Uploaded by Oladipo Agboola

What is LDAP?

Lightweight Directory Access Protocol (LDAP) is a standard application protocol for accessing and
managing a directory service. It is supported by most vendor directory services, including Active
Directory (AD), and facilitates the sharing of information on users, systems, networks, services, and
applications with applications and services that need it.

It is not to be confused with Active Directory, which is a directory server that makes use of the
LDAP protocol. Although Microsoft Active Directory is the industry-standard directory service, you
may hear people say that they ‘use LDAP’ instead. What they are actually saying is that they use a
different directory that also speaks the LDAP protocol.

LDAP Authentication Types

**1. No Authentication**

The use of "No Authentication" is acceptable only when sharing public data.

**2. Basic Authentication**

Basic Authentication is similar to Basic Authentication under HTTP. Authentication is accomplished
through the use of a DN (Distinguished Name) and a password. This data is sent either in plaintext or
encoded using Base64 encoding, which is not encryption and offers no confidentiality.

**3. Simple Authentication and Security Layer (SASL)**

**SASL** is a framework for plugging in alternative security mechanisms. I will say more about this
alternative a little later.

What Security Issues Does LDAP Create?

LDAP is exposed to various security threats, including spoofing of directory services and attacks
against the databases that provide the directory services. RFC 2829 – Authentication Methods for
LDAP defines the basic threats to an LDAP directory service:

1. Unauthorized access to data via data-fetching operations,

2. Unauthorized access to reusable client authentication information by monitoring others' access,

3. Unauthorized access to data by monitoring others' access,

4. Unauthorized modification of data,

5. Unauthorized modification of configuration,

6. Unauthorized or excessive use of resources (denial of service), and

7. Spoofing of directory: tricking a client into believing that information came from the directory
when in fact it did not, either by modifying data in transit or misdirecting the client's connection.

Kindly note that Threats (1), (4), (5) and (6) are due to hostile clients. Threats (2), (3) and (7) are due
to hostile agents on the path between client and server, or posing as a server.

LDAP by itself sends its data to the directory service in plain text. Unsecured LDAP traffic therefore
carries highly sensitive data unencrypted, which makes it an easy target for attackers. LDAP
authentication is not secure on its own: a passive eavesdropper could learn your LDAP password
simply by listening to traffic in flight.

What Can You Do To Enhance LDAP Security?

LDAP clients must authenticate to the server before being allowed access to the directory. Clients
(users, computers, or applications) connect to the LDAP server using a distinguished name and
authentication credentials (usually a password). Authentication information is sent from the client to
the server as part of a "bind" operation, and the connection is later closed using an "unbind"
operation.

Unfortunately, it is possible for users to make the connection with limited or no authentication by
using either anonymous or simple authentication. You should not allow anonymous clients to send
LDAP requests to the server without first performing an authenticated bind operation.
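To make the bind operation concrete, here is an added example (not part of the original post) that builds LDAP BindRequest messages with the BER layout from RFC 4511 and then inspects them the way a network monitor would, flagging anonymous, unauthenticated and cleartext simple binds. The DNs, passwords and the `audit_bind` labels are constructed for this example; the tags and message structure are the protocol's own.

```python
"""Encode and inspect LDAP BindRequest messages (RFC 4511 BER) to show what a
simple bind puts on the wire and to classify insecure binds as a monitoring
rule would. Message layout and tags follow RFC 4511; the sample DNs and
passwords are constructed for this example."""
from typing import Optional

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80       # [0] OCTET STRING: the password, in the clear
AUTH_SASL = 0xA3         # [3] SEQUENCE { mechanism, credentials OPTIONAL }


def _ber_len(n: int) -> bytes:
    """Short-form length below 128, long-form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value: int) -> bytes:
    # minimal two's-complement encoding (enough for message IDs and the version)
    return _tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def bind_request(msg_id: int, dn: str, password: str = "",
                 sasl_mech: Optional[str] = None, sasl_creds: bytes = b"") -> bytes:
    """Build an LDAPMessage carrying a protocol-version-3 BindRequest."""
    if sasl_mech is None:
        auth = _tlv(AUTH_SIMPLE, password.encode())
    else:
        auth = _tlv(AUTH_SASL, _tlv(OCTET_STRING, sasl_mech.encode()) + _tlv(OCTET_STRING, sasl_creds))
    bind = _tlv(BIND_REQUEST, _ber_int(3) + _tlv(OCTET_STRING, dn.encode()) + auth)
    return _tlv(SEQUENCE, _ber_int(msg_id) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind(packet: bytes) -> Optional[dict]:
    """Return the bind's DN and authentication choice, or None if not a BindRequest."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None
    _, _version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": int.from_bytes(mid, "big", signed=True), "dn": name.decode()}
    if tag == AUTH_SIMPLE:
        info.update(auth="simple", password=auth.decode())
    elif tag == AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        info.update(auth="sasl", mechanism=mech.decode())
    else:
        info.update(auth="unknown")
    return info


def audit_bind(packet: bytes, encrypted: bool) -> str:
    """Classify a captured bind. `encrypted` is True for LDAPS (636) or after StartTLS.
    The labels are this example's own, not a standard vocabulary."""
    b = parse_bind(packet)
    if b is None:
        return "not-a-bind"
    if b["auth"] == "simple":
        if not b["dn"] and not b["password"]:
            return "anonymous-bind"            # empty DN and empty password
        if b["dn"] and not b["password"]:
            return "unauthenticated-bind"      # DN with empty password; servers should reject
        return "simple-bind-tls" if encrypted else "simple-bind-cleartext"
    return "sasl-" + b["mechanism"] + ("" if encrypted else "-no-tls")


if __name__ == "__main__":
    pkt = bind_request(1, "cn=svc-backup,dc=example,dc=com", "Hunter2!")   # constructed sample
    print(parse_bind(pkt))             # the password is readable straight out of the BER payload
    print(audit_bind(pkt, encrypted=False))
```

Running the block shows the password recovered verbatim from the encoded request, which is exactly what a passive listener on port 389 sees; the same request classified with `encrypted=True` is what an LDAPS or StartTLS deployment would present to that listener as opaque bytes.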

NOTE:

Microsoft has already issued a significant advisory against the use of 'unsecure' LDAP to Active
Directory because of the potential for attacks and misuse.

LDAPS should be used with Active Directory domain controllers.

This isn't to say that LDAP is completely vulnerable. LDAP supports a number of different security
mechanisms, beginning from when clients initially connect to an LDAP server.

Optionally, the connection can use TLS, as mentioned above, to secure the connection and protect
any data transmitted between the client and server.

LDAP can also be used over SSL, which protects the connection even when it crosses the Internet.
LDAPS is Secure LDAP, which encrypts LDAP connections by using SSL or TLS. Such deployments can
also bring PKI objects, such as certificates, into the authentication process (for example with
smart cards) and into the extended properties of account objects, so that they can support extra
security requirements. To use SSL with LDAP, the LDAP server must have an X.509 server certificate.
Additionally, SSL/TLS must be enabled on the server.

**SASL (Simple Authentication and Security Layer)** is a framework for plugging in alternative
security mechanisms. These security mechanisms include:

➤ Kerberos Version 4

➤ S/Key

➤ GSSAPI

➤ CRAM-MD5

➤ TLS

➤ ANONYMOUS
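The SASL item above and the earlier remark that SASL plugs in alternative mechanisms both deserve a worked exchange. The following added example (not from the original post) models both sides of a CRAM-MD5 bind, one of the mechanisms listed, so the wire messages can be inspected: the server issues a challenge, the client answers with an HMAC over it, and the password itself never appears in either message. The hostname, account and password are constructed; the mechanism follows RFC 2195.

```python
"""A CRAM-MD5 challenge/response exchange (RFC 2195), the kind of mechanism
SASL lets an LDAP server plug in instead of a simple bind. Both sides are
modelled so the messages on the wire can be examined. Hostname, account and
password are constructed for this example."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional


# Server side -----------------------------------------------------------------
def make_challenge(hostname: str) -> bytes:
    """Fresh, unpredictable challenge, so a replayed response cannot match a new one."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>".encode()


def server_verify(response: bytes, challenge: bytes,
                  lookup: Callable[[str], Optional[str]]) -> bool:
    """Recompute the digest from the stored secret and compare in constant time.
    CRAM-MD5 requires the server to hold the password (or an HMAC-equivalent of it)."""
    username, _, digest = response.decode().partition(" ")
    secret = lookup(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Client side -----------------------------------------------------------------
def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Only HMAC-MD5(password, challenge) leaves the client, never the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


# Whole exchange, returning what an observer on the path would see ------------
def exchange(username: str, password: str, lookup: Callable[[str], Optional[str]],
             hostname: str = "ldap.example.test") -> dict:
    challenge = make_challenge(hostname)
    response = client_response(username, password, challenge)
    return {
        "server_challenge": challenge,
        "client_response": response,
        "accepted": server_verify(response, challenge, lookup),
    }


def secret_on_wire(trace: dict, password: str) -> bool:
    """True if the password appears verbatim in any message of the trace."""
    messages = (trace["server_challenge"], trace["client_response"])
    return any(password.encode() in m for m in messages)


if __name__ == "__main__":
    directory = {"alice": "correct horse battery"}          # constructed sample account
    trace = exchange("alice", "correct horse battery", directory.get)
    print(trace["server_challenge"], trace["client_response"], trace["accepted"])
    print("password visible on the wire:", secret_on_wire(trace, "correct horse battery"))
```

Compared with the simple bind, a passive listener no longer learns the password outright, and a captured response is useless against a later challenge. The mechanism still has limits worth knowing when choosing among the list above: the captured response can be guessed against offline, the server must store a cleartext-equivalent secret, and nothing after the bind is encrypted, so it complements TLS rather than replacing it.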

Remember:

“The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon
connecting with a client.” So, please stop allowing unsecure binds with LDAP (port 389) immediately.

Guys, what do you think of this post? Is it helpful to you in some manner?

Kindly let me know in the comment section...

With thanks,

Meena R.
