Top LDAP Interview Questions and Answers (2024)

1. What is LDAP?

2. How does LDAP work?

3. Can you do SSO with LDAP?

4. What is Distinguished name (DN) and Relative distinguished name (RDN)?

5. What Is Active Directory?

6. Does LDAP support SAML?

7. What security features are available in Active Directory?

8. Is LDAP a database?

9. How to Search LDAP using ldapsearch?

10. What is LDAP Authentication for Active Directory?

11. Where are LDAP passwords stored?

12. How to Search LDAP with an Admin account?

13. How to find all objects in the directory tree in LDAP?

14. How to Find user accounts using ldapsearch in LDAP?

15. How do I connect to a LDAP server remotely?

16. What is LDAP SonarQube?

17. Which open source tools are available for Oauth 2.0 /SAML/ OpenID Connect based SSO?

Q: What is LDAP?
Ans:

Directories are where businesses keep usernames, passwords, email addresses, printer connections, and other static data. For accessing and maintaining that data, Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral application protocol. LDAP can also handle authentication, allowing users to sign on once and access multiple files on the server.

Q: How does LDAP work?
Ans:

The Lightweight Directory Access Protocol, or LDAP, is a TCP/IP-based application protocol for querying and modifying directory services. A directory is a collection of objects with similar attributes that are organised logically and hierarchically.

Suppose anyone in your workplace would like to do two things: Send an email to a new employee, and then print a copy of the conversation on a new printer. Both of these steps are made possible by LDAP (lightweight directory access protocol).

An LDAP query usually includes the following steps:

• Session connection: The user establishes a connection to the server using an LDAP port.
• Request: The user sends a query to the server, such as an email lookup.
• Response: The LDAP protocol searches the directory for information and returns it to the user.
• Completion: The user disconnects from the LDAP port at the end.

The LDAP must authenticate the user before any search can begin. There are two approaches to this work:

• Simple: Using the correct user name and password, the user is connected to the server.
• SASL (Simple Authentication and Security Layer): Before the user can connect, a secondary service, such as Kerberos, performs authentication. This can be a good option for businesses that require advanced security.

Q: Can we do SSO with LDAP?
Ans:

Yes, when we combine SSO and LDAP, we get the security and ease-of-use of SSO with the benefits of utilising our existing LDAP directory structure for user management.

Q: What is Distinguished name (DN) and Relative distinguished name (RDN)?
Ans:

Distinguished name (DN): A unique identifier for each entry which describes its location in the information tree.

Relative distinguished name (RDN): This is a technique of linking DNs while specifying their relative location.

An LDAP DN is made up of zero or more relatively distinguished names (RDNs). Each RDN is made up of one or more attribute-value pairs (usually just one).
For example, "uid=miley.brown" denotes an RDN with an attribute named "uid" and a value of "miley.brown".

Q: What Is Active Directory?
Ans:

Active Directory is a Microsoft product that is used to organise information technology assets such as users, computers, and printers.
The active directory centralises information about all the people, computers, and other assets in the organisation. Also it stores credentials (such as your username and password) in order to authenticate you to all of the applications you are using.

Active Directory categorises assets into three tiers.

1. Domains: Domains are made up of Users(employees) and devices (such as computers) that share the same Active Directory database. A domain, such as "Engineering Domain," is usually associated with a company or an organisation within a company.
2. Trees: Trees describe trust between domains, determining who can access what in different parts of an organisation, and allowing IT administrators to manage their own community of users and devices.

Each of these levels does have its own set of access and communication privileges.


3. Forests: Domains are grouped into forests for large organisations or intercompany relationships. Inter-forest trust is typically formed after one company acquires another. Employees from both organisations must have access to the resources of the other.

Q: Does LDAP support SAML?
Ans:

LDAP and SAML are two separate protocols. One does not "support" the other. Both LDAP and SAML 2.0 are supported by Microsoft's Active Directory Federation Services (ADFS).

In fact, the primary goal of LDAP is to make on-premise authentication and other server procedures easier. Whereas, SAML allows users to utilise their credentials in the cloud and on other websites. They serve the same purpose: helping users in connecting to their IT resources.

Q: What security features are available in Active Directory?
Ans:

Active Directory has security features such as:

• Authentication: Users would need to provide the correct credentials before they could access network resources.
• Security groups: IT administrators divide users into groups for security reasons. To reduce administration, the groups are then assigned to apps.
• Group policy: Active Directory contains a large number of policies that describe who would access computers remotely or configure browser security settings.

Q: Is LDAP a database?
Ans:

Yes, LDAP (Lightweight Directory Access Protocol) is a TCP/IP protocol. It's being used to connect to directory services such as Microsoft's Active Directory and Sun's ONE Directory Server. A directory service is a database or data store, but it is not always a relational database.

Q: How to Search LDAP using ldapsearch?
Ans:

The simplest way to find LDAP is using ldapsearch with the "-x" option for simple authentication and the "-b" option to describe the search base.

