Lightweight Directory Access Protocol (LDAP) is a standard application protocol for accessing and managing a directory service. It is supported by most vendor directory services, including Active Directory (AD), and facilitates the sharing of information on users, systems, networks, services, and applications with applications and services that need it.
It is not to be confused with Active Directory, which is a directory server that makes use of the LDAP protocol. Although Microsoft Active Directory is the industry-standard directory service, you may hear people say that they 'use LDAP' instead; what they are actually saying is that they use a different directory that also speaks the LDAP protocol.
LDAP Authentication Types
1. No Authentication
The use of "No Authentication" is acceptable when sharing public data.
2. Basic Authentication
Basic Authentication is similar to Basic Authentication under HTTP. Authentication is accomplished through the use of a DN (Distinguished Name) and a password. This data is sent either in plaintext or Base64-encoded.
3. Simple Authentication and Security Layer (SASL)
SASL is a framework for plugging in alternative security mechanisms. I will elaborate on this alternative a little later.
What Security Issues Does LDAP Create?
LDAP is vulnerable to various security threats, including spoofing of directory services and attacks against the databases that provide the directory services:
1. Unauthorized access to data via data-fetching operations,
2. Unauthorized access to reusable client authentication information by monitoring others' access,
3. Unauthorized access to data by monitoring others' access,
4. Unauthorized modification of data,
5. Unauthorized modification of configuration,
6. Unauthorized or excessive use of resources (denial of service), and
7. Spoofing of directory: tricking a client into believing that information came from the directory when in fact it did not, either by modifying data in transit or misdirecting the client's connection.
Kindly note that threats (1), (4), (5) and (6) are due to hostile clients. Threats (2), (3) and (7) are due to hostile agents on the path between client and server, or posing as a server.
LDAP in itself sends its data to the directory service in plain text. That is why unsecured LDAP traffic contains highly sensitive data that is unencrypted, and is therefore a sitting duck for attackers. LDAP authentication is not secure on its own: a passive eavesdropper could learn your LDAP password by listening in on traffic in flight.
What Can You Do To Enhance LDAP Security?
LDAP clients must authenticate to the server before being allowed access to the directory. Clients (users, computers, or applications) connect to the LDAP server using a distinguished name and authentication credentials (usually a password). Authentication information is sent from the client to the server as part of a "bind" operation, and the connection is later closed using an "unbind" operation. Unfortunately, it is possible for users to make the connection with limited or no authentication, by using either anonymous or simple authentication. You should not allow anonymous clients to send LDAP requests to the server without first performing the bind operation.
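To make the bind types and the eavesdropping risk described above concrete, here is an added Python example (not code from the original article). It builds LDAP BindRequest and StartTLS messages in the BER encoding LDAP uses on the wire, then decodes them the way a passive monitor on port 389 would, classifying each bind as anonymous, unauthenticated (DN without password), simple (password readable) or SASL. The DNs, passwords and message IDs are constructed sample values; the tag numbers follow RFC 4511.

```python
"""Added example: what an LDAP bind looks like on the wire and how a sensor would classify it.
All DNs, passwords and message IDs below are constructed sample values."""
from typing import Optional

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID (RFC 4511)


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N followed by N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def bind_request(msg_id: int, dn: str, password: Optional[str] = None,
                 sasl_mechanism: Optional[str] = None) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, authentication } }."""
    if sasl_mechanism:
        auth = tlv(0xA3, tlv(0x04, sasl_mechanism.encode()))   # sasl [3] SaslCredentials
    else:
        auth = tlv(0x80, (password or "").encode())            # simple [0] OCTET STRING
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth))


def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] carrying the StartTLS OID as requestName [0]."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the BER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify(payload: bytes) -> dict:
    """Describe one client-to-server payload captured on an LDAP port."""
    if payload[:1] == b"\x16":               # TLS handshake record, not BER: LDAPS or post-StartTLS
        return {"kind": "tls"}
    if len(payload) < 2:
        return {"kind": "unknown"}
    tag, msg, _ = read_tlv(payload)
    if tag != 0x30:
        return {"kind": "unknown"}
    _, raw_id, pos = read_tlv(msg)
    msg_id = int.from_bytes(raw_id, "big", signed=True)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag == 0x77:
        name_tag, name, _ = read_tlv(op)
        kind = "starttls" if name_tag == 0x80 and name == STARTTLS_OID else "extended"
        return {"kind": kind, "msg_id": msg_id}
    if op_tag != 0x60:
        return {"kind": "other", "msg_id": msg_id}
    _, _version, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    result = {"kind": "bind", "msg_id": msg_id, "dn": dn.decode(), "auth": "unknown"}
    if auth_tag == 0x80:
        if not dn and not auth:
            result["auth"] = "anonymous"
        elif not auth:
            result["auth"] = "unauthenticated"   # DN with empty password (RFC 4513 s.5.1.2)
        else:
            result["auth"] = "simple"
            result["password"] = auth.decode()    # readable by anyone on the path: the article's point
    elif auth_tag == 0xA3:
        _, mechanism, _ = read_tlv(auth)
        result["auth"] = "sasl/" + mechanism.decode()
    return result


def audit(payload: bytes, tls_established: bool = False) -> str:
    """Defender's verdict for one client message, given whether TLS already protects the session."""
    found = classify(payload)
    if tls_established or found["kind"] == "tls":
        return "ok: encrypted transport"
    if found["kind"] == "starttls":
        return "ok: client negotiating StartTLS before binding"
    if found["kind"] != "bind":
        return "info: non-bind operation on cleartext LDAP"
    auth = found["auth"]
    if auth == "simple":
        return "critical: simple bind on cleartext LDAP exposes the password for " + found["dn"]
    if auth == "anonymous":
        return "high: anonymous bind (disable unless the directory data is public)"
    if auth == "unauthenticated":
        return "high: unauthenticated bind (DN without password; the server should reject it)"
    return "review: " + auth + " bind on cleartext LDAP (acceptable only if the mechanism itself provides integrity and confidentiality)"


if __name__ == "__main__":
    samples = [bind_request(1, "cn=svc-app,dc=example,dc=com", "Hunter2!"),   # constructed values
               bind_request(2, "", ""), bind_request(3, "cn=bob,dc=example,dc=com", ""),
               bind_request(4, "", sasl_mechanism="GSSAPI"), starttls_request(5)]
    for sample in samples:
        print(audit(sample))
```

Running the script prints one verdict per constructed message; the first sample shows that the password in a simple bind sits in the packet as a plain OCTET STRING, which is why the same bind is only acceptable once `tls_established` is true (LDAPS on 636, or after the StartTLS exchange the third sample begins).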
NOTE:
Microsoft has already issued a significant advisory against the use of unsecured LDAP to Active Directory because of the potential for attacks and misuse.
LDAPS should be used with Active Directory domain controllers.
This isn't to say that LDAP cannot be secured. LDAP supports a number of different security mechanisms, beginning from when clients initially connect to an LDAP server.
Optionally, the connection can use TLS to secure the connection as I mentioned earlier, and protect any data transmitted between the client and server.
LDAP can also be used over SSL, which extends its security across the Internet. LDAPS is Secure LDAP, which encrypts LDAP connections by using SSL or TLS. Some directory services also integrate PKI certificates as objects in the authentication process (for example with smart-card technologies) and in the extended properties of account objects, so that they can support extra security requirements. To use SSL with LDAP, the LDAP server must have an X.509 server certificate. Additionally, SSL/TLS must be enabled on the server.
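The server-side requirement above has a client-side counterpart: an LDAPS client is only protected if it actually verifies the X.509 certificate the server presents before sending a bind. As an added example (not the article's own code), the following Python builds that TLS context and adds two operational checks on the certificate as returned by getpeercert(): how many days remain before expiry and whether a subjectAltName covers the host you intended to reach. The host name dc01.example.com and the sample certificate dictionary are constructed values.

```python
"""Added example: the client side of LDAPS.
A hardened LDAP client verifies the server's X.509 certificate before it sends a bind.
dc01.example.com and the sample certificate dictionary below are constructed values."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional


def ldaps_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings for port 636 (or after StartTLS on 389): verified cert, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=ca_file)   # ca_file: the CA that issued the server's certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED                 # never bind through an unverified server
    return ctx


def days_until_expiry(cert: Dict, now: Optional[datetime] = None) -> int:
    """Days left on a certificate in the dict form returned by SSLSocket.getpeercert()."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])          # notAfter is expressed in GMT
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((not_after - now_ts) // 86400)


def _name_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 matching: exact name, or one wildcard as the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def certificate_findings(cert: Dict, expected_host: str, now: Optional[datetime] = None) -> List[str]:
    """Operational checks beyond what the handshake enforces: expiry horizon and SAN coverage."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("certificate expired")
    elif days < 30:
        findings.append(f"certificate expires in {days} days")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(name, expected_host) for name in dns_names):
        findings.append(f"no subjectAltName DNS entry matches {expected_host}")
    return findings


def check_ldaps(host: str, port: int = 636, ca_file: Optional[str] = None,
                timeout: float = 5.0) -> Dict:
    """Open a verified TLS session to an LDAPS endpoint and report what the server presented.
    Needs network access; the handshake raises ssl.SSLError if the certificate does not verify,
    which is exactly what an LDAP client should do before it sends any credentials."""
    ctx = ldaps_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(), "cipher": tls.cipher()[0],
                    "days_left": days_until_expiry(cert),
                    "findings": certificate_findings(cert, host)}


# Constructed sample in getpeercert() shape, so the checks can run offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.example.com"),),),
    "subjectAltName": (("DNS", "dc01.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan 15 09:59:47 2026 GMT",
}
SAMPLE_NOW = datetime(2026, 1, 5, 9, 59, 47, tzinfo=timezone.utc)   # constructed "current" time

if __name__ == "__main__":
    print(days_until_expiry(SAMPLE_CERT, SAMPLE_NOW), "days left")
    print(certificate_findings(SAMPLE_CERT, "dc01.example.com", SAMPLE_NOW))
```

`check_ldaps("dc01.example.com", ca_file="/path/to/issuing-ca.pem")` is the call you would run against a real domain controller; the rest of the block runs offline against the constructed certificate.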
SASL (Simple Authentication and Security Layer) is a framework for plugging in alternative security mechanisms. These security mechanisms include:
- Kerberos Version 4
- S/Key
- GSSAPI
- CRAM-MD5
- TLS
- ANONYMOUS
Remember:
“The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.” So please stop allowing unsecured binds over LDAP (port 389) immediately.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.
If you haven't yet been touched by her enthusiastic work of sharing quality information about Cybersecurity, you can follow her on Facebook at Cybersecurity PRISM.