What is LDAP?
LDAP stands for Lightweight Directory Access Protocol and is an open standard protocol that allows clients to access information in a directory service, such as user accounts, devices, permissions and groups.
LDAP is widely used by systems such as Active Directory, Entra ID, RADIUS and other directory servers to provide authentication and authorisation β including within OT environments.
π§ How does LDAP work?
- An LDAP client (such as an application or network device) connects to an LDAP server (such as Active Directory)
- The client sends a query, for example: βWhat password belongs to user
jansen?β - The server searches the hierarchical directory and returns a response
- LDAP structures are organised hierarchically:
- DN (Distinguished Name):
cn=Jansen,ou=OT,dc=company,dc=local - Objects: users, computers, groups, policies
- LDAP runs by default on:
- Port 389 (LDAP)
- Port 636 (LDAPS β encrypted via TLS)
LDAP follows a client-server model and supports binding, authentication and queries against large directory structures.
π Use of LDAP in OT networks
- Authenticating users on SCADA, HMI, Historian and Engineering Stations via LDAP
- Linking RADIUS servers to Active Directory for centralised login
- Querying user groups in RBAC systems for access control
- Used in older systems that do not support SAML, OIDC or OAuth2
- Synchronising users between IT and OT directory services
LDAP is lightweight and broadly supported, making it ideal for compatibility with industrial software.
π LDAP vs. Active Directory
| Aspect | LDAP | Active Directory |
|---|---|---|
| What is it? | Protocol for directory access | Microsoftβs full directory service |
| Developer | IETF (open standard) | Microsoft |
| Functionality | Only directory access/queries | + Group Policy, Kerberos, DNS integration |
| Use in OT | Broadly applicable in apps with simple login | For domain-joined workstations and GPOs |
π Security considerations
- Use LDAPS (port 636) rather than plain LDAP to encrypt credentials
- Restrict LDAP access to trusted applications via Firewall or ACL
- Implement strong passwords and MFA via the linked identity systems
- Monitor LDAP queries via SIEM or directory logs
- Combine LDAP with RBAC to centrally manage roles and groups
Unencrypted LDAP is vulnerable to credential sniffing and should always be replaced with LDAPS.
π In summary
LDAP is a lightweight and powerful protocol for directory access, widely used in hybrid IT/OT environments for authentication and access management. Combined with Active Directory or other directory services, LDAP forms a reliable foundation for user management in industrial networks.