LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection-oriented transfer services. LDAP is an IETF Standards Track protocol and is specified in “Lightweight Directory Access Protocol (LDAP) Technical Specification Road Map” RFC4510.

The LDAP information model is based on entries. An entry is a collection of attributes that has a globally-unique Distinguished Name (DN). The DN is used to refer to the entry unambiguously. Each of the entry’s attributes has a type and one or more values. The types are typically mnemonic strings, like “cn” for common name, or “mail” for email address. The syntax of values depends on the attribute type. For example, a cn attribute might contain the value “John Smith”. A mail attribute might contain the value “jsmith@example.com”.

In LDAP, directory entries are arranged in a hierarchical tree-like structure. Traditionally, this structure reflected the geographic and/or organizational boundaries. Entries representing countries appear at the top of the tree. Below them are entries representing states and national organizations. Below them might be entries representing organizational units, people, printers, documents, or just about anything else you can think of.

In addition, LDAP allows you to control which attributes are required and allowed in an entry through the use of a special attribute called objectClass. The values of the objectClass attribute determine the schema rules the entry must obey. An entry is referenced by its distinguished name, which is constructed by taking the name of the entry itself (called the Relative Distinguished Name or RDN) and concatenating the names of its ancestor entries. For example, the entry for John Smith in the Internet naming example above has an RDN of uid=jsmith and a DN of uid=jsmith,ou=People,dc=example,dc=com. The full DN format is described in RFC4514, “LDAP: String Representation of Distinguished Names.”
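The DN construction described above can be sketched as follows. This is an added example, not code from the original page; the function names are hypothetical, and the escaping follows the RFC4514 string representation so that a value containing a comma cannot be read as an extra RDN.

```python
from __future__ import annotations

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514).
SPECIAL = set('"+,;<>\\')

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN string."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                      # NUL is always hex-escaped
        elif ch in SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)                   # leading space or '#'
        elif i == len(value) - 1 and ch == " ":
            out.append("\\ ")                       # trailing space
        else:
            out.append(ch)
    return "".join(out)

def build_dn(attr: str, value: str, parent_dn: str) -> str:
    """DN = the entry's own RDN followed by the DN of its parent entry."""
    rdn = f"{attr}={escape_rdn_value(value)}"
    return f"{rdn},{parent_dn}" if parent_dn else rdn

def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings at unescaped commas only."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])             # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current))
    return parts

if __name__ == "__main__":
    print(build_dn("uid", "jsmith", "ou=People,dc=example,dc=com"))
    # Constructed value with a comma: it stays a single RDN after escaping.
    print(split_dn(build_dn("cn", "Smith, John", "ou=People,dc=example,dc=com")))
```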

LDAP defines operations for interrogating and updating the directory. Operations are provided for adding and deleting an entry from the directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory to be searched for entries that match some criteria specified by a search filter. Information can be requested from each entry that matches the criteria.

For example, you might want to search the entire directory subtree at and below dc=example,dc=com for people with the name John Smith, retrieving the email address of each entry found. LDAP lets you do this easily. Or you might want to search the entries directly below the st=California,c=US entry for organizations with the string Acme in their name, and that have a fax number. LDAP lets you do this too.
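The two searches described above, modelled over a small in-memory directory. This is an added example, not code from the original page and not a real LDAP client: the sample entries are constructed, the function names are hypothetical, and filters are written as tuples rather than parsed from filter strings. It shows how base, scope, filter and the requested attribute list together bound what a search returns.

```python
# Constructed sample directory, keyed by DN (assumes no escaped commas in DNs).
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=People,dc=example,dc=com": {"ou": ["People"]},
    "uid=jsmith,ou=People,dc=example,dc=com": {
        "cn": ["John Smith"], "mail": ["jsmith@example.com"]},
    "uid=jdoe,ou=People,dc=example,dc=com": {
        "cn": ["Jane Doe"], "mail": ["jdoe@example.com"]},
    "st=California,c=US": {"st": ["California"]},
    "o=Acme Tools,st=California,c=US": {
        "o": ["Acme Tools"], "facsimileTelephoneNumber": ["+1 555 0100"]},
    "o=Acme Labs,st=California,c=US": {"o": ["Acme Labs"]},  # no fax number
    "ou=Sales,o=Acme Tools,st=California,c=US": {  # two levels below the base
        "o": ["Acme Tools"], "facsimileTelephoneNumber": ["+1 555 0101"]},
}

def in_scope(dn, base, scope):
    """scope is 'base' (the entry itself), 'one' (direct children) or 'sub' (subtree)."""
    rdns, base_rdns = dn.lower().split(","), base.lower().split(",")
    depth = len(rdns) - len(base_rdns)
    if depth < 0 or rdns[depth:] != base_rdns:
        return False
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def matches(entry, flt):
    """Filter tree: ('and', f1, f2, ...), ('eq' | 'substr', attr, value), ('present', attr)."""
    op = flt[0]
    if op == "and":
        return all(matches(entry, f) for f in flt[1:])
    values = [v.lower() for v in entry.get(flt[1], [])]  # case-insensitive match
    if op == "present":
        return bool(values)
    if op == "eq":
        return flt[2].lower() in values
    if op == "substr":
        return any(flt[2].lower() in v for v in values)
    raise ValueError(f"unsupported filter operator: {op}")

def search(base, scope, flt, attrs):
    """Return (dn, requested attributes) for each in-scope entry matching the filter."""
    hits = [(dn, {a: e[a] for a in attrs if a in e})
            for dn, e in DIRECTORY.items()
            if in_scope(dn, base, scope) and matches(e, flt)]
    return sorted(hits, key=lambda hit: hit[0])

if __name__ == "__main__":
    print(search("dc=example,dc=com", "sub", ("eq", "cn", "John Smith"), ["mail"]))
    acme_fax = ("and", ("substr", "o", "Acme"), ("present", "facsimileTelephoneNumber"))
    print(search("st=California,c=US", "one", acme_fax, ["o"]))
```

The one-level search returns only `o=Acme Tools,st=California,c=US`: the Sales entry also matches the filter but sits two levels below the base, so the scope excludes it.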

Some directory services provide no protection, allowing anyone to see the information. LDAP provides a mechanism for a client to authenticate, or prove its identity to a directory server, paving the way for rich access control to protect the information the server contains. LDAP also supports data security (integrity and confidentiality) services.






LDAP (Lightweight Directory Access Protocol) is a protocol for accessing directory services in order to retrieve data, while Active Directory is Microsoft’s implementation of a directory service. Therefore, you need to conform to LDAP so that Active Directory can understand and respond to your request. The two are not mutually exclusive, though, and there are other options that you can use. Other directory services exist aside from Active Directory, some of which are free, like OpenLDAP. Microsoft has also developed Active Directory to go beyond LDAP and use other protocols like Kerberos.

LDAP is the product of the cooperation between telecommunications companies to create a protocol for pulling data from a server across TCP/IP. This was originally made in the 1980s and has been refined since then. Active Directory is a product from Microsoft that has been developed based largely on LDAP to ensure that it conforms and works flawlessly with LDAP. It was initially meant to provide data via LDAP but has grown to include other services as stated above.

Because LDAP is not tied to a single company, it is usable in practically any operating system, as long as you also have a directory service that is capable of running in that operating system. The Microsoft-owned Active Directory, on the other hand, is usually found in the Windows operating system, which is also owned by Microsoft. Despite the prominence of Windows as an operating system, that prominence doesn’t directly translate to the use of Active Directory, as there are a lot of other options that the consumer can choose from.


To conclude, Active Directory is just one product that can provide services that use LDAP. LDAP, on the other hand, is a protocol and is therefore more widespread than Active Directory. Regardless of whether you are using Active Directory, OpenLDAP, or any of the directory service offerings of other companies, you would still probably be using LDAP.