What is LDAP: Is it still relevant in 2026?

LDAP (Lightweight Directory Access Protocol) is a client-server protocol for reading and writing directory services over a network. Defined in RFC 4511, it gives applications a standard way to query a directory — asking questions like "does this user exist?", "what groups do they belong to?", and "what resources can they access?"

Despite being first standardized in the early 1990s, LDAP remains the backbone of enterprise identity infrastructure in 2026. Active Directory, which runs on LDAP, is still deployed at approximately 90% of organizations worldwide.

Key takeaways

LDAP is a protocol. It defines how applications query a directory — user accounts, group memberships, access rights. Active Directory implements it, but LDAP runs independently on OpenLDAP and other servers without any Microsoft software.
AD cannot function without LDAP. Every non-Windows system that authenticates against Active Directory does so over LDAP. Remove it, and AD loses the ability to serve third-party applications, network devices, and Linux infrastructure.
Port 389 is not acceptable in production. Standard LDAP transmits credentials in plaintext. LDAPS on port 636 encrypts the entire session. Microsoft has been enforcing signing and channel binding requirements since 2020.
Two critical vulnerabilities were patched in 2025. CVE-2025-26663 allows unauthenticated remote code execution on domain controllers via a memory flaw in the Windows LDAP service. CVE-2025-54918 bypasses channel binding and signing protections through NTLM relay. Both have patches — unpatched domain controllers are the highest-priority remediation item.
LDAP and modern protocols are not alternatives. SAML handles browser-based SSO. OAuth handles API authorization. LDAP handles directory lookups for systems that speak neither. Most enterprise environments run all three simultaneously.
Manual access management creates gaps. When AD group changes don't propagate automatically to dependent systems, accounts stay active longer than they should. Synchronizing credential access to directory group membership eliminates that lag.

Understanding LDAP: The basics

LDAP is a standard protocol for accessing and managing distributed directory information services. It operates on a hierarchical data model derived from the X.500 standard and allows clients to authenticate users, look up attributes, and retrieve group memberships from a central directory. Organizations use it to answer one fundamental question at scale: who is allowed to do what, and where?

The data LDAP organizes sits in a Directory Information Tree (DIT) — a hierarchical structure of entries, each identified by a Distinguished Name (DN). A typical DN looks like this:

Copycn=jane.doe,ou=engineering,dc=company,dc=com

Each entry holds attributes: a user entry might contain mail, uid, memberOf, and userPassword. Applications query these attributes to make authentication and authorization decisions.

How does LDAP work? (client-server model)

An LDAP client sends a request to an LDAP server (called a Directory System Agent, or DSA). The server processes the operation against its directory database and returns a response. Core operations defined in RFC 4511 include:

Bind — authenticate a client to the directory
Search — query entries matching a filter
Compare — check whether an entry has a specific attribute value
Modify / Add / Delete — write operations on directory entries
Unbind — terminate the session

The bind operation is where authentication happens. A client sends a DN and credentials. The server validates them and either grants or denies the session. Most enterprise applications use LDAP bind to verify user identity before granting access.

LDAP port 389 vs. LDAPS port 636

Standard LDAP runs on TCP port 389 and transmits data in plaintext. That means credentials, including passwords, travel across the network unencrypted. In any environment where network traffic could be intercepted (which is every environment) this is unacceptable.

LDAPS (LDAP over SSL/TLS) runs on TCP port 636 and wraps the entire LDAP session in TLS, encrypting all traffic including bind credentials. A third option, StartTLS, upgrades an existing port 389 connection to TLS mid-session, but it introduces negotiation complexity and is more error-prone to configure correctly.

	LDAP (port 389)	LDAPS (port 636)
Transport	Plaintext TCP	TLS-encrypted TCP
Credentials in transit	Exposed	Encrypted
Certificate required	No	Yes
Susceptible to MITM	Yes	No (with valid cert)
NTLM relay risk	High	Reduced (with channel binding)
Microsoft enforcement	Deprecated for production	Required (ADV190023)
Use in production	No	Yes
StartTLS alternative	Port 389 + STARTTLS upgrade	N/A

Microsoft has been progressively mandating LDAP channel binding and LDAP signing since 2020, with enforcement tightened in subsequent Windows Server updates. Running unencrypted LDAP on port 389 in production is a security gap. Port 636 is the correct default.

What is TCP port 389?

TCP Port 389 — the standard unencrypted port used for LDAP (Lightweight Directory Access Protocol) communications. It enables directory services to query and manage user information, authentication credentials, and organizational data on LDAP servers without encryption. Commonly used in enterprise environments for directory lookups, but transmits data in plaintext, making it less secure than encrypted alternatives.

What is TCP port 636?

