, a group, or a device, each serving as an individual record in the hierarchy.
• Entries are characterized by attributes, which are key-value pairs that provide descriptive information about the entry, such as the name, email, or password of a user.
• Attributes allow for detailed descriptions of each entry, making it easier to perform specific searches and retrieve particular information as needed.

Distinguished Names (DN)

• A Distinguished Name (DN) uniquely identifies an entry within the LDAP directory, providing a specific address for each object in the directory tree.
• The DN is structured as a string of key-value pairs, with each pair separated by commas, creating a clear and readable format.
• It consists of components like the user identifier (uid), organizational unit (ou), and domain components (dc), each specifying different levels of the directory hierarchy.
• For instance, the DN uid=jdoe,ou=users,dc=example,dc=com represents a specific entry under the "users" organizational unit in the "example.com" domain.

Schema

• A schema establishes the structure of the directory, defining the rules and organization for all entries and their attributes.
• It includes object classes, which specify the types of entries permitted in the directory, such as "person" or "organizationalUnit."
• Each object class has a defined set of attributes that determine what information is allowed or required, ensuring consistency in how data is stored.
• The schema also enforces syntax rules, which dictate the data types and constraints for attributes, helping maintain data integrity and consistency across the directory.

Network Topology Diagram

The network topology illustrates how the LDAP server interacts with multiple client hosts across the network.

|    LDAP Server     |
                 | (ldap.example.com) |
                 +----------+---------+
                            |
             ---------------------------------
             |               |               |
     +-------+-----+   +-----+-------+   +---+-------+
     |             |   |             |   |           |
+------v------+ +----v-----+     +-----v----+     +----v-----+
| Client Host | | Client   |     | Client   |     | Client   |
|    (Web)    | | Host     |     | Host     |     | Host     |
|             | | (Email)  |     | (SSH)    |     | (FTP)    |
+-------------+ +----------+     +----------+     +----------+

• An LDAP server acts as a centralized directory service, where user credentials, permissions, and other organizational data are securely stored and managed.
• Client hosts include systems and applications such as web servers, email servers, SSH servers, and FTP servers, which rely on the LDAP server to authenticate users and grant appropriate access.
• By connecting to the LDAP server, these client hosts can authenticate users consistently, ensuring that access control is centralized and streamlined across various services and platforms.

LDAP Directory Structure

LDAP directories are organized hierarchically in a structure known as the Directory Information Tree (DIT).

Visual Representation of a DIT:

(Root)
                      |
           +----------+----------+
           |                     |
        dc=com                 dc=org
           |                     |
     +-----+-----+               |
     |           |               |
  dc=example   dc=company       ...
     |
 +---+---+
 |       |
ou=users ou=groups
 |         |
 |         +----------------+
 |                          |
+--+--+                   +---+---+
|     |                   |       |
uid=alice uid=bob       cn=admins cn=users

• The dc (Domain Component) represents parts of a domain name, allowing LDAP entries to reflect the domain structure; for example, dc=example,dc=com corresponds to the domain example.com.
• The ou (Organizational Unit) groups entries logically, so you might have entries like ou=users for user accounts or ou=groups for different group classifications.
• The uid (User Identifier) is used to represent individual user entries, such as uid=alice for a user named Alice.
• The cn (Common Name) typically names entries, like groups, with a descriptive label, such as cn=admins for an administrators group.

User Authentication Sequence Diagram

User                Client Host             LDAP Server
|                       |                      |
|---Login Request------>|                      |
|                       |---Authenticate------>|
|                       |                      |
|                       |<--Authentication-----|
|<--Access Granted------|                      |

1. User sends login request to Client Host.
2. Client Host sends authentication request to LDAP Server.
3. LDAP Server processes the request and sends back the authentication result.
4. Client Host grants or denies access to the User based on the result.

Common LDAP Operations

LDAP defines a set of operations that clients can perform on the directory.

Bind

• The purpose of the bind operation is to authenticate the client and specify the version of the LDAP protocol being used.
• This operation is used to initiate a session between the client and the LDAP server, allowing further communication and requests to proceed securely.

Example Command:

ldapwhoami -x -D "uid=jdoe,ou=users,dc=example,dc=com" -W

Options:

Expected Output:

Enter LDAP Password:
dn:uid=jdoe,ou=users,dc=example,dc=com

Search & Compare

• The search operation is used to retrieve directory entries that match specific criteria, allowing clients to find and access particular information within the LDAP directory.
• The compare operation checks whether a specified attribute of an entry contains a certain value, helping to verify data or confirm user details.

Example Search Command:

ldapsearch -x -b "dc=example,dc=com" "(uid=jdoe)"

Expected Output:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=jdoe)
# requesting: ALL
#

# jdoe, users, example.com
dn: uid=jdoe,ou=users,dc=example,dc=com
uid: jdoe
cn: John Doe
sn: Doe
mail: jdoe@example.com
...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Add, Delete & Modify

• The add operation is used to create new entries within the LDAP directory, enabling the addition of users, groups, or other objects.
• The delete operation removes entries from the directory, allowing for the cleanup or deactivation of outdated or unnecessary records.
• The modify operation updates existing entries, facilitating changes to attributes or values as needed to keep directory information current.

