What is LDAP authentication?

Lightweight Directory Access Protocol (LDAP) is a core authentication protocol designed for directory services. Traditionally, LDAP has served as a database for storing information involving user identities like:

• Users
• User attributes
• Group membership privileges and more.

LDAP continues to play a key role in identity and access management (IAM). Modern security enhancements ensure that data is encrypted during transit, and insecure authentication methods vulnerable to interception are blocked.

Active Directory Federation Services

Active Directory Federation Services (AD FS) provide single sign-on capabilities to organizations that are utilizing AD Directory Services (AD DS). It allows those with an Active Directory account to use that account on applications that are outside the boundaries of their Active Directory or applications that don’t rely on Active Directory accounts for authentication at all like DDI Central.

By creating a federation (the sharing of identity information), the user can be authenticated via his company’s Active Directory and can then be authenticated to DDI Central with a claim. All a DDI Central admin has to do is configure DDI Central to trust the incoming claims.

During an LDAP authentication process, the credentials the user enters via DDI Central, are compared to those entries stored within the LDAP directory database. If they match, the user is authenticated and granted access to DDI Central.

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) is a LDAP–based directory service similar to AD DS.

It’s designed to be used with directory-enabled applications, and it’s especially handy for an organization that may want to establish a directory of user accounts, but keep that directory separate from the organization’s AD DS infrastructure. It can be used as an identity provider with AD FS for both authentication and the generation of claims to web applications like DDI Central that can be configured to understand federation by following the steps below.

Configuring LDAP and LDAPS in DDI Central

Get into the Settings module and select the Auth menu. On the Auth page, navigate to the LDAP tab and click the Configure LDAP button.

On the Configure LDAP window that appears, Follow the steps below for setting up LDAP (Lightweight Directory Access Protocol) within DDI Central.

On the Configure LDAP window that appears, Follow the steps below for setting up LDAP (Lightweight Directory Access Protocol) within DDI Central.

1. SERVER: Enter the hostname or IP address of the LDAP server that the application will connect to for authentication purposes.
2. PROTOCOL: Select the protocol used for the LDAP connection. In this case, LDAP is selected, which indicates that the connection will not be encrypted unless LDAPS (LDAP over SSL) is chosen.
3. PORT: Specify the port number that DDI Central uses to connect to the LDAP server. The default port for LDAP port is 389 and LDAPS is 636, depending on your setup.
4. DOMAIN NAME: Enter the Active Directory domain name associated with the LDAP server. This domain is typically the directory in which user accounts and resources are organized.
5. AUTH TYPE: Select the authentication method that will be used when connecting to the LDAP server based on the security requirements of your network infrastructure. In the dropdown, you can see two options:
• SIMPLE: This is the most basic authentication method, which typically involves straightforward credentials like username and password in plaintext without additional security layers.
  Note: On choosing Simple as the authentication method, make sure to enter the username in the following format: username@domainname
• NTLM: NTLM (NT LAN Manager) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. It is more secure than SIMPLE as it involves hashing and challenge-response mechanisms.
  Note: On choosing NTLM as the authentication method, make sure to enter the username in the following format: domainname//username
6. ENABLE: Use this toggle switch to enable or disable LDAP authentication for the DDI Central application. When enabled, DDI Central will attempt to authenticate users via the LDAP server configured in the above fields.
   Note: This is a mandatory setting that needs to be enabled for LDAP authentication to function.

   Click Save to activate the LDAP configuration settings after all required fields have been filled in.

   These configurations enable DDI Central to authenticate users against the specified LDAP server with the chosen level of security, making it effortless for you to use centralized directory services like Active Directory Federation Services (AD FS) for your distributed Microsoft network infrastructure.

   Info: You can also add an extra layer of security to user accounts by coupling LDAP credentials with with time-sensitive codes from any TOTP-enabled authenticators.