Last Tested: Jun 24, 2019
LDAP is a protocol for talking to a directory service such as Active Directory (AD). An AD holds information about users, somewhat like a NoSQL database (though it is a distinctly different thing). LDAP is the set of rules for sending information (such as usernames and passwords) to an Active Directory and receiving information back from it. LDAP is an open-standard protocol, meaning it is a standardized language that most applications can understand and speak.
It's Ubiquitous in Larger Companies:
LDAP is already a critical component of most large enterprises and Internet-scale companies, so using it with Looker just makes sense: they have Active Directory set up already, and using it to authenticate into Looker fits how they use their other SaaS products. LDAP is also not used only for authentication; it lets IT departments gather information on users and change permissions at the group level. A good example of that use case is here: https://stackoverflow.com/questions/22899946/ldap-vs-saml-authorization
LDAP messages are encoded with ASN.1 BER, a compact binary format that is very efficient to encode and decode, and much more streamlined than something like JSON or XML over HTTP. As a result, the login process for LDAP is faster than for SAML (which uses XML). LDAP also uses persistent connections for communicating with a directory server: whereas many modern HTTP-based protocols use relatively short-lived connections, an LDAP connection can live for hours, days or even longer.
ADs are designed with strong security measures because they house sensitive information such as usernames and passwords. Furthermore, whereas many SQL-based and NoSQL-based applications use a single account for all interaction with the data store, LDAP applications typically perform operations as the end user, which allows very granular control over what information is available to each user (think access grants based on user attributes versus general model permissions in Looker). NOTE: the packets LDAP sends and receives are readable in plaintext on the wire, so when we talk about using LDAP with Looker, we actually mean LDAP encrypted with TLS, not pure LDAP.
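The two points above (BER is compact, and a plain LDAP packet is readable) can be seen together by building one LDAP message by hand. The following is an added example, not code from the original page or from Looker: it BER-encodes a simple BindRequest as laid out in RFC 4511, decodes it again with a small TLV walker to show that every field, the password included, is recoverable from the raw bytes, and compares the size with a JSON rendering of the same fields. The DN `cn=alice,dc=example,dc=com` and the password `hunter2` are constructed sample values.

```python
"""Hand-rolled ASN.1 BER encoding of an LDAP simple BindRequest (RFC 4511).

Added example: the structure is
  LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
  BindRequest ::= [APPLICATION 0] SEQUENCE {
      version INTEGER, name OCTET STRING, authentication [0] OCTET STRING }
"""
import json

# Tag bytes (X.690 identifier octets as used by RFC 4511)
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30        # universal, constructed
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80     # [0] context-specific, primitive


def ber_length(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER; non-negative values only here."""
    if n < 0:
        raise ValueError("negative integers are not needed for this example")
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return tlv(TAG_INTEGER, body)


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest(version 3, dn, simple pw) }."""
    bind = (
        ber_integer(3)
        + tlv(TAG_OCTET_STRING, dn.encode())
        + tlv(TAG_SIMPLE_AUTH, password.encode())
    )
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_BIND_REQUEST, bind))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(msg: bytes) -> dict:
    """Walk the TLVs and recover every field; nothing in BER hides the password."""
    tag, body, _ = parse_tlv(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = parse_tlv(body)
    tag, bind, _ = parse_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = parse_tlv(bind)
    _, dn, pos = parse_tlv(bind, pos)
    auth_tag, pw, _ = parse_tlv(bind, pos)
    if auth_tag != TAG_SIMPLE_AUTH:
        raise ValueError("only simple authentication is handled here")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "dn": dn.decode(),
        "password": pw.decode(),
    }


def size_comparison(message_id: int, dn: str, password: str) -> tuple:
    """(BER byte count, JSON byte count) for the same bind fields."""
    ber = encode_simple_bind(message_id, dn, password)
    as_json = json.dumps({
        "messageID": message_id,
        "bindRequest": {"version": 3, "name": dn,
                        "authentication": {"simple": password}},
    }).encode()
    return len(ber), len(as_json)


if __name__ == "__main__":
    # Constructed sample values, not real credentials
    wire = encode_simple_bind(1, "cn=alice,dc=example,dc=com", "hunter2")
    print(wire.hex(" "))
    print(decode_simple_bind(wire))          # password comes back verbatim
    print(size_comparison(1, "cn=alice,dc=example,dc=com", "hunter2"))
```

Running it prints the 47-byte message, the decoded fields with the password in the clear, and the BER-versus-JSON size pair. The decoder needs no key or secret to pull the password out, which is exactly why the page insists on LDAP wrapped in TLS rather than pure LDAP.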
Unlike SAML or OAuth, LDAP does require the user to enter a username and password, so in this way it is less seamless than SAML or Google OAuth. It also requires a lot more maintenance (it requires a DBA).
Sources / Additional Reading: