The Lightweight Directory Access Protocol (LDAP) is an internet standard that provides for communication with an LDAP information directory. It runs directly over the transmission control protocol/internet protocol (TCP/IP) and is used to access a standalone directory or a directory service in compliance with the X.500 Directory Access Protocol (DAP) standard. Because of its standardization, the LDAP directory can be accessed across many different platforms as long as the LDAP protocol is used for communicating with the server hosting the LDAP directory.
In some implementations, these LDAP directories are configured to support heavy read access. LDAP directories are therefore well suited to storing information such as: contact information for employees within a company; an employee organizational chart; personal information for employees within a company; business contact information for a company; and any other information relating to individuals and organizations.
LDAP is based on a client-server model, wherein the LDAP protocol defines operations used to search and update information within the LDAP directory. For example, a client may access the LDAP directory to perform, in part, searching, creating, updating, deleting, and renaming operations.
Access to the LDAP directory is through an established connection between the client and the LDAP directory. Before any connection is made, LDAP provides an authentication mechanism for controlling access to the LDAP directory. During the authentication process, the client submits a distinguished name and password so that the LDAP server can determine whether that client has the proper permissions for accessing the LDAP directory. If the user associated with the distinguished name does not have the proper permissions, access to the LDAP directory is denied and the LDAP server will not execute the requested operation. On the other hand, if the user does have the proper permissions, the user is granted access to the LDAP directory and the operation is executed.
The authentication process provided under LDAP may in some cases be insufficient to protect client information. In those cases, a stronger authentication method may be necessary to further control access to the LDAP directory. For instance, strong authentication may encompass two-factor or multi-factor authentication, wherein two or more security categories or methods are used to authenticate the user.
However, LDAP does not natively support strong authentication beyond Secure Sockets Layer (SSL), which can be used preliminarily to secure communications before and during the authentication process. That is, LDAP and the LDAP server are typically configured to provide single-factor authentication, in which the username is matched against a static password. This is unsatisfactory in many situations where additional protection of information is needed before access to that information is granted.
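As an added example (not part of the original text), the following Python encodes and decodes the LDAPv3 simple bind described above using the BER layout from RFC 4511; the distinguished name and password are constructed sample values. Decoding the frame shows that the distinguished name and static password travel in the clear, which is why SSL/TLS must already be in place before the bind is sent.

```python
"""Minimal BER encoder/decoder for the LDAPv3 simple BindRequest (RFC 4511).
Added example, not from the original text; the DN and password are constructed."""
from typing import Tuple


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER (tag 0x02), two's-complement, minimal length."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60,                                  # [APPLICATION 0] constructed
               ber_int(3)                             # LDAPv3
               + tlv(0x04, dn.encode())               # LDAPDN carried as OCTET STRING
               + tlv(0x80, password.encode()))        # AuthenticationChoice.simple [0]
    return tlv(0x30, ber_int(message_id) + bind)      # outer LDAPMessage SEQUENCE


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(frame: bytes) -> dict:
    """Decode a simple BindRequest: DN and password are recoverable from the raw bytes."""
    tag, msg, _ = _read_tlv(frame, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not simple authentication (SASL bind)")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big"), "dn": dn.decode(), "password": auth.decode()}
```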