ELI5: What is LDAP and what is Active Directory? What are the security risks involved with these?


2 Answers

Anonymous 0 Comments

LDAP is just a database/database protocol, like MySQL. Active Directory manages everything you put in the domain containers, like users, passwords, keys, printers, file volumes, applications… AD manages the data and runs on the domain servers and stores everything on LDAP. The security risks are high, but as long as you don’t expose your network to the world you should be safer. The things that can go wrong are basically everything: if your security is not good enough, your domain’s email addresses, usernames, passwords, and basically everything on Active Directory can be cracked, then those user/password combinations can be used to leverage more data on other services. If you aren’t patched and don’t lock down your network, that is the worst that can happen.

Anonymous 0 Comments

LDAP is a sort of database, only unlike most databases people are familiar with it’s hierarchical, meaning it stores data in a structure that looks like a [tree](https://docs.geoserver.org/2.19.x/en/user/_images/acme_ldap.png). It’s very often used for user accounts.

For instance, LDAP can very comfortably handle the case of handling multiple organizations, departments, groups and so on in the same database, and having different rules apply to different levels. In something like MySQL there tends to be a single rule about whether table “employees” can be modified or not. Either you can’t, or you can do anything you like. Under LDAP you can easily have, say, Bob Manager be able to add accounts to his own department, but not somebody else’s.

LDAP by its nature tends to be critical for security, because it can define who can do what for the entire organization.

Active Directory is Microsoft’s specific implementation of an LDAP server, with Microsoft’s own additions.
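
The per-department rule from the answer above (Bob can add accounts in his own department but not in somebody else's), sketched as an added example that is not part of the original answers. It is a toy in-memory tree, not a real LDAP server or library API, and every DN, name and rule in it is constructed for illustration.

```python
# Added illustration: a toy in-memory directory, not a real LDAP server or library.
# All DNs, names and rules below are constructed for this example.

def parse_dn(dn):
    """Split a DN into RDNs (leaf first), honouring backslash-escaped commas.
    Simplification: case and surrounding spaces are ignored for every attribute."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped or ch != ",":
            cur += ch
            escaped = (ch == "\\") and not escaped
        else:
            parts.append(cur)
            cur = ""
    parts.append(cur)
    return tuple(p.strip().lower() for p in parts)

def is_under(dn, base):
    """True when dn is a strict descendant of base, compared RDN by RDN
    (never by raw string suffix, which mishandles escapes, case and spacing)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[len(d) - len(b):] == b

# (who, subtree they may act in, rights): different rules at different levels.
ACL = [
    ("uid=bob,ou=Sales,dc=acme,dc=com", "ou=Sales,dc=acme,dc=com", {"add"}),
    ("cn=admin,dc=acme,dc=com", "dc=acme,dc=com", {"add", "delete"}),
]

def allowed(subject, action, target):
    """Default deny: some ACL row must match subject, action and subtree."""
    who = parse_dn(subject)
    return any(parse_dn(s) == who and action in rights and is_under(target, base)
               for s, base, rights in ACL)

class Directory:
    def __init__(self):
        self.entries = {parse_dn(dn): {} for dn in (
            "dc=acme,dc=com", "ou=Sales,dc=acme,dc=com",
            "ou=Engineering,dc=acme,dc=com")}

    def add(self, subject, dn, attrs):
        key = parse_dn(dn)
        if key[1:] not in self.entries:        # parent must already exist
            raise KeyError("parent entry does not exist")
        if not allowed(subject, "add", dn):    # checked on the parsed DN
            raise PermissionError(f"{subject} may not add {dn}")
        self.entries[key] = dict(attrs)
```

The subtree check is where such rules are usually gotten wrong: a DN whose first component contains an escaped comma, such as `uid=eve\,ou=Sales,dc=acme,dc=com`, sits directly under `dc=acme,dc=com` and must not be treated as part of the Sales department.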