LDAP (Lightweight Directory Access Protocol) and LDAPS (LDAP over SSL) are both protocols used to access and manage directory services.
The key difference between them is the security of the transport.
LDAP operates on the default port 389 and is used for accessing and managing directory services across IP networks without encryption. This means data, including the credentials in a simple bind, is transmitted in clear text, which leaves it exposed to interception and eavesdropping.
- Connection Establishment: The client establishes a connection to the LDAP server.
- Send Bind Request: The client sends a bind request to the LDAP server. This request includes the distinguished name (DN) of the user attempting to authenticate and the corresponding password.
- Verify Credentials: The LDAP server verifies the provided DN and password against the credentials stored in its directory.
- Bind Response: Based on the verification, the LDAP server responds to the bind request. If the credentials are correct and the authentication is successful, the server sends a success response. If the authentication fails, an error message is returned.
- Access Directory: Upon successful authentication, the client can then perform directory operations, such as querying or modifying directory entries.
- Close Connection: After completing the necessary operations, the connection to the LDAP server is closed.
When to use LDAP: The network is trusted, and encryption is not a primary concern.
LDAPS, on the other hand, is LDAP encrypted with SSL (Secure Sockets Layer, today in practice its successor TLS), running on the default port 636. It provides a secure channel for data transmission, ensuring that the data exchanged between the LDAP client and server is encrypted and thus protected against eavesdropping and tampering.
- Establish Secure Connection: The client initiates a connection to the LDAP server on the designated LDAPS port (usually 636). The server presents its SSL certificate to the client.
- Verify Server Certificate: The client verifies the server's SSL certificate against a list of trusted Certificate Authorities (CAs). This step ensures the server's identity and establishes trust.
- SSL/TLS Handshake: Upon successful verification of the server's certificate, an SSL/TLS handshake occurs between the client and server. This process negotiates the encryption algorithms and generates a shared secret for the session, establishing a secure channel.
- Send Bind Request: Over this secure channel, the client sends a bind request to the LDAP server. This request includes the distinguished name (DN) of the user attempting to authenticate and the corresponding password.
- Verify Credentials: The LDAP server verifies the provided DN and password against its directory database.
- Bind Response: The LDAP server responds to the bind request. If the credentials are verified successfully, the server sends a successful response; otherwise, it sends an error.
- Access Directory: Upon successful authentication, the client can perform secure LDAP operations, such as querying or modifying directory entries.
- Close Connection: The secure session is terminated once the operations are completed, or the session times out.
When to use LDAPS: Security and data confidentiality are important.
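The following is an added example, not code from the original article, covering both bind flows above. Using only the Python standard library, it encodes the simple BindRequest in BER as a client sends it, parses it back to show that on port 389 the DN and password sit in the TCP payload exactly as sent, runs a small detection over constructed captured segments (addresses, DN and password are made up), and builds the TLS client context that performs the certificate-verification step of the LDAPS flow, with the weak no-verification setting shown beside it. The `ldaps_bind` helper needs a live server and is an assumption about how a client would wire the pieces together.

```python
"""Added example (not from the original article): BER encode/parse of the LDAP simple
bind, detection of cleartext binds in constructed traffic, and a verifying TLS context."""
import socket
import ssl

# --- BER helpers (RFC 4511 carries LDAP messages in BER) ---
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body          # long-form length

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(n):
    size = max(1, (n.bit_length() + 8) // 8)         # keep the sign bit clear for n >= 0
    return _tlv(0x02, n.to_bytes(size, "big", signed=True))

def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def encode_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))

def parse_simple_bind(packet):
    """Return (message_id, dn, password) for a simple BindRequest, else None.
    On port 389 these fields are readable by anyone who sees the TCP payload."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        if tag != 0x30:
            return None
        tag, mid, pos = _read_tlv(msg, 0)
        tag2, bind, _ = _read_tlv(msg, pos)
        if tag != 0x02 or tag2 != 0x60:
            return None
        _, _, pos = _read_tlv(bind, 0)               # version
        _, dn, pos = _read_tlv(bind, pos)            # name (LDAPDN)
        tag, cred, _ = _read_tlv(bind, pos)          # AuthenticationChoice
    except IndexError:
        return None
    if tag != 0x80:                                  # [3] SASL etc.: no cleartext password
        return None
    return int.from_bytes(mid, "big", signed=True), dn.decode(), cred.decode()

def parse_bind_result(packet):
    """resultCode of a BindResponse [APPLICATION 1]: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = _read_tlv(resp, 0)                  # ENUMERATED resultCode comes first
    return int.from_bytes(code, "big")

# --- detection over constructed "captured" TCP segments (all values are made up) ---
CAPTURED = [
    {"src": "10.0.5.21", "dst_port": 389,
     "payload": encode_simple_bind(1, "cn=svc-backup,ou=svc,dc=example,dc=com", "Wint3r!")},
    {"src": "10.0.5.22", "dst_port": 389, "payload": encode_simple_bind(1, "", "")},  # anonymous
    {"src": "10.0.5.23", "dst_port": 636,
     "payload": b"\x16\x03\x01\x00\x4a\x01\x00\x00\x46"},   # TLS ClientHello: opaque to us
]

def find_cleartext_binds(segments):
    """Authenticated simple binds on the plain LDAP port expose DN and password."""
    hits = []
    for seg in segments:
        parsed = parse_simple_bind(seg["payload"]) if seg["dst_port"] != 636 else None
        if parsed and parsed[2]:
            hits.append((seg["src"], parsed[1]))
    return hits

# --- LDAPS client side: the certificate check is what makes step 2 of the flow real ---
def ldaps_client_context(cafile=None, verify=True):
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    if not verify:  # weak setting: any certificate is accepted, so the server is never authenticated
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def ldaps_bind(host, dn, password, ctx, port=636):
    """Assumed wiring of the LDAPS flow (steps 1-6); needs a live server."""
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # handshake + cert check
            tls.sendall(encode_simple_bind(1, dn, password))
            return parse_bind_result(tls.recv(4096))
```

The detector deliberately ignores anonymous binds (empty password) and treats anything on 636 as opaque, so what it reports is exactly the case the text warns about: a real password crossing the network in the clear. The verifying context is the default; the `verify=False` branch exists only to show which two settings turn the LDAPS certificate check off.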