LDAP vs Active Directory
The main difference in LDAP vs Active Directory is that while both LDAP and Active Directory are used for querying user identity information, AD contains a complete network operating system with services such as DNS, DHCP etc. In contrast, LDAP does not have any of those functionalities. Understanding LDAP plays an essential part in getting to know your Active Directory better and preventing data breaches and unauthorised access.
What is LDAP?
The Lightweight Directory Access Protocol (LDAP) is a cross-platform software protocol used for directory service authentication. LDAP allows anyone to query and communicate with the directory service providers and locate data related to the organisation, users, devices and other resources such as files in a network.
The directory services also store user account details such as username, password and computer account; hence LDAP is commonly used to provide a central place for authentication. Lightweight Directory Access Protocol is an essential component in learning more about your Active Directory and preventing data breaches and illicit access.
To avoid exposing the password, organisations can utilise simple authentication within an encrypted channel is supported by the LDAP server. LDAP can use these user credentials for providing authentication in different applications and services such as Docker, Jenkins, Samba servers etc.
When using Lightweight Directory Access Protocol, the following things are considered:
- Directory Structures.
- Adding, updating and reading data.
- Authentication.
- Searching.
What is Active Directory (AD)?
The Active Directory is a directory service developed by Microsoft to manage an organisation’s IT infrastructure and assets such as its domains, user accounts, policies and other distributed resources for a domain network, just like its admins. The Active Directory (AD) provides a system and network administrators with functionality such as authentication, group and user management, policy administration, device management, implementing security policy related to different security issues and group policy on its objects and more.
The Lightweight Directory Access Protocol (LDAP) is the protocol usually used to communicate with AD.
In Active Directory, the assets are categorised as per the following tiers:
1. Domains
Users and devices that share an Active Directory database are part of a domain. Domains are generally named after a company or a department of a company.
2. Trees
Trees define the trust between multiple domains; this decides who can access what in different parts of an organisation.
3. Forest
For large organisations containing numerous domains, these domains are grouped into forests.
What is the role of LDAP in Active Directory?
Lightweight Directory Access Protocol plays a crucial role in the operations of Active Directory as it is a fundamental protocol behind Active Directory. All the information queries, requests, modifications, search for objects like users, computers, printers etc. and directory accesses are performed through LDAP using TCP/IP network.
LDAP vs Kerberos
What is Kerberos?
Kerberos is a network authentication protocol used to authenticate two or more trusted hosts across an untrusted network. It uses secret-key solid cryptography to authenticate client/server application protocol and identify users with the help of tickets.
Kerberos can be used in Posix authentication, NFS, Samba, SSH, POP, SMTP and is the default authentication protocol used by Microsoft Windows Active Directory (AD). Kerberos also provides single sign-on (SSO) functionality.
NTLM vs Kerberos
What is NTLM?
The Windows NT LAN Manager (NTLM) is an authentication protocol that implements a challenge-response mechanism to authenticate clients to use resources in an AD domain.
When a client needs to access a service or resource in its domain, the service challenges the client. The client then uses its authentication token and performs certain mathematical operations, and generates a response. This response is returned to the service requested, and if the challenge-response is correct, the client is granted access.
FAQ Answered
How does LDAP work with Active Directory?
As mentioned earlier, Lightweight Directory Access Protocol LDAP is the protocol to query directory services, and Microsoft Active Directory is the directory service. The Active Directory stores information related to users, devices, services, resources etc. and when a client needs to request this information, LDAP is used.
LDAP queries the information stored in AD and extracts the necessary details, and communicates responses to and from the client. So LDAP authentication and AD work together to provide clients access to the resources and information they need, to access applications and execute their responsibilities.
Can you use LDAP without Active Directory?
LDAP is a protocol designed to be a cross-platform protocol. It can be used with multiple directory services other than Active Directories such as Open LDAP, Red Hat Directory Server and IBM Tivoli Directory Server.
Other than directory services, LDAP can be used in different applications to validate users with the help of relevant plugins such as Docker, Jenkins, Kubernetes, Open VPN and Linux Samba servers.
What is the difference between LDAP and database?
