Directory Access Protocols

Directory Protocols

Directory protocols are used to store, organize, and manage information about users, devices, and resources in a networked environment. They enable authentication, authorization, and resource lookup across distributed systems.


LDAP (Lightweight Directory Access Protocol)

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is a protocol used to access, manage, and authenticate information stored in directory services over a network. It is widely used for user authentication, single sign-on (SSO), and managing organizational hierarchies.


Key Features of LDAP

  • Hierarchical Directory Structure
      • Uses a tree-like structure to store information.
      • Example: A company directory with users, groups, and devices.

  • Standardized and Platform-Independent
      • Works on Windows, Linux, and macOS.
      • Compatible with Microsoft Active Directory, OpenLDAP, Apache Directory.

  • Efficient Search and Retrieval
      • Supports indexing and filtering for fast lookups.
      • Uses distinguished names (DNs) to uniquely identify objects.

  • Authentication and Access Control
      • Supports user login verification for applications and networks.
      • Uses bind requests for authentication.

  • Encryption Support
      • LDAP (unencrypted, or upgraded in-band with StartTLS): TCP/UDP port 389.
      • LDAPS (secure, over SSL/TLS from the first byte): TCP port 636.

How LDAP Works

  1. Client connects to the LDAP server and sends a bind request (authentication).
  2. LDAP server verifies credentials and grants access.
  3. Client searches or retrieves directory entries (e.g., user data).
  4. LDAP server responds with requested information.

LDAP Directory Structure

LDAP stores data in a tree hierarchy, similar to a file system:

dc=example,dc=com   (Root Domain)
│
├── ou=Users        (Organizational Unit)
│   ├── cn=John Doe (Common Name - User)
│   ├── cn=Jane Doe (Common Name - User)
│
├── ou=Groups       (Organizational Unit)
│   ├── cn=Admins   (Common Name - Group)
│   ├── cn=Developers

  • dc (Domain Component) – Represents the root domain (e.g., example.com).
  • ou (Organizational Unit) – Groups related entries (e.g., Users, Groups).
  • cn (Common Name) – Represents specific users or resources.

Example LDAP Query

To find all users in a company’s directory (no filter is given, so ldapsearch applies its default filter (objectClass=*) and returns every entry under the base):

ldapsearch -x -H ldap://example.com -D "cn=admin,dc=example,dc=com" -W -b "ou=Users,dc=example,dc=com"

  • -x → Use simple (password) authentication instead of SASL.
  • -H ldap://example.com → LDAP server address.
  • -D "cn=admin,dc=example,dc=com" → Bind as admin.
  • -W → Prompt for password.
  • -b "ou=Users,dc=example,dc=com" → Base search location.
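Two things an application that issues LDAP searches on a user's behalf has to get right are illustrated below: escaping user input before it is placed in a search filter (RFC 4515), and splitting a DN into the dc/ou/cn components shown in the tree above. This is an added example, not code from the page; the `uid` attribute and the login-form scenario are assumptions.

```python
import re

# RFC 4515: these characters are special inside a filter value and must be
# written as backslash-hex escapes, otherwise the input changes the meaning
# of the filter (LDAP injection).
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before embedding it in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Filter a hypothetical login form would use to look up one account.

    The 'uid' attribute is an assumption; Active Directory schemas would
    typically use sAMAccountName instead.
    """
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'cn=John Doe,ou=Users,dc=example,dc=com' into (type, value)
    pairs, most specific first. A comma escaped as '\\,' stays in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().lower(), val.replace("\\,", ",").strip()))
    return pairs


def dn_path(dn: str) -> str:
    """Render a DN as the path it occupies in the directory tree above,
    e.g. 'example.com/Users/John Doe'."""
    pairs = parse_dn(dn)
    domain = ".".join(v for t, v in pairs if t == "dc")
    containers = [v for t, v in reversed(pairs) if t != "dc"]
    return "/".join([domain] + containers)
```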

Active Directory (AD)

What is Active Directory?

Active Directory (AD) is Microsoft’s directory service used to manage users, devices, applications, and security policies in a Windows network environment. It is built on LDAP (Lightweight Directory Access Protocol) and Kerberos authentication to provide centralized identity and access management.


Key Features of Active Directory

  • Centralized User and Resource Management
      • Stores user accounts, groups, computers, and permissions in a hierarchical structure.

  • Authentication and Authorization
      • Uses Kerberos and NTLM for secure user authentication.
      • Supports Single Sign-On (SSO) across the network.

  • Group Policies (GPOs)
      • Administrators can enforce security settings, software installations, and network configurations across all users and devices.

  • Replication and Redundancy
      • Multiple Domain Controllers (DCs) synchronize data for fault tolerance and load balancing.

  • Integration with Other Services
      • Works with Microsoft Exchange, SharePoint, Azure AD, and third-party applications.

Active Directory Components

| Component | Description |
|---|---|
| Domain | A logical grouping of users, computers, and resources under a common security policy (e.g., example.com). |
| Domain Controller (DC) | A server that stores and manages the AD database. Handles authentication and directory lookups. |
| Organizational Unit (OU) | A container used to organize users, groups, and devices within a domain. |
| Forest | A collection of domains sharing a common schema and trust relationships. |
| Tree | A hierarchical structure of multiple domains under a single namespace. |
| Global Catalog (GC) | A partial, read-only copy of AD objects used for faster searches across domains. |

Active Directory Structure

example.com (Domain)
│
├── Users (OU)
│   ├── John Doe (User)
│   ├── Jane Smith (User)
│
├── Computers (OU)
│   ├── PC-001 (Workstation)
│   ├── Laptop-002
│
├── Groups (OU)
│   ├── Administrators (Group)
│   ├── Developers

Ports Used by Active Directory

| Service | Port |
|---|---|
| LDAP | TCP/UDP 389 |
| LDAPS (Secure LDAP) | TCP 636 |
| Kerberos Authentication | TCP/UDP 88 |
| Global Catalog | TCP 3268 (unencrypted), 3269 (SSL) |

Active Directory vs. LDAP

| Feature | Active Directory (AD) | LDAP |
|---|---|---|
| Type | Directory Service | Protocol |
| Authentication | Uses Kerberos & NTLM | Uses Simple Bind & SASL |
| Platform | Windows-based | Cross-platform (Windows, Linux, macOS) |
| Integration | Works with Windows services like Exchange, Azure AD | Works with multiple directory services (OpenLDAP, Apache Directory) |

Active Directory is a full-fledged directory service that uses LDAP as a communication protocol but adds security policies, authentication mechanisms, and group management features, making it the backbone of enterprise Windows networks.


X.500 Directory Protocol

What is X.500?

X.500 is a directory services standard developed by the International Telecommunication Union (ITU-T) for storing and managing hierarchical directory information. It is the foundation on which modern directory protocols and services such as LDAP (Lightweight Directory Access Protocol) and Active Directory were built.


Key Features of X.500

  • Hierarchical Directory Structure
      • Organizes data in a tree-like structure, known as the Directory Information Tree (DIT).
      • Uses Distinguished Names (DNs) to uniquely identify directory entries.

  • Object-Oriented Data Model
      • Directory objects follow a strict schema, defining attributes and relationships.
      • Supports Person, Organization, Device, and Application objects.

  • Distributed Architecture
      • Allows multiple directory servers to store and manage data across a network.
      • Uses referrals to redirect requests to the correct server.

  • Strong Authentication & Access Control
      • Supports X.509 certificates for secure authentication.
      • Implements Access Control Lists (ACLs) to define permissions.

Core Components of X.500

| Component | Description |
|---|---|
| Directory Information Tree (DIT) | Hierarchical structure organizing directory data. |
| Directory Information Base (DIB) | The actual database storing directory objects. |
| Distinguished Name (DN) | Unique identifier for directory entries (e.g., CN=John Doe,OU=HR,O=Company,C=US). |
| Directory Access Protocol (DAP) | The original protocol for accessing X.500 directories (later replaced by LDAP). |
| Directory System Agent (DSA) | A server that stores and manages directory data. |
| Directory User Agent (DUA) | A client application that queries or updates directory data. |

X.500 vs. LDAP

| Feature | X.500 | LDAP |
|---|---|---|
| Protocol | DAP (OSI-based) | LDAP (TCP/IP-based) |
| Complexity | Heavy and complex | Lightweight and simplified |
| Authentication | X.509 certificates | Username/password, Kerberos, TLS |
| Performance | Slow due to OSI layers | Fast and widely used |
| Use Case | Telecom and government directories | Enterprise directory services (e.g., Active Directory, OpenLDAP) |

Where is X.500 Used?

  • Government & Military Networks for secure identity management.
  • Telecommunications & ISP Directories for network-wide user authentication.
  • Enterprise Identity Management in large organizations requiring strict directory hierarchy.

Key Takeaway:

X.500 laid the foundation for modern directory services like LDAP and Active Directory but is rarely used directly today due to its complexity and OSI-layer dependency. Instead, LDAP emerged as the dominant, lightweight alternative for directory access.


X.509 Certificate Standard

What is X.509?

X.509 is a public key infrastructure (PKI) standard for digital certificates used in authentication, encryption, and secure communications. It defines the format of SSL/TLS certificates, which are used in HTTPS, VPNs, email security, and digital signatures.


Key Features of X.509

  • Digital Certificates
      • Binds a public key to an entity (person, organization, or device).
      • Used for SSL/TLS encryption, email security, and digital signatures.

  • Certificate Authorities (CAs)
      • Trusted organizations issue and verify certificates.
      • Examples: DigiCert, GlobalSign, Let's Encrypt.

  • Public Key Infrastructure (PKI)
      • Uses asymmetric encryption (public/private key pairs).
      • Supports RSA, ECC, and DSA algorithms.

  • Certificate Chain & Trust Model
      • Root CA → Intermediate CA → End-User Certificate.
      • Ensures certificates are trusted through a chain of verification.

X.509 Certificate Structure

| Field | Description |
|---|---|
| Version | Specifies the X.509 version (v1, v2, or v3). |
| Serial Number | Unique ID for the certificate. |
| Issuer | The Certificate Authority (CA) that issued it. |
| Subject | The entity that owns the certificate (e.g., website, user). |
| Public Key | The key used for encryption and verification. |
| Validity Period | Defines the start and expiration date. |
| Signature Algorithm | The cryptographic algorithm used for signing. |
| Extensions (v3 only) | Extra fields like SAN (Subject Alternative Name) for multiple domains. |

Common Uses of X.509 Certificates

| Use Case | Example |
|---|---|
| Website Security (SSL/TLS) | HTTPS encryption (e.g., https://example.com). |
| Email Security (S/MIME) | Encrypts and signs emails. |
| VPN Authentication | Secures VPN connections with certificate-based authentication. |
| Code Signing | Ensures software authenticity (e.g., signed applications). |
| Smart Cards & ID Authentication | Used in government and enterprise security systems. |

X.509 Certificate Types

| Type | Purpose |
|---|---|
| Domain Validation (DV) | Basic SSL/TLS for websites (no company verification). |
| Organization Validation (OV) | Verifies business identity, used for corporate sites. |
| Extended Validation (EV) | Highest level of trust (browser green bar, legal verification). |
| Wildcard Certificate | Covers a domain and all subdomains (*.example.com). |
| SAN (Subject Alternative Name) Certificate | Supports multiple domains in one certificate. |

X.509 in Action: HTTPS Example

  1. User visits https://example.com.
  2. The web server sends its X.509 SSL certificate.
  3. The browser verifies the certificate against a trusted CA list.
  4. If valid, a secure TLS session is established using the public key.
  5. Encrypted communication begins between the browser and server.
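Step 3 above hides several independent checks. Two of them, the validity period from the certificate structure table and the hostname match against the SAN extension (including the one-label wildcard rule that makes `*.example.com` cover `www.example.com` but not `example.com` or `a.b.example.com`), are worked through below on constructed certificate fields. This is an added example, not code from the page; the `CertFields` container and the sample certificate are constructed for illustration, and the chain-of-trust and signature checks are not covered.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CertFields:
    """The subset of parsed X.509 fields needed here (constructed, not a parser)."""
    subject_alt_names: list[str]   # dNSName entries from the SAN extension (v3)
    not_before: datetime           # start of the validity period
    not_after: datetime            # end of the validity period


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against the requested hostname, case-insensitively.

    A wildcard is accepted only as the entire leftmost label and stands for
    exactly one label; a pattern like '*.com' (fewer than three labels) is
    refused so a wildcard cannot cover a whole top-level domain.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert: CertFields, hostname: str, now: datetime) -> list[str]:
    """Return the list of failures; an empty list means both checks passed."""
    errors = []
    if now < cert.not_before:
        errors.append("certificate not yet valid")
    if now > cert.not_after:
        errors.append("certificate expired")
    if not any(hostname_matches(san, hostname) for san in cert.subject_alt_names):
        errors.append(f"hostname {hostname} not covered by SAN {cert.subject_alt_names}")
    return errors


# Constructed sample: a wildcard certificate that also lists the bare domain,
# as issued for the https://example.com scenario above.
SAMPLE_CERT = CertFields(
    subject_alt_names=["example.com", "*.example.com"],
    not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
)
# Two constructed clock values: inside and after the validity period.
NOW_VALID = datetime(2024, 6, 1, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2025, 3, 1, tzinfo=timezone.utc)
```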

Key Takeaway:

X.509 is the foundation of digital certificates and PKI, securing the web, email, VPNs, and authentication systems. It ensures trust and encryption across the internet.


Honorable Mentions


1 DAP (Directory Access Protocol)

  • The original directory access protocol from X.500 standard.
  • More complex than LDAP and rarely used today.
  • Uses OSI protocols instead of TCP/IP.

2 NIS (Network Information Service)

  • Developed by Sun Microsystems for managing user accounts, hostnames, and network services in Unix environments.
  • Replaced by LDAP-based solutions due to security concerns.
  • Uses UDP/TCP port 111 (RPC-based communication).

3 DNS (Domain Name System) as a Directory Protocol

  • Primarily used for resolving domain names to IP addresses, but also stores mail server records (MX), service discovery (SRV), and text records (TXT).
  • Uses UDP/TCP port 53.