Example Add Command:

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f new_user.ldif

Example Delete Command:

ldapdelete -x -D "cn=admin,dc=example,dc=com" -W "uid=jdoe,ou=users,dc=example,dc=com"

Unbind

• The purpose of the unbind operation is to terminate the LDAP session, signaling the end of communication between the client and the server.
• This operation is used either automatically after completing necessary actions or explicitly by the client to close the connection when it is no longer needed.

LDAP Search Filters

Search filters control what entries are returned in a search operation.

Syntax:

• (attribute=value): Equality match.
• (&(filter1)(filter2)): AND operation.
• (|(filter1)(filter2)): OR operation.
• (!(filter)): NOT operation.

Examples:

Find users with uid 'jdoe':

(uid=jdoe)

Find entries that are persons and have an email:

(&(objectClass=person)(mail=*))

Find users not in the 'admins' group:

(!(memberOf=cn=admins,ou=groups,dc=example,dc=com))

LDAP Tools and Utilities

Command-Line Tools

1. ldapsearch: Search for entries.

ldapsearch -x -b "dc=example,dc=com" "(objectClass=*)"

1. ldapadd/ldapmodify: Add or modify entries.

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f entry.ldif

1. ldapdelete: Delete entries.

ldapdelete -x -D "cn=admin,dc=example,dc=com" -W "uid=jdoe,ou=users,dc=example,dc=com"

1. ldapwhoami: Display the DN bound to the session.

ldapwhoami -x -D "uid=jdoe,ou=users,dc=example,dc=com" -W

GUI-Based Tools

1. Apache Directory Studio is an Eclipse-based LDAP browser and editor, offering a user-friendly interface for browsing and managing LDAP directories.
2. phpLDAPadmin serves as a web-based LDAP administration tool, allowing administrators to manage directory entries through a convenient browser interface.
3. JXplorer is a Java-based LDAP client, providing cross-platform support for accessing and managing LDAP directories with various customization options.

Implementing LDAP for Centralized Authentication

Centralized authentication via LDAP allows multiple servers and applications to use a single directory for user authentication and authorization.

Prerequisites:

• An operating system like Ubuntu Server 20.04 LTS (or a similar Linux distribution) is needed as the platform for hosting the LDAP server.
• Root or sudo access is essential for performing the installation and configuration steps, allowing you to manage system-level changes securely.
• Proper network configuration is required to ensure that the LDAP server and client systems can communicate effectively over the network, enabling reliable access and authentication.

Step-by-Step Guide

1. Install and Configure the LDAP Server

Install OpenLDAP and Utilities:

sudo apt-get update
sudo apt-get install slapd ldap-utils

Configure slapd:

During installation, you may not be prompted for configuration. Run the following to reconfigure:

sudo dpkg-reconfigure slapd

Configuration Prompts:

2. Define the Directory Structure (Schema)

Create Base LDIF File (base.ldif):

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example

dn: ou=users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

Load the Schema into LDAP:

sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif

Expected Output:

adding new entry "dc=example,dc=com"

adding new entry "ou=users,dc=example,dc=com"

adding new entry "ou=groups,dc=example,dc=com"

3. Add Users to the Directory

Create User LDIF File (user.ldif):

dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
givenName: John
mail: jdoe@example.com
userPassword: {SSHA}encrypted_password_here

Note: Use slappasswd to generate an encrypted password.

slappasswd

Load the User into LDAP:

sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f user.ldif

• Expected Output:

adding new entry "uid=jdoe,ou=users,dc=example,dc=com"

4. Install and Configure LDAP Client on Other Servers

Install Required Packages:

sudo apt-get install libnss-ldap libpam-ldap ldap-utils nscd

Configuration Prompts:

Configure NSS to Use LDAP:

Edit /etc/nsswitch.conf:

passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap

Configure PAM for LDAP Authentication:

Ensure that /etc/pam.d/common-auth includes:

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure try_first_pass

Restart NSS Service:

sudo service nscd restart

5. Enable Home Directory Creation

Install libpam-mkhomedir:

sudo apt-get install libpam-mkhomedir

Configure PAM to create home directories:

Edit /etc/pam.d/common-session and add:

session required        pam_mkhomedir.so skel=/etc/skel umask=077

Verification and Testing

Test LDAP Lookup:

getent passwd jdoe

Expected Output:

jdoe:x:10000:10000:John Doe:/home/jdoe:/bin/bash

Test Login as LDAP User:

Use SSH or local terminal:

ssh jdoe@localhost

• Expected Behavior:
• Prompt for password.
• Upon successful authentication, home directory is created.

