by Karunamon 3636 days ago
Could you elaborate a bit? I've heard many criticisms leveled at LDAP over the years, but never that it's insecure or obsolete.

Thank you for your civility :). The word 'secure' is subjective and thus always a matter of opinion (since obviously nothing is truly secure).

LDAP is insecure: it has a long history of serious problems. (for example, https://www.cvedetails.com/vulnerability-list/vendor_id-439/... ) (389ds and IPA are all based on the slapd OpenLDAP code.)

0) it's enormous: both as an implemented application and as a protocol and specification. Complexity is the enemy of security.

1) it widens your network footprint and isn't hardened against modern attacks (all LDAP directories that I'm aware of also have a regrettable history a la bugtraq/cert). (even without bringing krb5 into the picture)

2) it is complex and allows schema/ACL changes to expose attributes in non-obvious ways

3) no commercially available LDAP implementation natively encrypts all data

4) ouch, LDAP injection (https://www.owasp.org/index.php/LDAP_injection)

5) A centrally managed directory represents a very rich target for the secrets it contains

6) particularly when used as an authentication backend, it also presents a nice DoS target. (I have personal experience from a previous life...) :(

7) An LDAP server exposed to a LAN is rapidly (today) approaching being exposed to the Internet as VPN connections join multiple clouds and formerly internal datacenters, for anything but the tiniest of network footprints.

8) Most of the interlocking services, such as KRB5, have a sordid history of really bad root-level vulns. (https://www.cvedetails.com/vulnerability-list/vendor_id-42/p...)

Obviously many of these concerns can be somewhat mitigated but my strong personal opinion is that the size and complexity of LDAP makes it its own worst enemy. With that said, there's no real replacement for it, right?

With regards to things like SSO and SAML2, oauth (which also has its own share of problems due to the same problems of size and complexity) is beginning to make the need for an enterprise-wide directory moot, but this will obviously take time.

Not to mention - implementation to integrate with something like FreeIPA or similar is just unmitigated pain, both up front (i.e., if you want to run it somewhere like AWS without control over reverse DNS) or on each node (I've written PAM modules before and I still think making PAM changes is a big pain and not without significant risk.)
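The LDAP injection item above (point 4) in working form, as an added example that is not part of the thread: a search filter built by string concatenation is compared with one that escapes the value as RFC 4515 requires. The login lookup on `uid`, the `person` object class and the username inputs are constructed for the illustration; no directory is contacted.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever be read as a single assertion value."""
    # Per-character mapping, so the backslash is never double-escaped.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_login_filter(username: str) -> str:
    """Vulnerable pattern: raw input concatenated into the filter (hypothetical app code)."""
    return "(&(objectClass=person)(uid=" + username + "))"


def safe_login_filter(username: str) -> str:
    """Hardened pattern: the same filter, with the value escaped first."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


def count_assertions(filter_str: str) -> int:
    """Count attribute=value assertions; a change here means the input altered filter structure.

    Useful as a unit-test guard: for a fixed filter template the count must stay constant
    whatever the value is.
    """
    return len(re.findall(r"\(([^()=]+)=([^()]*)\)", filter_str))


if __name__ == "__main__":
    # Constructed inputs: one ordinary username, one carrying filter metacharacters.
    for name in ("alice", "*)(uid=*"):
        unsafe = unsafe_login_filter(name)
        safe = safe_login_filter(name)
        print(f"{name!r}: unsafe has {count_assertions(unsafe)} assertions -> {unsafe}")
        print(f"{name!r}: safe   has {count_assertions(safe)} assertions -> {safe}")
```

With the second input the unescaped filter grows a third assertion and matches every `person` entry, while the escaped version still carries exactly two assertions and simply fails to match a literal that does not exist.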

Thanks for the details.

Regarding insecurity: I don't give much credence to a "history of serious problems". Any (and I do mean any) application which deals with arbitrary input and data types has had a history of particularly nasty security holes.

You'd eliminate every major web browser here too. I see a large number of CVEs as a good thing, as that means there are eyes on the code and the exploits are getting found and fixed. The alternative is worse; it means there are bugs and they aren't being found.

Survivor bias :)

Regarding complexity: Security/authentication tools are complex, and they kind of have to be given the number of requirements, ciphers, data types, etc. There is no solution to this problem.

Regarding attack targeting: Any repository used for authentication will be a DoS/hacking target. Again, it's the nature of the beast; it's a high-value target and always will be.

Regarding SSO/SAML/oauth: Those have to authenticate against something, yes? What is that "something" in this case that makes it a true alternative?