OpenLDAP · Active Directory · Identity infrastructure

Zero-downtime LDAP, so you can forget it's there.

LDAP specialists with 25 years inside the directory infrastructure of the country's largest enterprises. The directory is all we do.

25+
years in directories
20+
enterprise environments
0%
tolerance for downtime

The directories behind names you know

one of the world's largest quantitative trading firmsNeiman MarcusRoskilde UniversityNational Bureau of Economic ResearchThe GapMetron AviationW. L. Gore & AssociatesW. R. GraceRailincBonneville Power Administrationone of the world's largest quantitative trading firmsNeiman MarcusRoskilde UniversityNational Bureau of Economic ResearchThe GapMetron AviationW. L. Gore & AssociatesW. R. GraceRailincBonneville Power Administration

What we do

Directory work, end to end.

From a greenfield OpenLDAP build to untangling a federation that started failing in production. The full lifecycle, handled by specialists.

You're already running LDAP.

Active Directory is LDAP. Your IdP federates to a directory. The VPN, the NAS, the sudo rules, and the wifi all bind to one.

AD = LDAP + Kerberos IdP → federates to a directory VPN binds to it NAS authenticates against it sudo & SSH read it wifi (802.1X) trusts it SSSD + RFC 2307 = Linux logins printers & scanners badge-auth to it VoIP phones pull the directory vCenter & hypervisors auth to it your app stack (GitLab, Jira, Grafana) SSO-binds

One source of truth

Mail, routed by the directory.

Postfix routes from it, Dovecot authenticates against it, and in an Active Directory shop every alias already lives on the user. Addresses, routing, and mailbox lookups resolve from the same entries your logins do. One directory, not a mail config drifting out of sync beside it.

Add a person once. Their mailbox, their aliases, and their slot in everyone's address book all follow. The GAL is just an LDAP query.

Postfix
virtual_alias_maps = ldap:ldap-aliases.cf
query_filter       = (|(mail=%s)(mailLocalAddress=%s))
result_attribute   = mailRoutingAddress
Dovecot
passdb { driver = ldap }   userdb { driver = ldap }
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
Active Directory
proxyAddresses: SMTP:tiro@ldapguys.com   # primary
proxyAddresses: smtp:m.tullius@ldapguys.com
targetAddress:  SMTP:tiro@collegium-scribarum.rom
sssd.conf
id_provider      = ldap
ldap_uri         = ldaps://ds.senate.gov.spqr
ldap_search_base = dc=senate,dc=gov,dc=spqr
ldap_schema      = rfc2307
nsswitch.conf
passwd:  files sss
group:   files sss
sudoers: files sss
SSH keys from the directory
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
# public keys live on the entry, via sshPublicKey

One login, every box

Logins, answered by the directory.

SSSD binds the Linux fleet to the same directory everything else uses. Users, groups, sudo rules, and even SSH public keys resolve over LDAP. No local /etc/passwd to drift, no per-host account sprawl to reconcile.

Onboard once, log in everywhere. Offboard once, and the keys stop working on every host at the same moment. RFC 2307 is doing the work.

FAQ

Questions we get asked.

Am I even running LDAP?

Almost certainly yes. If you run Active Directory, you run LDAP. AD speaks LDAP for directory lookups. Your VPN, wifi (802.1X), NAS, sudo rules, SSSD logins, and most app SSO all bind to a directory over LDAP, whether or not anyone calls it that.

What's the difference between Active Directory and LDAP?

LDAP is the protocol; Active Directory is a directory server that speaks it. AD is LDAP for directory reads and writes, plus Kerberos for authentication and Microsoft-specific schema and replication layered on top. OpenLDAP, by contrast, is a pure-LDAP server with no Kerberos bundled in.

Can you migrate our directory without downtime?

Yes. We run the old and new directories in parallel, replicate or sync entries across, cut over reads first and writes last, and keep a tested rollback at every step. No lost entries, no broken binds, no surprise outage.

Our directory is down right now. Can you help?

Yes. Emergency directory support is a core service: auth failing org-wide, replication split-brained, or a bind that suddenly stopped. We've seen it and we fix it fast. Email hello@ldapguys.com and say it's urgent.

Do you work with OpenLDAP, Active Directory, or both?

Both, and the integration between them. Greenfield OpenLDAP builds, established AD environments, and the sync, trust, and federation that makes the two coexist cleanly.

What does an LDAP security audit cover?

Weak and anonymous binds, cleartext (non-TLS) traffic, over-broad ACLs, stale privileged group membership, schema sprawl, and directory exposure to networks that should never reach it. You get a prioritized findings list with concrete fixes.

Is your directory done right?

One conversation with someone who's actually run directories at this scale. No sales engineer, no script, just an expert.

Talk to an expert