
LDAP & Identity — Trivia & Interesting Facts

Surprising, historical, and little-known facts about LDAP and identity management.


LDAP was created as a lightweight alternative to a 500-page ISO standard

LDAP (Lightweight Directory Access Protocol) was first specified in RFC 1487 in 1993, by Tim Howes of the University of Michigan together with Steve Kille, Colin Robbins and Wengyik Yeong, as a simpler front end to the X.500 Directory Access Protocol (DAP). X.500 required the full OSI protocol stack and was so complex that few organizations could implement it, so LDAP kept the X.500 directory model and stripped the protocol down to something that runs over TCP/IP.


Microsoft bet the entire Windows 2000 architecture on LDAP

Active Directory shipped with Windows 2000 in February 2000 and was Microsoft's biggest architectural gamble in years: the domain model was rebuilt around an LDAP directory with Kerberos authentication, replacing the flat SAM-based domain database used since Windows NT 3.1 in 1993. Migrating NT 4.0 domains was involved enough that many enterprises ran Active Directory in mixed mode, alongside NT 4.0 backup domain controllers, for years before completing the move.


The DN string format reads backwards compared to X.500, on purpose

An LDAP Distinguished Name such as cn=jdoe,ou=users,dc=example,dc=com reads from most-specific to least-specific, left to right. That is the same direction as a DNS name like host.example.com, not the opposite of it; what it reverses is X.500's native order, in which the ASN.1 RDNSequence starts at the root. The LDAP string form (RFC 4514, and RFC 1779 before it) deliberately writes the sequence backwards to follow the postal-address convention of putting a person's name before their city and country, and RFC 2247 later mapped DNS domains onto dc= components in that same order, which is why dc=example,dc=com lines up label for label with example.com.
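The ordering point above, as an added example that is not code from the original page: a small DN parser that keeps RFC 4514 backslash escapes intact (so a comma inside a value is never mistaken for an RDN separator), a function that flips the same RDNs into X.500 root-first order, and the RFC 2247 mapping in both directions. It uses only the standard library and does not handle multi-valued RDNs (a+b=c).

```python
"""DN string order vs. X.500 order, plus the RFC 2247 DNS-to-DN mapping.

Added example, not code from the original page. Standard library only; RFC 4514
escaping is handled, multi-valued RDNs (a+b=c) are not.
"""
import re

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a string DN into (type, value) RDNs in string order: most-specific first.

    Honours backslash escapes, both the '\\,' form and the hex form '\\2c', so a
    comma inside a value is never mistaken for an RDN separator.
    """
    rdns: list[tuple[str, str]] = []
    buf: list[str] = []
    i = 0

    def flush() -> None:
        typ, eq, val = ''.join(buf).partition('=')
        if not eq:
            raise ValueError(f"RDN without '=': {''.join(buf)!r}")
        rdns.append((typ.strip().lower(), val))

    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            nxt = dn[i + 1:i + 3]
            if re.fullmatch(r'[0-9A-Fa-f]{2}', nxt):
                buf.append(chr(int(nxt, 16)))   # \XX hex escape
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])           # \, \+ \" etc.
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
            continue
        if ch == ',':
            flush()
            buf.clear()
        else:
            buf.append(ch)
        i += 1
    flush()
    return rdns


def x500_order(dn: str) -> list[tuple[str, str]]:
    """The same RDNs in X.500 (ASN.1 RDNSequence) order: root first, leaf last."""
    return list(reversed(parse_dn(dn)))


def dns_to_dn(domain: str) -> str:
    """RFC 2247: each DNS label becomes a dc= RDN, keeping the left-to-right order."""
    labels = [lab for lab in domain.strip('.').split('.') if lab]
    if not labels:
        raise ValueError("empty domain name")
    return ','.join(f'dc={escape_value(lab)}' for lab in labels)


def dn_to_dns(dn: str) -> str:
    """Inverse mapping: the dc= components of a DN, in order, joined with dots."""
    return '.'.join(v for t, v in parse_dn(dn) if t == 'dc')


if __name__ == "__main__":
    dn = 'cn=Doe\\, John,ou=users,dc=example,dc=com'
    print(parse_dn(dn))          # string order, comma in the CN preserved
    print(x500_order(dn))        # root first, as X.500 and the BER wire form order it
    print(dns_to_dn('example.com'), dn_to_dns(dn))
```

Splitting a DN on bare commas is a common bug in home-grown LDAP code; the escape handling here is the part worth copying, and the x500_order view is what you see when you decode the same name out of a certificate's subject field.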


OpenLDAP's slapd has been running since 1998 with essentially the same wire protocol

The core LDAPv3 protocol (RFC 2251 in 1997, superseded by RFC 4511 in 2006 without changing the wire format) has remained remarkably stable. OpenLDAP's slapd daemon, first released in 1998, still speaks to modern LDAP clients using the same ASN.1 BER encoding (a restricted subset: definite lengths only, primitive OCTET STRINGs) that has defined the protocol for nearly three decades.


Anonymous LDAP binds once exposed millions of corporate directories

In the early 2000s, many organizations left anonymous bind enabled on their LDAP servers, allowing anyone on the network to enumerate all users, email addresses, phone numbers, and organizational structures. Penetration testers routinely found entire corporate org charts exposed this way. The default still matters: OpenLDAP permits anonymous binds unless slapd.conf carries "disallow bind_anon" (and access control lists restrict what anonymous can read), while Active Directory has refused anonymous operations beyond the rootDSE since Windows Server 2003 unless dSHeuristics is changed. A close cousin is the "unauthenticated" simple bind, a DN with an empty password: RFC 4513 says servers should reject it by default, but some treat it as a successful anonymous bind, so an application that equates "bind succeeded" with "password correct" can be logged into with a blank password.
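Both the BER encoding described under the slapd item and the anonymous and unauthenticated binds described here, as one added example that is not code from the original page: a minimal BER encoder that builds an LDAPv3 BindRequest byte for byte, and a decoder that classifies a captured bind as anonymous, unauthenticated, simple or SASL, which is the check a detection rule over LDAP traffic wants. Tag values are taken from RFC 4511 and X.690; the sample messages are constructed inline.

```python
"""Encode an LDAPv3 BindRequest in BER and classify captured bind messages.

Added example, not code from the original page. Tags follow RFC 4511 (LDAPMessage,
BindRequest [APPLICATION 0], simple [0], sasl [3]) and X.690 BER; standard library only.
"""


def ber_len(n: int) -> bytes:
    """Definite-length BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    length = max(1, (n.bit_length() + 8) // 8)   # +8 keeps the sign bit clear for positives
    return tlv(0x02, n.to_bytes(length, 'big', signed=True))


def simple_bind(msg_id: int, name: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple [0] OCTET STRING } }."""
    op = tlv(0x60, ber_int(version) + tlv(0x04, name.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)


def sasl_bind(msg_id: int, mechanism: str, credentials: bytes = b'', version: int = 3) -> bytes:
    """Same, but authentication is sasl [3] SaslCredentials { mechanism, credentials }."""
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, credentials))
    op = tlv(0x60, ber_int(version) + tlv(0x04, b'') + sasl)
    return tlv(0x30, ber_int(msg_id) + op)


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not permitted in LDAP")
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    else:
        length = first
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated message")
    return tag, content, pos + length


def classify_bind(msg: bytes) -> dict:
    """Pull out who is binding and how; 'anonymous' and 'unauthenticated' are the ones to alert on."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = read_tlv(body)
    t, op, _ = read_tlv(body, p)
    result = {"message_id": int.from_bytes(mid, 'big', signed=True)}
    if t != 0x60:
        result["kind"] = "not-a-bind"
        return result
    _, ver, p = read_tlv(op)
    _, name, p = read_tlv(op, p)
    t, cred, _ = read_tlv(op, p)
    result["version"] = int.from_bytes(ver, 'big', signed=True)
    result["name"] = name.decode('utf-8', 'replace')
    if t == 0xA3:
        result["kind"] = "sasl"
    elif t != 0x80:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{t:02x}")
    elif not name and not cred:
        result["kind"] = "anonymous"            # RFC 4513 section 5.1.1
    elif name and not cred:
        result["kind"] = "unauthenticated"      # RFC 4513 section 5.1.2: DN given, empty password
    else:
        result["kind"] = "simple"
    return result


if __name__ == "__main__":
    anon = simple_bind(1, '', '')
    print(anon.hex())                # 300c020101600702010304008000
    print(classify_bind(anon))
    print(classify_bind(simple_bind(2, 'cn=jdoe,dc=example,dc=com', '')))
    print(classify_bind(sasl_bind(3, 'GSSAPI')))
```

An anonymous bind is fourteen bytes on the wire, which is also why the encoding has never needed to change. The classifier is deliberately strict about definite lengths, matching the RFC 4511 restriction, so a message that uses indefinite-length BER is rejected rather than guessed at.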


Kerberos was named after the three-headed dog of Greek mythology

The Kerberos authentication protocol, often paired with LDAP in enterprise environments (Active Directory uses both), was developed at MIT for Project Athena in the 1980s. It takes its name from Kerberos, the three-headed dog guarding the entrance to Hades (Cerberus is the Latin spelling), because the protocol involves three parties: the client, the service it wants to reach, and the Key Distribution Center (KDC) that issues the tickets.


LDAP injection attacks work almost exactly like SQL injection

LDAP search filters are plain text, for example (&(uid=user)(userPassword=pass)), so an attacker who controls a value can inject wildcards and Boolean operators much as in SQL injection. The classic payload *)(uid=*))(|(uid=* turns (&(uid=USER)(userPassword=PASS)) into (&(uid=*)(uid=*))(|(uid=*)(userPassword=PASS)): the first complete filter matches every user, and a parser that stops after it never sees the password clause. The defence is also the same as for SQL: escape every user-supplied value per RFC 4515 (*, (, ), \ and NUL become \2a, \28, \29, \5c and \00), or let a client library do it, and never test a password inside a filter at all; look up the entry's DN and bind with it instead. Documented since the early 2000s, LDAP injection still sits in the OWASP Top 10 under the injection category.
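The attack and its fix above, as an added example that is not code from the original page. It contains a toy RFC 4515 filter parser and matcher run over a constructed two-entry directory, the vulnerable filter construction beside the RFC 4515-escaped one, and the classic payload applied to both. The toy parser stops after the first complete filter and ignores trailing text, which is what the classic payload relies on; whether a particular server behaves that way is something to test, not assume.

```python
"""LDAP injection: vulnerable vs. RFC 4515-escaped filter construction.

Added example, not code from the original page. The parser covers &, |, !,
equality with * wildcards and presence; the directory is constructed sample data.
"""
import re

# Constructed in-memory directory standing in for an LDAP server.
DIRECTORY = [
    {"uid": "jdoe", "userPassword": "hunter2", "objectClass": "person"},
    {"uid": "admin", "userPassword": "c0rrect-h0rse", "objectClass": "person"},
]

PAYLOAD = "*)(uid=*))(|(uid=*"


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: the five characters with meaning inside an assertion value."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def parse_filter(s: str, pos: int = 0):
    """Parse one filter starting at s[pos]; returns (ast, position after it)."""
    if s[pos] != '(':
        raise ValueError("expected '('")
    pos += 1
    op = s[pos]
    if op in '&|':
        items = []
        pos += 1
        while s[pos] == '(':
            node, pos = parse_filter(s, pos)
            items.append(node)
        node = (op, items)
    elif op == '!':
        inner, pos = parse_filter(s, pos + 1)
        node = ('!', inner)
    else:
        end = s.index(')', pos)
        attr, _, val = s[pos:end].partition('=')
        node = ('=', attr, val)
        pos = end
    if s[pos] != ')':
        raise ValueError("expected ')'")
    return node, pos + 1


def _unescape(segment: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), segment)


def matches(node, entry) -> bool:
    kind = node[0]
    if kind == '&':
        return all(matches(n, entry) for n in node[1])
    if kind == '|':
        return any(matches(n, entry) for n in node[1])
    if kind == '!':
        return not matches(node[1], entry)
    _, attr, val = node
    if attr not in entry:
        return False
    if val == '*':                      # presence filter
        return True
    # Unescaped '*' splits the value into substring pieces; escaped bytes become literals.
    pattern = '.*'.join(re.escape(_unescape(piece)) for piece in val.split('*'))
    return re.fullmatch(pattern, entry[attr]) is not None


def search(filter_str: str) -> list[str]:
    node, _ = parse_filter(filter_str)  # anything after the first complete filter is ignored
    return [e["uid"] for e in DIRECTORY if matches(node, e)]


def vulnerable_login(user: str, password: str) -> list[str]:
    """Raw concatenation and a password comparison inside the filter: both mistakes at once."""
    return search(f"(&(uid={user})(userPassword={password}))")


def hardened_lookup(user: str) -> list[str]:
    """Escaped lookup of the entry only; the password is then checked by binding as its DN."""
    return search(f"(&(uid={escape_filter_value(user)})(objectClass=person))")


if __name__ == "__main__":
    print(vulnerable_login(PAYLOAD, "anything"))   # ['jdoe', 'admin']: every user matches
    print(hardened_lookup(PAYLOAD))                # []: the payload is just a literal string
    print(hardened_lookup("jdoe"))                 # ['jdoe']
```

With a real client the second half of hardened_lookup is a bind as the returned DN with the supplied password; the point of keeping the password out of the filter is that even a perfectly escaped (userPassword=...) clause would compare against a stored hash and fail, or worse, leak whether a hash matched.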


Active Directory's object ceiling is about 2.15 billion per domain controller

Microsoft documents that each domain controller can create a little under 2.15 billion objects (2^31 minus a small reserve) over its lifetime, because an object's internal database identifier is a 31-bit value; the RID pool that numbers security principals was 30 bits until Windows Server 2012 raised it to 31. Microsoft's own internal forest reportedly holds hundreds of millions of objects, and the largest global enterprises, with computer objects, service accounts and group policies multiplying the count, operate close enough to these limits that they need deliberately designed multi-master replication topologies spanning dozens of domain controllers.


SAML was almost killed by a single XML vulnerability class

SAML (Security Assertion Markup Language), the dominant enterprise SSO protocol and usually fronting an identity store such as LDAP or Active Directory, was hit by XML Signature Wrapping (XSW) attacks published in 2012 (Somorovsky et al., "On Breaking SAML: Be Whoever You Want to Be"). The signature verifier and the application logic located "the assertion" by different paths, so an attacker could leave the signed assertion in the document, add an unsigned one naming any user, and have the verifier bless one while the application consumed the other; 11 of the 14 tested frameworks and identity providers were vulnerable. The vulnerability class was fundamental enough to shake confidence in enterprise SSO, and the fix is structural: verify the signature, then consume only the element it covers, exactly one assertion located once with a Reference URI matching its ID, never re-selecting by XPath afterwards.
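The structural checks described above, as an added example that is not code from the original page or from any SAML library. It constructs a genuine-looking SAML Response and an XSW-rewritten copy of it, shows the naive "first Assertion in document order" selection picking the attacker's assertion, and the hardened selection rejecting the wrapped document. The signature block is a constructed placeholder; real code must verify the XMLDSig signature with a proper library (the python-xmlsec or signxml packages) against the IdP's pinned certificate before trusting anything, and these checks are what goes around that verification, not a substitute for it.

```python
"""XML Signature Wrapping: naive vs. hardened assertion selection in a SAML Response.

Added example, not code from the original page. Standard library only; the
Signature element is a constructed stand-in and is NOT cryptographically verified.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _signed_assertion(aid: str, subject: str) -> str:
    """An assertion with an enveloped signature placeholder; only the Reference URI matters here."""
    return (f'<saml:Assertion ID="{aid}" Version="2.0">'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo>'
            f'<ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'</saml:Assertion>')


def _response(*children: str) -> str:
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
            + ''.join(children) + '</samlp:Response>')


# Constructed samples: what the IdP issued, and the same document after an XSW rewrite
# that keeps the signed assertion (so the signature still verifies when resolved by ID)
# but puts an unsigned assertion for a different user where naive code looks first.
GENUINE = _response(_signed_assertion("_a1", "jdoe"))
WRAPPED = _response(
    '<saml:Assertion ID="_a1" Version="2.0">'
    '<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>',
    '<samlp:Extensions>' + _signed_assertion("_a1", "jdoe") + '</samlp:Extensions>',
)
UNSIGNED = _response('<saml:Assertion ID="_a2" Version="2.0">'
                     '<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>')


def naive_subject(xml: str) -> str:
    """The pattern the 2012 paper broke: 'a signature verified somewhere, so take the first Assertion'."""
    root = ET.fromstring(xml)
    return root.find('.//saml:Assertion/saml:Subject/saml:NameID', NS).text


def validate(xml: str) -> tuple[bool, str]:
    """Return (accepted, subject-or-reason) after the structural checks that defeat wrapping."""
    root = ET.fromstring(xml)
    assertions = root.findall('.//saml:Assertion', NS)
    if len(assertions) != 1:
        return False, f"expected exactly one Assertion, found {len(assertions)}"
    a = assertions[0]
    if a not in list(root):
        return False, "Assertion is not a direct child of Response"
    sig = a.find('ds:Signature', NS)            # enveloped signature must sit inside the assertion
    if sig is None:
        return False, "Assertion carries no enveloped Signature"
    refs = sig.findall('ds:SignedInfo/ds:Reference', NS)
    if len(refs) != 1 or refs[0].get('URI') != '#' + (a.get('ID') or ''):
        return False, "Signature Reference does not point at this Assertion"
    # Real code verifies the signature of element `a` here with an XMLDSig library and
    # the IdP's pinned certificate, then keeps using `a` itself: never re-select by ID or XPath.
    name_id = a.find('saml:Subject/saml:NameID', NS)
    if name_id is None or not name_id.text:
        return False, "Assertion has no NameID"
    return True, name_id.text


if __name__ == "__main__":
    print(naive_subject(GENUINE), naive_subject(WRAPPED))   # jdoe admin
    print(validate(GENUINE), validate(WRAPPED), validate(UNSIGNED))
```

The duplicate ID in the wrapped document is deliberate: an ID-based resolver finds a signed assertion for "#_a1" and reports success, while document-order code consumes the other one. Counting assertions, pinning position, and tying the Reference URI to the very element you go on to read closes that gap.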


FreeIPA bundles four separate open-source projects into one identity platform

Red Hat's FreeIPA combines MIT Kerberos, 389 Directory Server (formerly Fedora Directory Server; FreeIPA has never used OpenLDAP), BIND DNS with an LDAP-backed zone plugin, and the Dogtag Certificate System into a single integrated identity management system, with SSSD enrolling client hosts against it. The name "IPA" stands for Identity, Policy, Audit, and the project was started because no single open-source tool covered all three.