Various protocols such as LDAP (Lightweight Directory Access Protocol) are utilized to access directory information. LDAP is commonly used as an authentication and authorization service to access public data and private data. In general, data access controls are determined by an identity of a user that is attempting to access an LDAP service. Public data can be accessed and searched by anyone via an “anonymous” LDAP BIND, whereas private data can only be accessed if the user is authenticated. More specifically, in an LDAP system, an authentication process to verify a user's identity is performed via a “user” LDAP BIND process, whereby the user transmits credentials that are used to identify the user. A user's credentials typically include a user ID and password. During the LDAP BIND process, the user specifies a unique object within the LDAP database known as a “distinguished name” to “bind” to. Once the user has been authenticated via the LDAP BIND process with a distinguished name, this is the identity that LDAP uses to determine data access controls.
More specifically, to authenticate a user via LDAP, a first step involves finding a user object that represents the user within an LDAP database. An anonymous LDAP BIND is performed, followed by an LDAP SEARCH to find any user object with a matching ID attribute to that of the user's ID. If the user object is found, the distinguished name that is returned is used in the subsequent LDAP BIND to verify the user's password credentials. Once the user's credentials have been verified, the user's private LDAP object is available for inspection. The LDAP metadata of the user can then be utilized to make various authorization-type decisions such as whether the user is active or a member of a valid group, etc. A drawback of LDAP is that the LDAP service draws on relatively static data stored in its native database, whereby the user information can be out of date.