LDAP vs MySQL for Usernames and Passwords

Privilege Separation Principle

This is a classic case where isolation of your content database from your user database provides a security advantage.

  • The Application Server knows the user's password for the short time until it is compared against the password in the LDAP Server, where it is discarded and only the session and username information is kept for the life of the user's session.
  • The LDAP Server validates the password and delivers the user information to the app server.
  • The Content Database has less critical information accessed through the app server.

The LDAP Server is not more secure, but it has a limited purpose, and thus the surface area for attack is much lower, as opposed to the typical user table stored in a content database which can be retrieved directly in the case of an injection exploit.

The LDAP Server and the Content Database are hidden (in some architectures) by the Application Server so that direct access is not required and only pass-through attacks are possible, further reducing the possibility of compromise.

These multiple services do introduce a complexity that has costs and issues, but they constitute a pattern that encourages/forces the designer/developer to keep separate these specific accountabilities/concerns rather than collapsing the implementation into an insecure system.

Another way of thinking about it is that mistakes are always made when designing / developing / deploying a system, and without this separation of accountabilities, mistakes made in one domain can bleed into and compromise the other domains.

Note: Through a quick reading of the LDAP protocol, a password is a field in the LDAP database, so if that field is hashed (best practice) then the LDAP database doesn't need to know the plaintext password, and as a commenter notes there are special APIs for avoiding issues with password authentication.
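The three-way split described in this answer (application server, authentication directory, content database), as an added example that is not part of the original answer. The `Directory` class is a constructed stand-in for an LDAP server's bind operation, not a real LDAP client; the content schema, user and note are likewise constructed. The point it makes concrete is that the application server only ever holds the password between receiving it and the bind call, the session table stores nothing but a random id and a username, and the content database has no credential column for a query-level flaw to expose.

```python
"""Privilege separation sketch: app server -> directory bind -> content DB.

Constructed example.  `Directory` stands in for an LDAP server (salted
PBKDF2 hashes, bind-style check); `ContentDB` is an in-memory SQLite store
with no credential columns; `AppServer` keeps only session id -> username.
"""
import hashlib
import hmac
import os
import secrets
import sqlite3

PBKDF2_ROUNDS = 200_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the only place a plaintext is processed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Directory:
    """Stand-in for the LDAP server: stores salted hashes, answers bind requests."""

    def __init__(self):
        self._entries = {}  # uid -> (salt, hash, attributes)

    def add_user(self, uid, password, **attrs):
        salt = os.urandom(16)
        self._entries[uid] = (salt, derive(password, salt), attrs)

    def bind(self, uid, password):
        """Return the user's attributes on a valid bind, else None.

        The plaintext never leaves this method and is never stored."""
        entry = self._entries.get(uid)
        if entry is None:
            derive(password, b"\x00" * 16)  # same cost for unknown uids
            return None
        salt, stored, attrs = entry
        if hmac.compare_digest(derive(password, salt), stored):
            return dict(attrs)
        return None


class ContentDB:
    """Content database: notes keyed by owner, no password or hash column."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)"
        )

    def add_note(self, owner, body):
        self.conn.execute("INSERT INTO notes VALUES (?, ?)", (owner, body))

    def notes_for(self, owner):
        rows = self.conn.execute(
            "SELECT body FROM notes WHERE owner = ?", (owner,)
        )
        return [r[0] for r in rows]

    def columns(self):
        """Schema check: what a dump of this table could ever expose."""
        return [row[1] for row in self.conn.execute("PRAGMA table_info(notes)")]


class AppServer:
    """Holds the password only between request and bind; keeps sessions only."""

    def __init__(self, directory, content):
        self.directory = directory
        self.content = content
        self.sessions = {}  # session id -> username

    def login(self, username, password):
        attrs = self.directory.bind(username, password)
        del password  # drop the app server's reference right after the bind
        if attrs is None:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def my_notes(self, sid):
        user = self.sessions.get(sid)
        if user is None:
            raise PermissionError("no valid session")
        return self.content.notes_for(user)


def demo():
    """Wire the three parts together with constructed data and report results."""
    directory = Directory()
    directory.add_user("alice", "correct horse battery staple", mail="alice@example.test")
    content = ContentDB()
    content.add_note("alice", "quarterly report draft")
    app = AppServer(directory, content)
    sid = app.login("alice", "correct horse battery staple")
    bad = app.login("alice", "wrong password")
    return {
        "login_ok": sid is not None,
        "bad_login_rejected": bad is None,
        "notes": app.my_notes(sid) if sid else [],
        "content_columns": content.columns(),
        "session_holds_password": any("staple" in str(v) for v in app.sessions.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows a successful login, a rejected one, the notes served through the session, a content schema consisting of only `owner` and `body`, and a session table that contains no password material. Swapping `Directory.bind` for a real LDAP simple bind keeps the rest of the structure unchanged.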


I'm not sure I agree that "LDAP databases are more secure". After all, an LDAP server is basically a database server, with exactly the same security risks. LDAP is nice if you have the needs (software that can authenticate against LDAP, etcetera) and tooling, but security wise I don't see a difference between using LDAP and MySQL (given that you don't do stupid things like cleartext passwords or unsalted hashes).