Auth0 integrates with Active Directory/LDAP through the Active Directory/LDAP Connector that you install in your network.
The AD/LDAP Connector (1) is a bridge between your Active Directory (2) and the Auth0 Service (3). This bridge is necessary because AD is typically locked down to your internal network, and Auth0 is a cloud service running in a completely different context.
You can install multiple instances of the Connector for high availability and load balancing. All connections are outbound, from the Connector to the Auth0 Server, so in general no firewall changes are needed.
An AD/LDAP Connection caches user profiles and credentials by default to maximize availability and performance. Credential caching can be disabled at the connection level.
The AD/LDAP Connection credential cache stores a hash of the user password. Auth0 never stores secrets in clear text.
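The following sketch illustrates the hash-only credential cache described above. It is an added example, not Auth0's code. The PBKDF2 parameters, the TTL, the `DirectoryUnavailable` exception, the `directory_bind` callback and the policy of consulting the cache only when the directory is unreachable are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

class DirectoryUnavailable(Exception):
    """Raised by the (hypothetical) directory bind when AD/LDAP cannot be reached."""

class CredentialCache:
    """Hash-only cache: the clear-text password is never retained."""
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._entries = {}  # username -> (salt, digest, stored_at)
        self._ttl = ttl_seconds
        self._clock = clock

    @staticmethod
    def _derive(password, salt):
        # PBKDF2-HMAC-SHA256 is an assumption; the page does not name the hash.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def store(self, username, password):
        salt = os.urandom(16)  # per-user random salt
        self._entries[username] = (salt, self._derive(password, salt), self._clock())

    def invalidate(self, username):
        self._entries.pop(username, None)

    def verify(self, username, password):
        entry = self._entries.get(username)
        if entry is None:
            return False
        salt, digest, stored_at = entry
        if self._clock() - stored_at > self._ttl:
            self.invalidate(username)  # stale entries must not authenticate
            return False
        return hmac.compare_digest(digest, self._derive(password, salt))

def authenticate(username, password, directory_bind, cache):
    """Ask the directory first; fall back to the cache only if it is unreachable."""
    try:
        ok = directory_bind(username, password)
    except DirectoryUnavailable:
        return cache.verify(username, password)
    if ok:
        cache.store(username, password)  # refresh the hash after a live success
    else:
        cache.invalidate(username)  # a live rejection overrides any cached hash
    return ok
```

A cached hash keeps authenticating until it expires or the directory is reached again, which is the trade-off to weigh when deciding whether to disable credential caching on a connection.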