Introduction
LDAP (Lightweight Directory Access Protocol) is an open protocol for accessing and maintaining distributed directory information services. It is widely used for user authentication, address books, and centralized identity management in enterprise environments.
This comprehensive guide covers LDAP protocol mechanics, directory structure, authentication, and practical implementation.
What is LDAP?
LDAP provides a standardized way to access and manage directory services. It is used for authentication, authorization, and retrieving user information.
Key Features
Hierarchical Directory: Tree structure for organizing data.
Standard Operations: Search, add, modify, delete.
Authentication: Simple and SASL authentication.
Replication: Multi-master and master-slave configurations.
Directory Structure
DIT (Directory Information Tree)
```
dc=example,dc=com
├── ou=users
│   ├── uid=john
│   ├── uid=jane
│   └── uid=bob
├── ou=groups
│   ├── cn=admins
│   └── cn=users
└── ou=servers
    ├── cn=server1
    └── cn=server2
```
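To make the tree above concrete, here is an added example (my own code, not part of the original article; plain Python with no ldap3 dependency) that splits DNs into RDNs while honouring RFC 4514 backslash escapes, derives parent DNs, rebuilds the DIT from a constructed list of DNs, and provides an is_under() subtree check of the kind an application should apply before trusting a DN the directory returned. The function names and the sample DNs (including the escaped "cn=Doe\, John" entry) are my own constructions.

```python
# Constructed sample: the DNs of the tree above plus one RDN containing an
# escaped comma, which a naive split(',') would tear in half.
SAMPLE_DNS = [
    "dc=example,dc=com",
    "ou=users,dc=example,dc=com",
    "uid=john,ou=users,dc=example,dc=com",
    "uid=jane,ou=users,dc=example,dc=com",
    "uid=bob,ou=users,dc=example,dc=com",
    "cn=Doe\\, John,ou=users,dc=example,dc=com",
    "ou=groups,dc=example,dc=com",
    "cn=admins,ou=groups,dc=example,dc=com",
    "cn=users,ou=groups,dc=example,dc=com",
    "ou=servers,dc=example,dc=com",
    "cn=server1,ou=servers,dc=example,dc=com",
    "cn=server2,ou=servers,dc=example,dc=com",
]


def split_rdns(dn):
    """Split a DN into its RDN strings, leaf first, keeping RFC 4514 backslash escapes intact."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # an escaped pair such as '\,' belongs to the value
            i += 2
            continue
        if ch == ",":                    # only an unescaped comma separates RDNs
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parse_dn(dn):
    """Return [(attribute_type, value), ...] leaf first; types are case-insensitive, so lower-cased."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def parent_dn(dn):
    """Drop the leftmost RDN: the parent of uid=john,ou=users,... is ou=users,..."""
    return ",".join(split_rdns(dn)[1:])


def is_under(dn, base):
    """True if dn equals base or lies in the subtree below it.
    Simplification: values are compared case-insensitively, which matches the
    caseIgnore matching rules of cn/ou/dc/uid but not every attribute syntax."""
    entry = [(t, v.lower()) for t, v in parse_dn(dn)]
    root = [(t, v.lower()) for t, v in parse_dn(base)]
    return len(entry) >= len(root) and entry[len(entry) - len(root):] == root


def build_tree(dns):
    """Return (roots, children): children maps each DN to its immediate children, in input order."""
    known = set(dns)
    children = {dn: [] for dn in dns}
    roots = []
    for dn in dns:
        parent = parent_dn(dn)
        if parent in known:
            children[parent].append(dn)
        else:
            roots.append(dn)             # no parent in the set: a naming-context root
    return roots, children


def render_tree(dns):
    """Render the DIT with box-drawing connectors: root DN in full, children as their RDN."""
    roots, children = build_tree(dns)
    lines = []

    def walk(dn, prefix):
        kids = children[dn]
        for idx, kid in enumerate(kids):
            last = idx == len(kids) - 1
            lines.append(prefix + ("└── " if last else "├── ") + split_rdns(kid)[0])
            walk(kid, prefix + ("    " if last else "│   "))

    for root in roots:
        lines.append(root)
        walk(root, "")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(SAMPLE_DNS))
    print(is_under("uid=john,ou=users,dc=example,dc=com", "ou=users,dc=example,dc=com"))
```

The is_under() check is the one worth keeping around: when an application resolves a user to a DN and then binds as it, confirming that the DN sits under the subtree it expects (here ou=users) stops an entry elsewhere in the directory that happens to share a uid from being accepted.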
Common Attributes
| Attribute | Description |
|---|---|
| cn | Common Name |
| uid | User ID |
| mail | Email Address |
| telephoneNumber | Phone |
| ou | Organizational Unit |
| dc | Domain Component |
| dn | Distinguished Name |
| sn | Surname |
| givenName | First Name |
Operations
Search
```python
import ldap3

server = ldap3.Server('ldap://ldap.example.com')
conn = ldap3.Connection(server, user='cn=admin,dc=example,dc=com', password='secret')
conn.bind()  # returns False on failure; the reason is in conn.result

# Search for users
conn.search(
    search_base='ou=users,dc=example,dc=com',
    search_filter='(objectClass=person)',
    attributes=['cn', 'mail', 'uid']
)
for entry in conn.entries:
    print(entry.cn, entry.mail)
```
Add Entry
```python
# add() returns True on success; details are in conn.result
conn.add(
    'cn=newuser,ou=users,dc=example,dc=com',
    'inetOrgPerson',
    {
        'cn': 'New User',
        'sn': 'User',
        'mail': '[email protected]',
        'uid': 'newuser',
        'userPassword': 'password123'
    }
)
```
Modify Entry
```python
conn.modify(
    'cn=john,ou=users,dc=example,dc=com',
    {
        'mail': [(ldap3.MODIFY_REPLACE, '[email protected]')],
        'telephoneNumber': [(ldap3.MODIFY_ADD, '+1-555-0123')]
    }
)
```
Delete Entry
```python
conn.delete('cn=olduser,ou=users,dc=example,dc=com')
```
Authentication
Simple Authentication
```python
# Username/password (a simple bind sends the password as-is, so it
# belongs only on a TLS-protected connection)
conn = ldap3.Connection(
    server,
    user='uid=john,ou=users,dc=example,dc=com',
    password='secret'
)
conn.bind()
```
SASL Authentication
```python
# Kerberos (GSSAPI): credentials come from the process's Kerberos ticket
# cache; ldap3 needs the 'gssapi' Python package for this mechanism
conn = ldap3.Connection(
    server,
    authentication=ldap3.SASL,
    sasl_mechanism='GSSAPI'
)

# Digest-MD5: ldap3 takes the credentials as the sasl_credentials tuple
# (realm, user, password, authorization_id), not as user=/password=.
# RFC 6331 moved DIGEST-MD5 to Historic; prefer GSSAPI or a simple bind over TLS.
conn = ldap3.Connection(
    server,
    authentication=ldap3.SASL,
    sasl_mechanism='DIGEST-MD5',
    sasl_credentials=(None, 'john', 'secret', None)
)
```
Active Directory
Special Considerations
```python
# AD uses a different base
AD_BASE = 'dc=company,dc=local'

# Connect to AD (DOMAIN\user form for a simple bind)
server = ldap3.Server('ldap://ad.company.local', get_info=ldap3.ALL)
conn = ldap3.Connection(
    server,
    user='company\\admin',
    password='password',
    auto_bind=True
)

# Search with AD-specific attributes
conn.search(
    search_base=AD_BASE,
    search_filter='(&(objectClass=user)(memberOf=cn=admins,ou=groups,dc=company,dc=local))',
    attributes=['sAMAccountName', 'mail', 'memberOf']
)
```
SSL/TLS
LDAPS (LDAP over SSL)
```python
import ssl

# ldap3's default Tls object does not validate the server certificate
# (validate=ssl.CERT_NONE); pass an explicit Tls object to require it.
# '/etc/ssl/certs/ca.pem' is a placeholder for your CA bundle.
tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file='/etc/ssl/certs/ca.pem')

# Using SSL (LDAPS on port 636)
server = ldap3.Server('ldaps://ldap.example.com:636', use_ssl=True, tls=tls)

# StartTLS: plain port 389, upgraded to TLS before any bind
server = ldap3.Server('ldap://ldap.example.com', tls=tls)
conn = ldap3.Connection(server)
conn.start_tls()
```
Use Cases
User Authentication
```python
from ldap3.core.exceptions import LDAPException

def authenticate_user(username, password):
    # An LDAP simple bind with an empty password is an unauthenticated bind
    # (RFC 4513 section 5.1.2) that many servers answer with success as anonymous,
    # so refuse it before contacting the directory.
    if not username or not password:
        return False
    try:
        server = ldap3.Server('ldap://ldap.example.com')
        # Try to bind with user credentials. The username is placed in a DN, so
        # it must be validated or RDN-escaped first rather than interpolated raw.
        user_dn = f'uid={username},ou=users,dc=example,dc=com'
        conn = ldap3.Connection(server, user=user_dn, password=password)
        if conn.bind():
            conn.unbind()
            return True
        return False
    except LDAPException:
        return False
```
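The function above interpolates the username straight into a DN, and the common search-then-bind variant interpolates it into a search filter. The following added example (my own code, not from the article; plain Python so it runs without a directory) implements RFC 4515 filter escaping, shows the filter an unescaped username produces next to the escaped one, and wraps the checks a bind-based login should make before issuing the bind: a non-empty password, exactly one matching entry, and a DN inside the expected subtree. SAMPLE_ENTRIES and lookup_by_uid are constructed stand-ins for conn.search() and conn.entries; all names are my own.

```python
# RFC 4515 section 3: characters with special meaning in a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter (RFC 4515).
    Metacharacters become backslash-hex escapes; control and non-ASCII characters
    are emitted as escaped UTF-8 bytes so the filter stays plain ASCII."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter_unsafe(username):
    """The tutorial pattern: the username is interpolated verbatim into the filter."""
    return "(&(objectClass=person)(uid=%s))" % username


def build_user_filter(username):
    """Hardened form: the username can only ever be matched as a literal uid value."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


# Constructed stand-in for conn.entries: (dn, attributes) pairs.
SAMPLE_ENTRIES = [
    ("uid=john,ou=users,dc=example,dc=com", {"uid": "john", "cn": "John"}),
    ("uid=jane,ou=users,dc=example,dc=com", {"uid": "jane", "cn": "Jane"}),
    ("uid=svc,ou=services,dc=example,dc=com", {"uid": "svc", "cn": "service account"}),
]


def lookup_by_uid(entries, username):
    """Stand-in for conn.search() with build_user_filter(username): the server decodes
    the escapes and compares the uid attribute for equality, so a username such as
    '*)(uid=*' simply matches nothing instead of rewriting the filter."""
    return [dn for dn, attrs in entries if attrs.get("uid") == username]


def bind_dn_for(username, password, entries, expected_base="ou=users,dc=example,dc=com"):
    """Return the DN to bind as, or None if the login attempt must be refused
    before any bind is sent to the directory."""
    # An LDAP simple bind with an empty password is an unauthenticated bind
    # (RFC 4513 section 5.1.2) that many servers answer with success as anonymous.
    if not username or not password:
        return None
    matches = lookup_by_uid(entries, username)
    # Exactly one entry: zero means unknown user, more than one means an
    # ambiguous lookup that must not be resolved by "take the first".
    if len(matches) != 1:
        return None
    dn = matches[0]
    # Only accounts in the expected subtree may log in here.
    if not dn.lower().endswith("," + expected_base.lower()):
        return None
    return dn


if __name__ == "__main__":
    hostile = "*)(uid=*"
    print("unsafe :", build_user_filter_unsafe(hostile))
    print("escaped:", build_user_filter(hostile))
    print(bind_dn_for("john", "correct horse", SAMPLE_ENTRIES))
    print(bind_dn_for("john", "", SAMPLE_ENTRIES))
    print(bind_dn_for("svc", "x", SAMPLE_ENTRIES))
```

In a real deployment bind_dn_for() would be followed by a bind as the returned DN on a TLS-protected connection using a service account for the lookup step; the search result, not the user-supplied string, is what becomes the bind DN, so DN escaping is no longer the application's problem.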
Address Book
```python
# Search for contacts
conn.search(
    search_base='ou=contacts,dc=example,dc=com',
    search_filter='(objectClass=inetOrgPerson)',
    attributes=['cn', 'mail', 'telephoneNumber', 'o']
)
```
Best Practices
- Use LDAPS (or StartTLS) in production and validate the server certificate
- Implement proper access controls so clients can read and modify only what they need
- Use TLS for all connections, since a simple bind otherwise sends the password in the clear
- Enforce password policies (complexity, expiry, lockout)
- Monitor failed login attempts
Conclusion
LDAP remains essential for enterprise identity management, providing centralized authentication and directory services.