Leveraging LDAP for User Management

Leverage the LastPass LDAP Directory to support all your provisioning, management, and security needs.


What is LDAP?

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral protocol for reading and writing directory data over a network. Organizations use it to look up and manage user accounts and to authenticate users against a directory service. As a critical component of directory strategies, it offers fast read times, scalability, and ease of use. Many companies already rely on LDAP servers to power business apps, APIs, networks/intranet, and more.

An LDAP integration lets applications talk to directory servers. These servers store user identities, group memberships, credentials, and other authentication data and make them available to systems within a company's network.

There are many benefits to using LDAP, such as:

  • Unique entries through its global naming model (every entry has a distinguished name)
  • The ability to use multiple directories, running over TCP/IP with TLS for encryption (LDAPS, or StartTLS on the standard port)
  • Scalability and a flexible, extensible schema
  • An open standard (the RFC 4510 series) with open-source implementations such as OpenLDAP
  • Wide use as the authentication back end for business apps, APIs, and intranets
  • Industry-wide support

LDAP vs. Directory Integration

The relationship between LDAP and Directory Integration is analogous to that between HTTP and Apache: HTTP is a web protocol, while Apache is a web server that speaks HTTP. Similarly, LDAP is a directory services protocol, whereas Directory Integration is a service that uses the LDAP protocol.

LDAP Directory

An LDAP Directory is a directory server that stores entries and serves them over the LDAP protocol, including the access-control decisions about who may read or change them. LDAP-based solutions include Microsoft Active Directory, Red Hat Directory Server, OpenLDAP, and Apache Directory Server.

Directory Integration

Directory Integration is a directory service implementation process used to oversee and authorize access. It enables access to functions like policy administration, authentication, and group and user management.

What is LDAP Authentication?

As mentioned above, LDAP directories store user and group identities, credentials, and other authentication data. LDAP authentication is the process of checking a login – username and password – against your LDAP directory.

The authentication process works by first resolving the input username with your directory. If found, the authenticator will then check the user password. If the directory states the username and password match, the user will be authenticated and granted access. If not, access is denied.

LDAP Authentication Options

To begin an LDAP session, a client connects to a directory server, known as a Directory System Agent (DSA). By default an LDAP server listens on TCP port 389; LDAP over TLS (LDAPS) uses port 636. Once connected, the client and server exchange request and response messages.
Clients can perform a number of operations, including Bind, Unbind, Search, Compare, Add, Delete, and Modify. LDAPv3 defines two authentication options for the Bind operation: simple and SASL (Simple Authentication and Security Layer).

Simple Authentication

Simple authentication is password-based and covers three mechanisms: anonymous authentication (empty name and empty password), unauthenticated authentication (a name with an empty password), and name/password authentication.
Name/password authentication sends a distinguished name (DN) and a password in a Bind request. The DN identifies the entry the client claims to be, and the password proves that claim. Because the password travels in cleartext inside the Bind request, simple binds should only be sent over TLS. Note also that some servers accept an unauthenticated bind and grant anonymous access rather than rejecting it, so an application that forwards a user-supplied empty password to the directory can mistake that for a successful login; reject empty passwords before binding.
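To make the simple-bind points above concrete, here is an added example (not LastPass code, and it opens no network connection) that encodes an LDAPv3 Bind request as the bytes a client would send to port 389, refuses the unauthenticated form, and shows that the password is readable in those bytes unless the connection is wrapped in TLS. It also encodes the SASL form of the same request, as used with a mechanism such as GSSAPI (Kerberos). The DN, password, and SASL token are made-up values; the tag values follow RFC 4511.

```python
"""Encode an LDAPv3 BindRequest (RFC 4511 section 4.2) as BER bytes.
Added example: it shows what a simple bind puts on the wire and refuses the
unauthenticated bind form. Names and passwords below are made up."""

# BER tags: universal INTEGER / OCTET STRING / SEQUENCE, [APPLICATION 0] for
# BindRequest, context [0] for a simple password, context [3] for SASL.
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60  # APPLICATION 0, constructed
TAG_AUTH_SIMPLE = 0x80   # context-specific 0, primitive
TAG_AUTH_SASL = 0xA3     # context-specific 3, constructed
LDAP_VERSION = 3


def ber_length(n: int) -> bytes:
    """Definite length: one byte below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value: int) -> bytes:
    """Two's-complement INTEGER; the extra byte keeps values >= 128 positive."""
    return ber(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def is_unauthenticated_bind(dn: str, password: str) -> bool:
    """RFC 4513 section 5.1.2: a DN with an empty password is an
    *unauthenticated* bind. A server that accepts it grants anonymous access,
    which a login form that only checks 'did the bind succeed' misreads as a
    valid password."""
    return bool(dn) and not password


def simple_bind_request(message_id: int, dn: str, password: str,
                        allow_anonymous: bool = False) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, dn, simple password } }."""
    if is_unauthenticated_bind(dn, password):
        raise ValueError("empty password with a DN would be an unauthenticated bind")
    if not dn and not password and not allow_anonymous:
        raise ValueError("anonymous bind not permitted by caller")
    bind_request = ber(
        TAG_BIND_REQUEST,
        ber_int(LDAP_VERSION)
        + ber(TAG_OCTET_STRING, dn.encode("utf-8"))
        + ber(TAG_AUTH_SIMPLE, password.encode("utf-8")),
    )
    return ber(TAG_SEQUENCE, ber_int(message_id) + bind_request)


def sasl_bind_request(message_id: int, mechanism: str,
                      credentials: bytes = b"", dn: str = "") -> bytes:
    """Same message with the [3] SASL choice: mechanism name plus opaque
    credentials (for GSSAPI, a Kerberos token); the DN is normally empty."""
    sasl = ber(TAG_AUTH_SASL,
               ber(TAG_OCTET_STRING, mechanism.encode("utf-8"))
               + ber(TAG_OCTET_STRING, credentials))
    bind_request = ber(TAG_BIND_REQUEST,
                       ber_int(LDAP_VERSION)
                       + ber(TAG_OCTET_STRING, dn.encode("utf-8"))
                       + sasl)
    return ber(TAG_SEQUENCE, ber_int(message_id) + bind_request)


def password_visible_on_wire(message: bytes, password: str) -> bool:
    """True when the raw bytes contain the password, i.e. what a network
    observer sees if the bind is not wrapped in TLS (LDAPS or StartTLS)."""
    return password.encode("utf-8") in message


if __name__ == "__main__":
    # Made-up DN and password; nothing here is sent anywhere.
    msg = simple_bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print(msg.hex())
    print("password readable without TLS:", password_visible_on_wire(msg, "secret"))
    print(sasl_bind_request(2, "GSSAPI", b"\x01\x02").hex())
```

The `is_unauthenticated_bind` check is the one most login code forgets: a directory that accepts the name-plus-empty-password form returns a successful Bind result while granting only anonymous rights, so the application must refuse empty passwords itself rather than trusting the result code.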

SASL Authentication 

SASL authentication lets the LDAP server delegate the check to a different authentication mechanism, such as Kerberos (through the GSSAPI mechanism). The client and server exchange one or more Bind requests and responses carrying the mechanism's tokens until the exchange ends in a successful or failed Bind; a failed Bind does not end the session, whereas Unbind closes it. Whichever option is used, the connection should be protected with TLS (Transport Layer Security), through LDAPS or StartTLS, so that usernames and passwords are not exposed on the network between LDAP clients, domain controllers, and other directory servers. This is a straightforward way to keep org usernames and passwords safe.

LDAP Query

Another component of the LDAP authentication process is the LDAP query. An LDAP query is a Search request that asks a directory service (the directory system agent) for the entries matching a search filter, for example to find the entry and attributes for one end user. The filter syntax and the directory schema can be cumbersome to write by hand, so queries are often built through a point-and-click management interface that handles the LDAP entry lookup. When a query is built from user input, that input must be escaped, or an attacker can change the meaning of the filter.
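As an added example of the filter syntax and of the escaping caveat above (this is not LastPass code and involves no directory server), the block below parses RFC 4515 search filters, evaluates them against a few constructed in-memory entries, and contrasts a lookup filter built by string concatenation with one that escapes the login name. The entries, DNs, and the `unsafe_lookup_filter` / `safe_lookup_filter` helpers are invented for the demonstration.

```python
"""Minimal RFC 4515 search-filter parser/matcher over in-memory entries, used
to show how unescaped input rewrites a filter (LDAP injection) and how
escaping prevents it. Constructed example; no directory server involved."""
import re

# Characters with meaning inside an assertion value (RFC 4515 section 3).
_SPECIAL = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input before placing it in a filter assertion value."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def _unescape(raw: str) -> str:
    """Turn \\xx hex escapes back into bytes, then decode as UTF-8."""
    buf = bytearray()
    for idx, part in enumerate(re.split(r"\\([0-9A-Fa-f]{2})", raw)):
        if idx % 2:                      # odd parts are the captured hex digits
            buf.append(int(part, 16))
        else:
            buf += part.encode("utf-8")
    return buf.decode("utf-8")


class FilterParser:
    """Recursive-descent parser for (&...), (|...), (!...), equality,
    presence and substring items; produces nested tuples for matches()."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError(f"trailing data after filter at offset {self.i}")
        return node

    def _expect(self, ch: str) -> None:
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self):
        self._expect("(")
        c = self.s[self.i:self.i + 1]
        if c in ("&", "|"):
            self.i += 1
            kids = []
            while self.s[self.i:self.i + 1] == "(":
                kids.append(self._filter())
            node = (c, kids)
        elif c == "!":
            self.i += 1
            node = ("!", [self._filter()])
        else:
            m = re.match(r"([A-Za-z][A-Za-z0-9;-]*)=([^()]*)", self.s[self.i:])
            if not m:
                raise ValueError(f"bad assertion at offset {self.i}")
            self.i += m.end()
            # Split on *unescaped* '*' first, so an escaped \2a stays literal.
            pieces = [_unescape(p) for p in m.group(2).split("*")]
            node = ("=", (m.group(1).lower(), pieces))
        self._expect(")")
        return node


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attr -> list of values).
    Simplification: every attribute compares case-insensitively."""
    op, arg = node
    if op == "&":
        return all(matches(k, entry) for k in arg)   # (&) is absolute true
    if op == "|":
        return any(matches(k, entry) for k in arg)   # (|) is absolute false
    if op == "!":
        return not matches(arg[0], entry)
    attr, pieces = arg
    values = [v.lower() for v in entry.get(attr, [])]
    if pieces == ["", ""]:                            # (attr=*): presence
        return bool(values)
    pattern = ".*".join(re.escape(p.lower()) for p in pieces)
    return any(re.fullmatch(pattern, v, re.S) for v in values)


DIRECTORY = [  # constructed sample entries
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "objectclass": ["person"], "uid": ["alice"], "mail": ["alice@example.com"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "objectclass": ["person"], "uid": ["bob"], "mail": ["bob@example.com"]},
    {"dn": "cn=backup-svc,ou=services,dc=example,dc=com",
     "objectclass": ["applicationProcess"], "uid": ["backup-svc"]},
]


def search(filter_text: str, entries=DIRECTORY) -> list:
    node = FilterParser(filter_text).parse()
    return [e["dn"] for e in entries if matches(node, e)]


def unsafe_lookup_filter(login: str) -> str:
    # The bug: user input concatenated straight into the filter.
    return f"(|(uid={login})(mail={login}))"


def safe_lookup_filter(login: str) -> str:
    return f"(|(uid={escape_filter_value(login)})(mail={escape_filter_value(login)}))"


if __name__ == "__main__":
    for login in ["alice", "*", "x)(objectClass=*"]:
        print(f"{login!r:22} unsafe -> {len(search(unsafe_lookup_filter(login)))} entries,"
              f" safe -> {len(search(safe_lookup_filter(login)))} entries")
```

With the login `*`, the unescaped filter becomes `(|(uid=*)(mail=*))` and returns every entry, including the service account; with `x)(objectClass=*`, it becomes `(|(uid=x)(objectClass=*)(mail=x)(objectClass=*))`, which is a well-formed filter that also matches everything. The escaped version turns both into literal values that match nothing.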

AD Integration with LastPass

Active directory integration is an essential process to manage your organization – and doing so is as easy as ever with LastPass. The LastPass AD Connector is a configurable, lightweight client that syncs end-user profiles found in your organization's on-premises AD/LDAP to LastPass. With the LastPass LDAP Directory Connector, you can:

  • Download the sync client, a Windows service, from the Admin Console within your company's LastPass Business or Enterprise account.
  • Connect to your AD environment to support a variety of provisioning and management processes.
  • Input relevant information from your user directory into LastPass and create nested groups to manage group permissions.
  • Sync end-user groups to LastPass for policy designations, Shared Folders, and SAML application assignments with the AD Connector.
  • Provision for cloud-based applications, such as Google's suite, Microsoft tools, and software like Salesforce.com.
  • Use LDAP Directory as an identifier, recognizing end-user status to automate password management oversight for your company.

Contact us today to learn more about how you can leverage the LastPass Active Directory Connector to support your admins and users.

100,000+ businesses rely on LastPass

With over 350 applications for a team of 3500+ employees, our risk of exposure was high and in order to comfortably enable SSO, LastPass was a vital investment as it confirms every access point and login is protected.


Strengthen your Security

Stay in control of employee access and authentication, whether it's from home or the office, with a tool that helps your IT team do more.