Wednesday, September 2, 2015

Lightweight Directory Access Protocol (LDAP) & Active Directory (AD)


From a security standpoint, it's better to update your softwares all the time since the old version may have some existing security problems. There's a common name for this kind of hacking which is called "zero-day". Here's how it work: a hacker first scans the versions of softwares you are using, and if he/she found that you're using a older version software, he/she will go find if there's any existing security problem under that version. This is called zero-day since once the vulnerability is release to the public, people have zero-day to fix the problem while all the machines are under threat.

So, to reduce the threat, we keep our software updated. However, there may be tons of computers under one organization, there should be solutions under different platforms to update all the computers correctly, remotely, and efficiently.

Lightweight Directory Access Protocol (LDAP)

Short Description

"LDAP is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. It's based on a client-server model." - MSDN

Information Model (date and namespaces)

It's similar to that of the X.500 OSI directory service, but with fewer features and lower resource requirements than X.500.


  • initialize a session (ldap_init, ldap_sslinit)
  • bind to the server (ladp_connect)
  • modify a directory entry, etc.

Distinguished Name (DN)

A DN is a sequence of relative distinguished names (RDN) connected by commas. Typical RDNs are as below:
  • DC: domainComponent
  • CN: commonName
  • OU: organizationalUnitName
  • O: organizationName
  • STREET: streetAddress
  • L: localityName
  • ST: stateOrProvinceName
  • C: countryName
  • UID: userid
So, it looks like: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM

Active Directory (AD)

"Active Directory is a directory service that Microsoft developed for Windows domain networks and is included in most Windows Server operating systems. An AD domain controller authenticates and authorizes all the users and computers in a Windows domain type network - assigning and enforcing security policies for all computers and installing or updating software. It makes use of LDAP version 2 and 3, Microsoft's version of Kerberos, and DNS" - Wikipedia

To simplify, AD is Microsoft's solution for LDAP, which is designed for Windows environment. And, yes, it's much more complicated on its domain design.