⚡ What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory services — centralised databases that store information about users, computers, groups, and resources on a network. It runs over TCP/UDP port 389 (plaintext) or port 636 (LDAPS — LDAP over TLS). Microsoft's Active Directory is the most widely deployed directory service and uses LDAP as its access protocol. When you log into a Windows domain, LDAP is doing the work of looking up your account.

What is a directory service?

A directory service is a specialised database optimised for reading and searching rather than frequent writes. It stores objects — users, computers, printers, groups — and their attributes, organised in a hierarchical tree structure.

Think of it as a company's phone book, but far more powerful. Instead of just names and numbers, it stores every attribute about every user and device: password hashes, group memberships, login times, email addresses, department, manager, certificate information, and more. LDAP is the protocol that lets applications query and update this directory.

🗂️ Active Directory (AD) — most common
Microsoft's directory service, built on LDAP and Kerberos. Used in the vast majority of enterprise Windows environments. Stores all domain user and computer accounts.

🐧 OpenLDAP — open source
The primary open-source LDAP implementation. Used on Linux servers and in cross-platform environments where a Microsoft AD licence isn't viable.

☁️ Azure AD / Entra ID — cloud-based
Microsoft's cloud directory service. Uses modern protocols (OAuth, OIDC) rather than traditional LDAP, but serves the same identity management purpose for cloud and hybrid environments.

🔌 LDAP as a connector — integration point
Applications authenticate against LDAP rather than maintaining their own user databases. VPNs, email servers, Wi-Fi (802.1X), and web apps all use LDAP to verify credentials against the central directory.

LDAP vs LDAPS — the port distinction

This is the most reliably tested LDAP fact on Network+ and Security+. Know both ports and what the difference means:

Protocol          Port           Encryption                                      Use
LDAP              TCP/UDP 389    ✗ Plaintext — credentials visible in traffic    Legacy environments only — should not be used for authentication over untrusted networks
LDAPS             TCP 636        ✓ TLS encrypted — credentials protected         Production standard — LDAP wrapped in TLS, same as HTTP vs HTTPS
LDAP + StartTLS   TCP 389        ✓ Upgrades to TLS mid-session                   Alternative to LDAPS — starts unencrypted on 389, then upgrades. Less preferred than LDAPS.
⚡ Port 389 vs 636 — instant recall

389 = LDAP (plaintext). 636 = LDAPS (encrypted with TLS).

Same relationship as HTTP (80) and HTTPS (443), or FTP (21) and FTPS (990). The exam will present a scenario where credentials are being transmitted insecurely over LDAP and ask how to fix it — the answer is always to switch to LDAPS on port 636.

LDAP directory structure

LDAP directories are organised as a hierarchical tree called the Directory Information Tree (DIT). Every entry in the tree is identified by a Distinguished Name (DN): a unique path that states exactly where the object sits in the hierarchy.

LDAP directory structure — example
Domain: company.com
Tree root (DC = Domain Component):

DC=company,DC=com                           ← root of the domain
  │
  ├── OU=Users,DC=company,DC=com              ← Organisational Unit
  │     ├── CN=John Smith,OU=Users,DC=company,DC=com
  │     └── CN=Jane Doe,OU=Users,DC=company,DC=com
  │
  ├── OU=Computers,DC=company,DC=com
  │     └── CN=DESKTOP-01,OU=Computers,DC=company,DC=com
  │
  └── OU=Groups,DC=company,DC=com
        └── CN=IT-Admins,OU=Groups,DC=company,DC=com
📌 DN components — what the abbreviations mean

DN (Distinguished Name) — the full unique path to an object. Example: CN=John Smith,OU=Users,DC=company,DC=com

CN (Common Name) — the name of the object itself (a user, group, or computer).

OU (Organisational Unit) — a container for grouping objects. Like a folder. You apply Group Policy at the OU level in Active Directory.

DC (Domain Component) — one label of the domain name. company.com becomes DC=company,DC=com.
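To make the DN rules above concrete, here is a small added example (not code from the original article) that parses a DN into its RDN components, walks up to the parent container, converts between DC components and a DNS domain name, and tests whether an object sits inside a given OU. It follows the RFC 4514 string form, including backslash-escaped commas in values; the DNs are the page's own sample tree plus one constructed name containing a comma.

```python
# Added example: Distinguished Name helpers for the tree shown above.
# Sample DNs are the article's (company.com); "Smith, John" is constructed.

# Characters that must be backslash-escaped inside an RDN value (RFC 4514)
RDN_SPECIAL = ',+"\\<>;='


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost (the object) first.

    Splits only on unescaped commas, so "CN=Smith\\, John" stays one RDN.
    Attribute types are normalised to upper case; values are unescaped.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # previous char was '\': take this one literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")   # first '=' separates type from value
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def escape_rdn_value(value):
    """Re-escape a value so it can be placed back into a DN string."""
    out = "".join("\\" + c if c in RDN_SPECIAL else c for c in value)
    if out.startswith(("#", " ")):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "               # so must a trailing space
    return out


def format_dn(pairs):
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in pairs)


def parent_dn(dn):
    """The container an object lives in: drop the leftmost RDN."""
    return format_dn(parse_dn(dn)[1:])


def domain_from_dn(dn):
    """Reassemble the DNS domain from the DC components: DC=company,DC=com -> company.com"""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def dn_from_domain(domain):
    """The reverse mapping: company.com -> DC=company,DC=com"""
    return ",".join(f"DC={label}" for label in domain.split("."))


def is_under(dn, container):
    """True if dn sits at or below container (e.g. inside an OU).

    Values are compared case-insensitively, as most directory attributes are.
    """
    obj = [(a, v.lower()) for a, v in parse_dn(dn)]
    cont = [(a, v.lower()) for a, v in parse_dn(container)]
    return len(obj) >= len(cont) and obj[len(obj) - len(cont):] == cont


if __name__ == "__main__":
    jsmith = "CN=John Smith,OU=Users,DC=company,DC=com"
    print(parse_dn(jsmith))
    print("parent:", parent_dn(jsmith))
    print("domain:", domain_from_dn(jsmith))
    print("in Users OU:", is_under(jsmith, "OU=Users,DC=company,DC=com"))
```

The escape handling is the part worth noticing: a naive `split(",")` breaks on any CN that contains a comma (a common real-world case with "Surname, Forename" display names), which is how a permission check built on string matching ends up looking at the wrong container.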

How LDAP authentication works

When an application needs to verify a user's credentials against a directory, it uses an LDAP bind operation — connecting to the directory server and authenticating. There are two types of bind:

🔓 Anonymous Bind — no credentials
Connect to the LDAP server without providing credentials. Limited read access to public directory information. A security risk if the directory exposes sensitive data to anonymous queries — should be disabled in production.

🔐 Simple Bind — with credentials
Authenticate with a DN and password. The password is sent in plaintext unless LDAPS or StartTLS is used. This is why using LDAPS (port 636) is critical — simple bind over plain LDAP exposes passwords.
LDAP authentication flow — application login
User enters credentials into an application

1. App connects to LDAP server on port 636 (LDAPS)
2. App binds using a service account DN + password
   (a read-only account dedicated to LDAP lookups)
3. App searches for the user:
   Filter: (&(objectClass=user)(sAMAccountName=jsmith))
4. LDAP returns the user's full DN
5. App attempts to bind again using the user's DN + entered password
6. If bind succeeds → authentication successful
   If bind fails   → wrong password — deny access

LDAP and Active Directory

Active Directory is not the same as LDAP — AD is a directory service that uses LDAP as one of its access protocols. Active Directory also uses Kerberos for authentication, DNS for service location, and Group Policy for configuration management. LDAP is the protocol applications use to query AD.

In a Windows domain environment, applications that need to look up users or verify group memberships do so via LDAP queries to a Domain Controller. The Domain Controller listens on ports 389 (LDAP) and 636 (LDAPS) for these queries.

⚡ Active Directory + LDAP exam angle

"Which protocol does Active Directory use to allow applications to query user and group information?" → LDAP

"An application needs to authenticate users against Active Directory. Which port should be used to ensure credentials are encrypted?" → 636 (LDAPS) — plain LDAP on 389 sends credentials unencrypted.

Remember: AD uses both LDAP (for directory queries) and Kerberos (for authentication tickets). They serve different purposes and are both tested.

LDAP injection — the Security+ attack

LDAP injection is an attack that targets applications which build LDAP queries using unsanitised user input — the LDAP equivalent of SQL injection. If an application constructs an LDAP filter by directly concatenating user-supplied values, an attacker can manipulate the filter to bypass authentication or extract directory data.

⚠️ LDAP injection — how it works

Vulnerable application builds this LDAP filter:

(&(uid=[username input])(password=[password input]))

Attacker enters as username: admin)(&(password=*

This manipulates the filter to always return true, bypassing the password check entirely and logging in as admin with any password.

Prevention: Input validation and sanitisation — escape special LDAP characters in user input before building queries. Use parameterised LDAP queries where available.
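The following added example (not code from the original article) ties the search-then-bind login flow from the "LDAP authentication flow" box to the injection scenario above. It simulates the directory in memory so it runs offline: a strict filter parser for the `&`, `|`, `!` and `attr=value` subset, a matcher with `*` wildcards, a simple bind against constructed user entries, and the six-step `authenticate()` flow built once with raw concatenation and once with RFC 4515 escaping. The service account `svc-ldap`, the users and their passwords, and the filter grammar subset are all constructed for this example; a real application would use its LDAP client library's escaping routine and talk to the directory over LDAPS.

```python
# Added example: search-then-bind login with and without filter escaping.
# The directory contents and the service account are constructed sample data.
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_chars(value):
    """Make user input a literal: the sanitisation step the article calls for."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)

def build_lookup_filter_unsafe(username):
    """Vulnerable pattern from the box above: raw concatenation of user input."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"

def build_lookup_filter(username):
    """Hardened pattern: same filter, input escaped first."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_chars(username)}))"

def _parse(s, i):
    """Parse one filter starting at s[i]; returns (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":                 # compound filter
        op = {"&": "and", "|": "or", "!": "not"}[s[i]]
        parts, i = [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            parts.append(node)
        if i >= len(s) or s[i] != ")" or (op == "not" and len(parts) != 1):
            raise ValueError("unbalanced or malformed filter")
        return (op, parts), i + 1
    end = s.find(")", i)                              # simple attr=value item
    if end == -1:
        raise ValueError("unbalanced or malformed filter")
    attr, sep, pattern = s[i:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item")
    return ("eq", attr.lower(), pattern), end + 1

def parse_filter(text):
    """Strict parse: the whole string must be exactly one well-formed filter."""
    node, i = _parse(text, 0)
    if i != len(text):
        raise ValueError(f"trailing data after filter: {text[i:]!r}")
    return node

def filter_is_well_formed(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def _pattern_regex(pattern):
    """An unescaped '*' is a wildcard; an escaped one (\\2a) is a literal star."""
    literal = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(literal) + "$", re.IGNORECASE)

def matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1][0], entry)
    regex = _pattern_regex(node[2])
    return any(regex.match(v) for v in entry.get(node[1], []))

# Constructed sample directory; passwords are in clear only because this is a simulation.
DIRECTORY = {
    "CN=svc-ldap,OU=Users,DC=company,DC=com": {"objectclass": ["user"], "samaccountname": ["svc-ldap"], "userpassword": ["svc-secret"]},
    "CN=John Smith,OU=Users,DC=company,DC=com": {"objectclass": ["user"], "samaccountname": ["jsmith"], "userpassword": ["Winter2024!"]},
    "CN=Jane Doe,OU=Users,DC=company,DC=com": {"objectclass": ["user"], "samaccountname": ["jdoe"], "userpassword": ["Spring2024!"]},
}
SERVICE_DN, SERVICE_PW = "CN=svc-ldap,OU=Users,DC=company,DC=com", "svc-secret"

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry["userpassword"]

def search(base_dn, filter_text):
    node = parse_filter(filter_text)   # a real server also rejects malformed filters
    return [dn for dn, e in DIRECTORY.items() if dn.endswith(base_dn) and matches(node, e)]

def authenticate(username, password, build=build_lookup_filter):
    """Steps 1-6 of the login flow above. Returns the user's DN on success, else None."""
    if not bind(SERVICE_DN, SERVICE_PW):                      # step 2: service-account bind
        return None
    try:
        found = search("DC=company,DC=com", build(username))   # steps 3-4: look up the user
    except ValueError:
        return None                                            # malformed filter: deny
    if len(found) != 1:                                        # exactly one match, or deny
        return None
    return found[0] if bind(found[0], password) else None      # steps 5-6: bind as the user

if __name__ == "__main__":
    print(authenticate("jsmith", "Winter2024!"))                     # the user's DN
    print(authenticate("admin)(&(password=*", "anything"))           # None
    print(filter_is_well_formed(build_lookup_filter_unsafe("admin)(&(password=*")))  # False
```

Two checks in the flow matter beyond escaping. The search must return exactly one entry before the second bind is attempted: with raw concatenation an input of `*` makes the lookup filter match every user, and an application that simply takes the first result binds as whoever happens to sort first. And a malformed filter (which is what the page's injection string produces when concatenated into this template) is treated as a denial, not an error to fall through.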

LDAP security hardening

LDAP hardening best practices
Use LDAPS (port 636)         → Encrypt all LDAP traffic with TLS
                                 Never send credentials over plain LDAP (389)

Disable anonymous bind       → Require authentication for all directory queries
                                 Prevents unauthenticated enumeration of users/groups

Use dedicated service accounts → Read-only accounts for LDAP lookups
                                 Limit blast radius if the account is compromised

Restrict LDAP access by IP   → Only allow LDAP queries from app servers
                                 Use firewall rules to block port 389/636 elsewhere

Sanitise LDAP queries        → Escape special characters to prevent LDAP injection
                                 Treat all user input as untrusted

Exam scenarios

💬 "Which protocol is used to query and manage a directory service such as Active Directory?" → LDAP — Lightweight Directory Access Protocol
💬 "An application authenticates users against Active Directory. A packet capture shows credentials are being sent in plaintext. What should be implemented?" → LDAPS on port 636 — LDAP over TLS encrypts credentials in transit
💬 "Which port does LDAP use for unencrypted directory queries?" → TCP/UDP port 389
💬 "Which port does LDAPS use for encrypted directory queries?" → TCP port 636
💬 "An attacker manipulates a login form's input field to bypass LDAP authentication entirely. What attack is this?" → LDAP injection — unsanitised input allows manipulation of the LDAP query filter
💬 "What is the unique path that identifies an object's location in an LDAP directory tree?" → Distinguished Name (DN) — e.g. CN=John Smith,OU=Users,DC=company,DC=com
💬 "Which LDAP operation is used to authenticate to a directory server with a DN and password?" → Bind — specifically a Simple Bind when using a DN and password combination
💬 "Active Directory uses which two protocols for authentication and directory access?" → Kerberos (authentication tickets) and LDAP (directory queries)
