How LDAP works
LDAP is a client-server protocol for reading and writing entries in a directory tree. Every entry has a distinguished name (DN) that encodes its place in the hierarchy, for example uid=jsmith,ou=people,dc=example,dc=com, plus attributes defined by a schema. Clients issue a small set of operations: bind to authenticate, search with filters like ([email protected]), and add, modify, or delete entries.
Authentication with LDAP usually takes one of two shapes. In a simple bind, the application sends the user's DN and password and the directory verifies them. In the search-then-bind pattern, the application first searches for the user's entry by username or email using a service account, then binds as the found DN with the supplied password. Traffic runs on port 389, or 636 for LDAPS; production deployments should always encrypt with TLS, since a plain bind transmits the password in clear text.
Why LDAP matters
LDAP is the lingua franca of enterprise infrastructure. Linux servers using PAM and SSSD, network appliances, Jenkins and other CI tools, VPN concentrators, databases, and thousands of business applications all authenticate users by speaking LDAP to a directory. It long predates SAML and OpenID Connect, and much of the software that depends on it will never be rewritten.
That ubiquity is both its strength and its risk. LDAP-based authentication is typically just a password check: no MFA, no device or risk signals, no phishing resistance. Directories reachable over unencrypted LDAP, over-privileged service accounts used for searches, and injection through unsanitized filter input are recurring findings. Any modern identity strategy has to answer the question of what to do with the LDAP-only estate.
LDAP in practice
The pragmatic path is to keep LDAP where it is needed but move its trust anchor. Enforce LDAPS everywhere, give search service accounts read-only access to the narrowest subtree possible, and inventory which systems still authenticate over LDAP so they are visible in risk assessments.
For modernization, an LDAP gateway lets legacy systems keep speaking the protocol they know while authentication decisions move to a central identity platform with MFA and adaptive policy behind the scenes. Monosign includes such an LDAP gateway, which lets Linux PAM/SSSD hosts, Jenkins, and NAS appliances authenticate against the platform without any changes on the client side.