TCP Port 636 — the standard port for LDAPS (LDAP over SSL/TLS), which is LDAP communication encrypted with SSL/TLS security protocols. It provides secure, encrypted connections for directory service queries and authentication, protecting sensitive data from interception. This port is preferred over port 389 in security-conscious environments and is commonly used in enterprise directory services like Active Directory.

What is SSL/TLS?

SSL/TLS (Secure Sockets Layer / Transport Layer Security) — cryptographic protocols that establish secure, encrypted connections between clients and servers over networks. SSL is the older protocol (now deprecated), while TLS is its modern successor. They provide authentication, encryption, and data integrity for sensitive communications like HTTPS, email, and directory services. TLS uses digital certificates to verify server identity and encrypts all transmitted data to prevent eavesdropping.

What is StartTLS?

StartTLS — a protocol extension that upgrades an existing unencrypted connection to an encrypted one using TLS encryption. Instead of requiring a separate secure port, StartTLS allows a client to connect on a standard port (like LDAP port 389 or SMTP port 25) and then issue a STARTTLS command to upgrade the connection to encryption. This provides flexibility by supporting both encrypted and unencrypted modes on the same port, though it requires server support and is less secure than dedicated encrypted ports like LDAPS (port 636).

LDAP vs. Active Directory: What's the difference?

Active Directory (AD) is not a replacement for LDAP — it is a directory service that uses LDAP as one of its access protocols. Conflating the two is one of the most common misconceptions in enterprise IT. The dependency only runs one way: LDAP stands alone, AD does not.

Can you run LDAP without AD?

Yes. LDAP is a protocol — it defines how a client asks a directory server for information and how that server responds. You can deploy it independently of any Microsoft software.

OpenLDAP is the most widely used open-source implementation. 389 Directory Server and Apache Directory Server are common alternatives. These standalone servers store user identities and group memberships and serve them to Linux/Unix systems, mail servers, and custom applications.

Can you run AD without LDAP?

No. Active Directory is a full directory service built by Microsoft on top of the X.500 data model. Domain controllers use LDAP internally to read, write, and replicate directory data: users, computers, group policies. Any third-party application or non-Windows machine that authenticates against AD does so by speaking LDAP to it.

Remove LDAP, and AD cannot communicate with the rest of your infrastructure.

How they relate in practice

Type	LDAP	Active Directory
Type	Open protocol (RFC 4511)	Proprietary directory service
Vendor	IETF standard	Microsoft
Primary auth method	Simple bind, SASL	Kerberos (Windows), LDAP bind (everything else)
Platform	Cross-platform	Windows Server
Runs independently	Yes	No — requires LDAP
Common implementations	OpenLDAP, 389 Directory Server, Apache DS	Active Directory Domain Services

When a Linux server authenticates against Active Directory, it speaks LDAP. When a Windows workstation logs in, it uses Kerberos. AD supports both — but LDAP is what makes AD accessible to the rest of your infrastructure.

Modern alternatives: LDAP vs. SAML, OAuth, and OpenID Connect

LDAP was designed for internal network authentication — querying a directory inside a corporate perimeter. The protocols that followed it were designed for a different world: federated identity across organizational boundaries, web applications, and mobile clients.

Protocol	Primary use case	Transport	Credential exposure
LDAP	Internal directory queries	TCP (port 389/636)	Credentials sent to server
SAML	Federated SSO (enterprise web apps)	HTTP/XML	Credentials stay at IdP
OAuth 2.0	Delegated authorization (API access)	HTTPS	No credentials exchanged
OpenID Connect	Federated authentication on top of OAuth	HTTPS	No credentials exchanged

These protocols do not replace LDAP — they operate at a different layer. SAML and OpenID Connect handle browser-based SSO. LDAP handles directory lookups and application authentication for systems that cannot speak SAML. Most enterprise environments run all of them simultaneously.

Is LDAP still relevant in 2026? (the hybrid cloud reality)

LDAP is still the dominant enterprise authentication protocol, present in approximately 90% of organizations worldwide through their Active Directory deployments. Cloud adoption has not changed this.

Most enterprises are not fully cloud-native. They run a hybrid model: some workloads in Azure or AWS, others on-premises, with Active Directory as the identity anchor for both. Microsoft Entra ID (formerly Azure AD) connects to on-premises AD through synchronization, but the on-premises AD (and therefore LDAP) remains the authoritative source for many identity decisions.

The role of LDAP in zero trust architecture

Zero trust requires continuous verification: every access request must be authenticated and authorized, regardless of network location. LDAP sits at a critical junction in this model because it is often the system that answers those verification requests.