LDAP and databases are two very different technologies. LDAP is simply a protocol (i.e. a set of rules for transmitting data) used to query and modify data using certain directory services or plugins. At the same time, a database is a collection of said data. So to put into perspective, there is a significant difference between LDAP and databases; LDAP is used to query the data stored in a database.
Does Active Directory use LDAP or Kerberos?
Active Directory supports both LDAP and Kerberos for authentication, and more often than not, these two protocols are used together.
Kerberos is the default authentication and authorisation protocol used by Active Directory as it is more secure. LDAP is also used for the same and is used for organising objects such as user accounts, computers and organisation units (OUs) within the Active Directory domain.
For example, when an IT admin opens the Active Directory Users and Computers console, his computer first uses Kerberos to obtain a ticket and access the Domain Controller and then uses LDAP to allow the IT admin to use the console to carry out the required tasks with the domain objects.
Which is better, LDAP or Kerberos?
LDAP and Kerberos both provide authentication for directory services, but they do have specific differences, as mentioned below:
| LDAP | Kerberos |
|---|---|
| It simpler to implement and manage | Implementing and managing Kerberos may become complex |
| LDAP is used for authorising the accounts details when accessed. | Kerberos is used for managing credentials securely. |
| It is not open source but it has implementations such as Open LDAP which are open-source. | It is open-source software that provides free services. |
| It supports cross platform implementation. | It does not support cross platform implementation. |
| LDAP adds authentication in two options SASL or anonymous authentication. | Kerberos adds high security and gives mutual authentication. |
| Less secure. | More secure. |
So when it comes to implementing one over the other, there may be no correct answer as it depends on the requirements of an organisation.
Does Kerberos require LDAP?
Kerberos in itself is an independent protocol and does not need LDAP to operate. In some instances, LDAP and Kerberos are implemented together, but they are dependent on each other.
Does Windows use LDAP or Kerberos?
As mentioned before, the Windows Active Directory supports both Kerberos and LDAP; these can be used one at a time or simultaneously as well. By default, Windows uses Kerberos for authentication purposes.
Is Kerberos better than NTLM?
NTLM is also an authentication protocol and is an older version of Kerberos. NTLM can be used as a backup for Kerberos authentication.
There are several advantages that Kerberos provides over NTLM:
| NTLMv1 | NTLMv2 | Kerberos | |
|---|---|---|---|
| Security | Less secure | Relatively better security | Best security as no password is stored or sent over the network. |
| Performance | Slower authentication | Slower authentication | Faster authentication |
| Delegation Support | Only supports impersonation | Only supports impersonation | Supports impersonation and delegation of authentication |
| Multi-Factor Authentication | Does not support | Does not support | Supported |
| Cryptography | Symmetric cryptography | Symmetric cryptography | Supports both symmetric and asymmetric cryptography |
| Trusted third party | DC | DC | DC, KDC (and Windows Enterprise Certification Authority in Kerberos PKINIT). |
| Mutual authentication | Does not support | Does not support | Supported |
Hence using Kerberos is a better approach than NTLM.
Does Active Directory use NTLM or Kerberos?
Active Directory supports using both NTLM and Kerberos, where Kerberos is used as the default authentication protocol in Windows servers, and NTLM can be used for older or legacy versions of Windows Server.
What is the role of LDAP in Active Directory?
LDAP plays a crucial role in the operations of Active Directory as it is one of the fundamental protocols behind Active Directory. All the information queries, requests, modifications, searches for objects like users, computers, printers etc. and directory accesses are performed through LDAP using TCP/IP.
Are LDAP and ADFS the same?
AFDS is the Active Directory Federation Services, one of the services provided by AD, i.e. the identity directory service for users, computers, applications etc., that are part of a Windows domain.
ADFS allows AD users to access off-domain resources using their AD credentials. This means that users of one domain can access resources from another domain without the need to authenticate separately to the other domain using the identity federation concept.
On the other hand, LDAP is an authentication protocol meant for directory services, and ADFS is a service given by a directory service, i.e. Microsoft Active Directory.
Get in touch in case of your primary security concerns or review your Active Directory.
Shahrukh, is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.