When you're not running the search directly on the LDAP server, you must use the "-H" option to specify the host.

$ ldapsearch -x -b <search_base> -H <ldap_host>

You will be able to perform an LDAP search query without binding to the admin account if your server accepts anonymous authentication.

$ ldapsearch -x -b "dc=techgeeknext,dc=com" -H ldap://192.168.178.29

Q: What is LDAP Authentication for Active Directory?
Ans:

Directory services, like Active Directory, store user and account information, as well as security information such as passwords, and then allow the data to be shared with other network devices. LDAP is a means of "communicating" to Active Directory and sending messages between AD and other parts of your IT environment.

Mainly, you should configure LDAP in order to authenticate credentials against Active Directory. The "BIND" operation is being used to configure the authentication state for an LDAP session where an LDAP client connects to a server.

LDAP provides two options to perform authentication:

1. Simple authentication: It consists of three strategies: anonymous authentication, unauthenticated authentication and name/password authentication
In most of the cases, simple authentication entails sending a BIND request to the server and entering a name and password.
2. SASL authentication: The SASL (Simple Authentication and Security Layer) framework binds to the LDAP server using another authentication service, such as Kerberos, and then utilises the authentication service to authenticate. This can improve security by separating authentication methods from application protocols, which helps make the directory less vulnerable in general. All LDAP authentication messages are sent in plain text by default, which could also expose LDAP authentication processes to security risks. To avoid this, use a security measure like encryption with TLS, or Transport Layer Security.

Q: Where are LDAP passwords stored?
Ans:

LDAP passwords are normally stored in the userPassword attribute. According to RFC4519, passwords are not stored in encrypted (or hashed) format. This enables the use of a wide range of password-based authentication mechanisms, such as DIGEST-MD5. In addition, this is the most interoperable storage scheme.

Q: How to Search LDAP with an Admin account?
Ans:

To lookup LDAP with the admin account, run the "ldapsearch" query with the "-D" option for the bind DN and the "-W" option to be triggered for the password.

$ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W

You may also be exposed to user encrypted passwords if you run an LDAP search as the administrator account, so make sure you run your query privately.

As an example, suppose your administrator account has the distinguished name "cn=admin,dc=techgeeknext,dc=com".

$ ldapsearch -x -b "dc=techgeeknext,dc=com" -H ldap://192.168.178.29 -D "cn=admin,dc=techgeeknext,dc=com" -W

Q: How to find all objects in the directory tree in LDAP?
Ans:

To return all objects in your LDAP tree, append the "objectclass" filter and a wildcard character "*" to define that you'd like to return all objects.

When we run this query, will get all of the objects and attributes in the tree.

$ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=*"

Q: How to Find user accounts using ldapsearch in LDAP?
Ans:

Suppose , we would like to find all user accounts in the LDAP directory tree.
By default, the below query returns all available attributes for the provided object class.

$ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=account"

Q: How do I connect to a LDAP server remotely?
Ans:

For authentication and authorization, the ExtraHop system supports the Lightweight Directory Access Protocol (LDAP). You can configure your ExtraHop system to authenticate users remotely with an existing LDAP server rather than storing user credentials locally. It is important to note that ExtraHop LDAP authentication only searches for user accounts; it does not search for any other entities in the LDAP directory.

1. Sign in to the ExtraHop system's Administration settings at https:///admin.
2. Click Remote Authentication in the Access Settings section -> Select LDAP-> Continue.
3. LDAP Settings page
• Provide hostname or IP address of the LDAP server
• Provide DNS entry of the ExtraHop system
• Select Posix or Active Directory from the drop-down list
• Select one of the encryption options (None,LDAPS,StartTLS)
• Select Validate SSL Certificates to allow for certificate validation
4. Provide base DN in the Base DN field - The Base DN is the place for a server to search for users.
5. Provide Search Filter - It defines search criteria when searching the LDAP directory for user accounts.
6. Select Search Scope option (Whole subtree, Single level:) from the drop-down list
7. Click Test Settings-> Save & Continue -> Next would be to Configure user privileges for remote authentication

Q: What is LDAP SonarQube?
Ans:

You can configure SonarQube authentication and authorization to an LDAP server (including Active Directory's LDAP Service) through configuring the appropriate values in your $SONARQUBE HOME/conf/sonar. properties file. The main features are Automatic synchronisation of user and group relationships (authorization).

Q: Which open source tools are available for Oauth 2.0 /SAML/ OpenID Connect based SSO?
Ans:

Keycloak is a modern application and service-oriented open source Identity and Access Management system. Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console are some of the features offered by Keycloak.

It works with a variety of protocols, including Oauth 2.0, SAML 2.0 and OpenID Connect. User credentials can also be stored locally or via an LDAP or Kerberos backend.

When a user logs in successfully with Keycloak, they are given a token, which is saved as a cookie in the browser, and they are automatically sent back to the service they were trying to access. This token usually includes a username as well as information about the user's permissions.

Refer Spring Boot Keycloak SSO Example to understand it's implementation.