The challenge is that LDAP was not designed with zero trust principles in mind. It assumes network adjacency, uses persistent connections, and in its unencrypted form exposes credentials in transit. Fitting LDAP into a zero trust architecture requires compensating controls:

mandatory LDAPS
strict firewall rules
limiting which systems can reach port 636
LDAP signing enforcement
monitoring of bind attempts for anomalous patterns

LDAP does not break zero trust but it requires deliberate hardening to support it. Organizations that treat LDAP as a legacy component and leave it unconfigured are creating exactly the kind of implicit trust that zero trust is designed to eliminate.

DevOps and CI/CD secrets management

Automated pipelines present a specific LDAP challenge. CI/CD systems (Jenkins, GitLab CI, GitHub Actions runners) often need to authenticate against LDAP to access internal resources. That authentication typically involves a service account: a dedicated LDAP bind DN with a static password.

Static service account credentials are a persistent risk. They rarely rotate, they are often shared across pipelines, and when they appear in build logs or configuration files, they are difficult to detect and revoke. The answer is to manage these credentials through a dedicated secrets manager rather than hardcoding them in pipeline configuration.

Passwork's CLI tools and REST API let DevOps teams pull service account credentials at runtime rather than storing them in pipeline configs. Permissions inherit from AD groups, so access stays synchronized with your directory without manual intervention. Start your free trial today and test it on your infrastructure

Critical LDAP security risks in 2026

LDAP is not just a legacy protocol with theoretical risks. It is an active attack surface with documented, exploited vulnerabilities.

The threat of credential theft and ransomware

According to IBM's X-Force Threat Intelligence Index 2026, credential harvesting was the most common attack impact observed in 2025. Threat actors harvested login data via phishing and infostealers, then blended into normal authentication flows to move laterally. LDAP service account credentials fit this pattern precisely: reused across applications, rarely rotated, and almost never monitored for anomalous bind activity.

The attack chain is well-documented: compromise an LDAP credential through phishing or password spraying, use it to enumerate the directory, identify privileged accounts, and escalate. Microsoft's Digital Defense Report has consistently linked AD/LDAP credential compromise to ransomware deployment. The directory is a map of the entire organization's access structure, and attackers read it before they act.

Recent vulnerabilities: CVE-2025-26663 and CVE-2025-54918

Two critical vulnerabilities disclosed in 2025 demonstrate that LDAP's attack surface is actively expanding.

CVE-2025-26663 is a use-after-free remote code execution vulnerability in Windows LDAP, disclosed in April 2025. An attacker can exploit a memory management flaw in the Windows LDAP service (specifically in wldap32.dll) to execute arbitrary code on a target server without valid credentials.

The attack requires only network access to the LDAP service. Domain controllers, which expose LDAP by design, are the primary targets. Unpatched domain controllers running this vulnerability are effectively open to unauthenticated Remote Code Execution (RCE) from any system that can reach port 389 or 636.

CVE-2025-54918, disclosed in September 2025, is a privilege escalation vulnerability that combines NT LAN Manager relay with coerced authentication to bypass LDAP channel binding and signing protections. An attacker with a low-privileged domain account can coerce a domain controller into authenticating to an attacker-controlled system, manipulate the NTLM authentication packets in transit, and relay the modified authentication back to the domain controller — achieving SYSTEM-level access. The attack is particularly dangerous because it bypasses controls that organizations commonly rely on as hardening measures.

⚠️

Both vulnerabilities have patches available. If your domain controllers have not received April 2025 and subsequent Windows security updates, patching is the immediate priority.

Best practices for securing LDAP in the enterprise

The following checklist covers the minimum controls for a production LDAP deployment. These are recommendations that address a specific, documented attack vector.

Enforce LDAPS on port 636. Disable plaintext LDAP on port 389 for all production traffic. Configure TLS certificates from your internal CA or a trusted public CA.
Enable LDAP signing and channel binding. Prevents relay attacks. Required for CVE-2025-54918 mitigation — though note that CVE-2025-54918 bypasses these controls on unpatched systems, so patching is still mandatory.
Apply all Windows security updates. CVE-2025-26663 and CVE-2025-54918 both have patches. Unpatched domain controllers are the highest-priority remediation item.
Restrict LDAP access by IP. Only systems that legitimately need to query LDAP should be able to reach port 636. Firewall rules should enforce this, not just network segmentation assumptions.
Audit service account credentials. Identify every bind DN in use across your environment. Rotate passwords on a schedule. Remove accounts that are no longer needed.
Monitor bind attempts. Unusual bind patterns — repeated failures, binds from unexpected source IPs, binds at unusual hours — are early indicators of credential stuffing or lateral movement.
Disable anonymous LDAP binds. Anonymous queries allow unauthenticated enumeration of directory contents. Most modern deployments have no legitimate use for anonymous binds.
Separate service accounts by function. A service account used by a VPN should not have the same permissions as one used by a backup system. Least privilege applies to LDAP bind accounts too.

