What is a Directory Service? AD, LDAP & IAM
A directory service is a centralised platform for managing identities, devices, and applications across a network. It stores data about users and resources, and handles two core functions: authentication, which verifies a user's identity, and authorisation, which determines what that user is permitted to access.
Active Directory (AD) and Entra ID are widely used directory services that help organisations secure and streamline access to their IT environments. In modern IT, a directory service is typically integrated into a broader Identity and Access Management (IAM) environment rather than deployed in isolation.
How a Directory Service Works
Directory services rely on established protocol standards to handle authentication and authorisation. LDAP (Lightweight Directory Access Protocol) is one of the most widely used. Here is how it handles each function.
Authentication
Authentication confirms that a user is who they claim to be. In LDAP, this is handled through a bind operation:
The user attempts to sign in by providing a username in the form of a Distinguished Name (DN) and a password.
The directory server compares the supplied password against the credential stored for that DN.
If the credentials match, the user is authenticated and authorisation begins.
Authorisation
Authorisation determines what the authenticated user is permitted to do:
Permissions are defined in Access Control Lists (ACLs), which specify which users can access which network resources.
A standard employee may only view their own data.
A system administrator may create, modify, and delete user accounts across the directory.
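The bind-then-authorise sequence above, modelled in a small self-contained script. This is an added illustration, not code from the original article: the directory entries, password hashes, group membership and ACL are constructed sample data, and the one caveat it builds in (refusing an empty password before binding) reflects the RFC 4513 rule that a DN with an empty password may be accepted as an anonymous bind.

```python
# Added example, not code from the original article: a minimal model of the
# LDAP simple-bind-then-authorise flow described above. The directory entries,
# password hashes, group membership and ACL are constructed sample data.
import hashlib, hmac, os

def _normalise_dn(dn: str) -> str:
    # DNs are case-insensitive and tolerate spaces around commas (RFC 4514)
    return ",".join(part.strip() for part in dn.split(",")).lower()

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _entry(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

# Constructed directory: normalised DN -> (salt, PBKDF2 hash of the password)
DIRECTORY = {
    _normalise_dn("uid=alice,ou=People,dc=example,dc=com"): _entry("alice-pw"),
    _normalise_dn("uid=bob,ou=People,dc=example,dc=com"): _entry("bob-pw"),
    _normalise_dn("uid=carol,ou=People,dc=example,dc=com"): _entry("carol-pw"),
}
GROUPS = {"cn=admins,ou=groups,dc=example,dc=com": {"uid=carol,ou=people,dc=example,dc=com"}}
# ACL entries: (subject, scope, allowed operations); "self" = the bound user's own entry
ACL = [
    ("self", "self", {"read"}),                                  # ordinary employee
    ("cn=admins,ou=groups,dc=example,dc=com",                    # administrators
     "ou=people,dc=example,dc=com", {"read", "add", "modify", "delete"}),
]

def bind(dn: str, password: str):
    """Simple bind: return the normalised DN on success, None on failure. An empty
    password is refused up front: RFC 4513 s5.1.2 lets a server treat DN + empty
    password as an anonymous bind that succeeds, which naive callers misread as login."""
    if not password:
        return None
    key = _normalise_dn(dn)
    salt, stored = DIRECTORY.get(key, (b"\0" * 16, b""))  # unknown DN still costs a KDF
    return key if stored and hmac.compare_digest(_kdf(password, salt), stored) else None

def authorise(bound_dn: str, operation: str, target_dn: str) -> bool:
    """Authorisation: does any ACL entry grant `operation` on `target_dn`?"""
    target = _normalise_dn(target_dn)
    for subject, scope, ops in ACL:
        subject_ok = subject == "self" or bound_dn in GROUPS.get(subject, {subject})
        scope_ok = (target == bound_dn if scope == "self"
                    else target == scope or target.endswith("," + scope))
        if operation in ops and subject_ok and scope_ok:
            return True
    return False
```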
Directory Service Protocols
LDAP is one of several open standards used within directory services. Open protocols are essential because directory services must integrate with a broad range of systems. The most commonly used protocols are:
| Protocol | Full Name | Primary Use | Common In |
|---|---|---|---|
| LDAP | Lightweight Directory Access Protocol | Storing and retrieving directory data; authentication and authorisation | AD, ApacheDS, IBM Security Directory |
| Kerberos | Kerberos | Network authentication via encrypted tickets; enables SSO without transmitting passwords over the network | Active Directory, Unix environments |
| SAML | Security Assertion Markup Language | Sharing identities across domains to support Single Sign-On (SSO) | Google Workspace, Microsoft 365 |
A note on "lightweight": LDAP was developed from the older X.500 standard, which transmitted large volumes of data and placed significant processing demands on connected devices. LDAP was designed to be efficient: minimal data transfer, low processing overhead, and fast response times. A user may query a directory service dozens of times per day without being aware of it, which makes speed a critical design requirement.
Examples of Directory Services
Several directory services are in common use across enterprise IT environments:
| Directory Service | Deployment | Protocols | Best Suited For |
|---|---|---|---|
| Microsoft Active Directory (AD) | On-premises | LDAP, Kerberos, SAML | Windows environments; user management and authentication |
| Entra ID (formerly Azure AD) | Cloud-based | OAuth, SAML, OpenID Connect | Microsoft 365 and SaaS application access |
| Red Hat Directory Server (RHDS) | On-premises | LDAP | Linux and Unix-based enterprise networks |
| Apache Directory Server (ApacheDS) | Open-source | LDAP, Kerberos | Identity management in Java-based environments |
| IBM Security Directory Server | Enterprise | LDAP | Large-scale directory management |
Directory Services Within an IAM Solution
A directory service handles authentication and authorisation, but it does not manage the full identity lifecycle. A modern IAM environment extends these capabilities to cover onboarding, role changes, and offboarding, as well as compliance and auditability. HelloID builds on the directory service through four dedicated modules.
Access Management
Not all directory services natively support Single Sign-On (SSO) or Multi-Factor Authentication (MFA). The HelloID Access Management module adds these capabilities, giving users secure, streamlined access across all connected applications from a single authenticated session.
Provisioning
Managing accounts and permissions directly in Active Directory or Entra ID is manageable for small teams. For organisations with hundreds or thousands of users, it quickly becomes unworkable, particularly where privacy and information security compliance is required.
The HelloID Provisioning module automates this using Attribute-Based Access Control (ABAC). HelloID queries the HR system multiple times per day, determines the correct accounts and access rights based on each person's current role, department, and location, and propagates those settings automatically to the directory service and all other connected target systems. The directory service continues to handle authentication and authorisation in the background; Provisioning ensures that every setting across every user is accurate, consistent, and auditable at scale.
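Attribute-based provisioning, as described above, reduces to a reconciliation loop: derive the entitlements each person should have from their HR attributes, diff that against what the directory currently holds, and emit the changes. The script below is an added illustration of that loop, not HelloID's own code; the HR records, rules, group DNs and current directory state are constructed sample data, and it deliberately covers the cases that matter for security (a role change, a leaver, and an orphaned account unknown to HR).

```python
# Added example, not HelloID's code: attribute-based provisioning modelled as
# a reconciliation loop. HR records, rules, group DNs and the current directory
# state below are constructed sample data.
from collections import namedtuple

Person = namedtuple("Person", "uid role department location active")  # active=False: leaver
G = "ou=Groups,dc=example,dc=com"
# Each rule maps a predicate over HR attributes to the groups it entitles.
RULES = [
    (lambda p: True,                      {f"cn=all-staff,{G}"}),
    (lambda p: p.department == "finance", {f"cn=finance-share,{G}"}),
    (lambda p: p.role == "manager",       {f"cn=managers,{G}"}),
    (lambda p: p.location == "amsterdam", {f"cn=ams-vpn,{G}"}),
]

def desired_state(people):
    """Groups each person should hold, derived only from their current HR attributes."""
    state = {}
    for p in people:
        entitled = set().union(*(g for pred, g in RULES if pred(p)))
        # A leaver is entitled to nothing, so every group they still hold is revoked
        state[p.uid] = entitled if p.active else set()
    return state

def reconcile(current, desired):
    """Diff directory state against desired state into (action, uid, group) changes.
    Accounts in the directory that HR does not know about are orphans: revoke them."""
    changes = []
    for uid in sorted(set(current) | set(desired)):
        have, want = current.get(uid, set()), desired.get(uid, set())
        changes += [("add", uid, g) for g in sorted(want - have)]
        changes += [("remove", uid, g) for g in sorted(have - want)]
    return changes

# Constructed scenario: alice moved from finance to HR, bob is a leaver,
# dave is a newly hired manager, eve is in the directory but unknown to HR.
HR = [Person("alice", "analyst", "hr", "amsterdam", True),
      Person("bob", "analyst", "finance", "london", False),
      Person("dave", "manager", "finance", "london", True)]
CURRENT = {"alice": {f"cn=all-staff,{G}", f"cn=finance-share,{G}", f"cn=ams-vpn,{G}"},
           "bob": {f"cn=all-staff,{G}", f"cn=finance-share,{G}"},
           "eve": {f"cn=all-staff,{G}"}}

if __name__ == "__main__":
    for action, uid, group in reconcile(CURRENT, desired_state(HR)):
        print(f"{action:6} {uid:6} {group}")
```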
Service Automation
Automated provisioning covers the majority of access requirements. Exceptions will always arise: a project may require temporary access to a shared folder, or an employee may need an additional licence for a specific tool.
Rather than routing these requests to a second-line administrator making changes directly in Active Directory, the HelloID Service Automation module allows helpdesk staff, managers, or the employees themselves to submit and approve changes through a structured self-service workflow. Changes are applied to the directory service through the same controlled, auditable process used for automated provisioning.
Governance
The HelloID Governance module ensures that all changes to accounts and access rights are traceable, and that the overall access landscape is reviewed and adjusted at regular intervals. Automated checks identify inconsistencies, close access gaps, and keep the role model current.
This embeds identity and access management fully within the Plan-Do-Check-Act cycle required by ISO 27001 and related information security standards.
Learn More About Directory Services in HelloID
To find out how HelloID integrates with directory services such as Active Directory and Entra ID, contact our team.