Testing LDAP Server Connectivity

Verify that the LDAP service is listening and reachable:

ldapwhoami -x -H ldap://localhost

Expected output for an anonymous bind:

For an authenticated bind, supply credentials:

ldapwhoami -x -D "cn=admin,dc=example,dc=com" -W -H ldap://localhost

Expected output:

dn:cn=admin,dc=example,dc=com

Testing Search Operations

Search for all user entries to confirm the directory is populated:

ldapsearch -x -b "ou=users,dc=example,dc=com" -H ldap://localhost "(objectClass=inetOrgPerson)" uid cn

Verify a specific group:

ldapsearch -x -b "ou=groups,dc=example,dc=com" -H ldap://localhost "(cn=developers)"

Testing Add, Modify, and Delete Operations

Create a temporary test user (testuser.ldif):

dn: uid=testuser,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: testpass

Add, verify, and then remove the test entry:

sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f testuser.ldif
ldapsearch -x -b "dc=example,dc=com" "(uid=testuser)" uid cn
sudo ldapdelete -x -D "cn=admin,dc=example,dc=com" -W "uid=testuser,ou=users,dc=example,dc=com"

Testing NSS Integration

After configuring NSS, verify that the system can resolve LDAP users and groups:

getent passwd          # should list LDAP users alongside local users
getent group           # should list LDAP groups
id jdoe                # should show uid, gid, and groups from LDAP

Authentication Mechanisms

LDAP supports several methods for authenticating clients to the directory server.

Simple Authentication

Simple authentication sends a DN and password to the server. It should always be used over an encrypted connection to prevent credentials from being transmitted in clear text.

ldapwhoami -x -D "uid=jdoe,ou=users,dc=example,dc=com" -W -H ldap://localhost

Securing Connections with TLS

Transport Layer Security (TLS) encrypts the communication channel between the client and the server.

I. Generate or obtain a TLS certificate and key for the LDAP server.

II. Configure slapd to use TLS by creating an LDIF file (tls.ldif):

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap-server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap-server.key

Apply the configuration:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif

III. Configure clients to require TLS by adding to /etc/ldap/ldap.conf:

TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand

IV. Test a TLS connection:

ldapwhoami -x -ZZ -D "uid=jdoe,ou=users,dc=example,dc=com" -W -H ldap://localhost

The -ZZ flag enforces StartTLS and fails if encryption cannot be established.

Password Policies

OpenLDAP supports password policies through the ppolicy overlay, which allows administrators to enforce rules like minimum length, expiration, and lockout after failed attempts.

Load the password policy module and schema:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

Create a default password policy entry (ppolicy_default.ldif):

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMustChange: TRUE

Add the policy:

sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f ppolicy_default.ldif

Local (Single-Machine) Setup

For development or testing purposes, you can run both the LDAP server and client on the same host. Follow the server installation steps above, then configure the client to connect to localhost:

I. Install client libraries:

sudo apt-get install libnss-ldap libpam-ldap ldap-utils nscd

When prompted for the LDAP server URI, enter ldap://127.0.0.1.

II. Edit /etc/nsswitch.conf to add ldap:

passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap

III. Restart services and test:

sudo service nscd restart
getent passwd jdoe

Because both the server and client processes share the same machine, no network configuration is required beyond verifying that slapd listens on 127.0.0.1:389.

Maintenance and Management

Adding More Users

Create LDIF File for New User (user2.ldif):

dn: uid=asmith,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
cn: Alice Smith
sn: Smith
givenName: Alice
mail: asmith@example.com
userPassword: {SSHA}encrypted_password_here

Add User to LDAP:

sudo ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f user2.ldif

Modifying User Attributes

Create Modify LDIF File (modify_jdoe.ldif):

dn: uid=jdoe,ou=users,dc=example,dc=com
changetype: modify
replace: mail
mail: john.doe@example.com

Apply Changes:

sudo ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f modify_jdoe.ldif

Deleting Users

Delete User Entry:

sudo ldapdelete -x -D "cn=admin,dc=example,dc=com" -W "uid=jdoe,ou=users,dc=example,dc=com"

Challenges

1. Install and configure an LDAP server on a Linux system. Set up the basic directory structure and include at least three organizational units (OUs).
2. Add entries to the LDAP directory, including users and groups. Practice creating at least 10 user entries and 3 groups, assigning users to different groups.
3. Configure a Linux system to use LDAP for user authentication. Test this by logging into the system with user credentials stored in the LDAP directory.
4. Develop a strategy for backing up the LDAP directory. Perform a backup, then restore from this backup to ensure the integrity and completeness of your backup method.
5. Use the ldapsearch command to perform various queries on the LDAP directory. Try to search for specific users, groups, and other entities based on different attributes.
6. Secure your LDAP communications with TLS/SSL. Configure the server for encrypted connections and verify the security by connecting to it with an LDAP client.
7. Choose an application or service (such as email or web service) that supports LDAP integration. Configure it to authenticate users against your LDAP directory.
8. Design and implement a custom LDAP schema for a specific use case (like managing inventory or tracking software licenses). Add attributes and object classes that are not available in the default schema.
9. Set up LDAP replication. Configure a secondary LDAP server and ensure that it synchronizes correctly with your primary LDAP server.
10. Simulate common LDAP connectivity issues and practice troubleshooting. Document each issue simulated, your diagnostic process, and the steps taken to resolve the issues.