Streamlining enterprise access with Passwork LDAP integration

The operational burden of LDAP-based access management compounds over time. Users change teams, join projects, and leave the organization and each transition requires access changes across multiple systems. When those changes are manual, they lag. Accounts stay active longer than they should. Credentials accumulate in places no one is tracking.

Passwork connects directly to Active Directory or any LDAP-compatible directory and maps group membership to vault access automatically:

Add a user to the SRE group in AD — the correct credentials appear in their Passwork vault, no separate admin action required
Remove them from the group — access is revoked
The directory stays the single source of truth for who has access to what

For self-hosted environments, Passwork deploys entirely within your own perimeter. Credentials never leave it. SAML SSO is supported alongside LDAP, so teams using both protocols for different application layers don't need to rebuild their identity architecture.

Every read, write, share, and export is recorded in the audit log — relevant both for internal security reviews and for demonstrating compliance with SOC 2 CC6.1 and GDPR Article 32.

Conclusion

LDAP is not going away. The directory software market was valued at $8.4 billion in 2025 and is projected to reach $19.7 billion by 2034, according to Dataintelo's market research — a figure that reflects continued enterprise investment in directory infrastructure, not a technology in decline. With 90% of enterprises still running Active Directory, LDAP remains the connective tissue of corporate identity management.

What has changed is the threat environment. CVE-2025-26663 and CVE-2025-54918 are actively patched vulnerabilities targeting the LDAP services your domain controllers expose right now.

The practical action is straightforward: enforce LDAPS, patch your domain controllers, audit your service account credentials, and make sure access changes in your directory propagate automatically to the systems that depend on it. Manual access management at the scale most enterprises operate is where gaps appear.

Passwork integrates with Active Directory and LDAP to keep credential access synchronized with your directory groups — automatically, without custom scripts. Self-hosted, AES-256 encrypted, ISO 27001, with a full audit trail. Try it in your infrastructure

Frequently asked questions about LDAP

What is LDAP used for?

LDAP is used to authenticate users and look up directory information — group memberships, email addresses, account attributes — across enterprise applications. Common use cases include VPN authentication, email server user lookup, application SSO, and centralized user management. Most enterprise applications that need to verify identity against a corporate directory use LDAP.

What is the difference between LDAP and Active Directory?

LDAP is an open protocol (RFC 4511) for accessing directory services. Active Directory is Microsoft's directory service, which uses LDAP as one of its access protocols. AD also uses Kerberos for Windows authentication. You can use LDAP without Active Directory (via OpenLDAP, for example), but Active Directory relies on LDAP to serve directory queries to non-Windows applications.

What is LDAPS and why does it matter?

LDAPS is LDAP over TLS, running on port 636. Standard LDAP on port 389 transmits credentials in plaintext, making them visible to anyone who can intercept network traffic. LDAPS encrypts the entire session. In 2026, running unencrypted LDAP in production is indefensible — Microsoft has been enforcing LDAP signing and channel binding requirements since 2020, and both CVE-2025-26663 and CVE-2025-54918 target LDAP services directly.

Is LDAP still used in 2026?

Yes. Active Directory, which relies on LDAP, is deployed at approximately 90% of enterprises worldwide. Cloud adoption has not displaced it — most organizations run hybrid environments where on-premises AD remains the authoritative identity source. LDAP is also embedded in thousands of applications that authenticate against enterprise directories and will not be replaced by SAML or OAuth without significant re-engineering.

How does LDAP fit into a zero trust architecture?

LDAP can support zero trust if hardened correctly. Zero trust requires continuous verification of every access request, and LDAP is often the system answering those requests. The requirements: enforce LDAPS (port 636), enable signing and channel binding, restrict directory access by source IP, monitor bind attempts, and rotate service account credentials regularly. LDAP's default configuration is not zero trust-compatible — but the protocol itself is not the obstacle.

What are the main security risks with LDAP?

The primary risks are credential exposure over unencrypted connections (port 389), service account credential theft, NTLM relay attacks (CVE-2025-54918), and unauthenticated RCE via memory corruption vulnerabilities (CVE-2025-26663). IBM's X-Force Threat Intelligence Index 2025 found that identity-based attacks — many targeting directory credentials — accounted for 30% of all intrusions in 2024. Patching, LDAPS enforcement, and service account hygiene address the majority of these risks.

Can LDAP be replaced by SAML or OAuth?

Not entirely. SAML and OAuth handle browser-based federated authentication and API authorization respectively. LDAP handles directory lookups and application authentication for systems that cannot speak SAML. Most enterprise environments run all three protocols for different layers of their application stack. The question is not which to choose — it is which applications require LDAP and whether those connections are secured properly.