In the business world, it is essential to have an efficient way to manage information about employees, their attributes and company assets. A Lightweight Directory Access Protocol (LDAP) server provides that solution by allowing companies to store and access employee contact information in a central location. Businesses save time and money by using an LDAP server while improving employee communication.
LDAP is also well known to penetration testers, who encounter it during assessments for enumeration or relay scenarios; which of these applies depends on the job and the test scope.
What is Lightweight Directory Access Protocol (LDAP)?
The Lightweight Directory Access Protocol (LDAP) is a cross-platform vendor-neutral software protocol used for directory service authentication. For simplicity, imagine the LDAP server as a comprehensive virtual phone book. The phone book gives access to an extensive directory of contact information for hundreds of people. It is easy to search through the phone book and find whatever information is needed using LDAP.
LDAP maintains directory information in an organised and easy-to-search manner; it allows anyone to query and communicate within the directory service servers and locate data related to the organisation, users, devices and other resources such as files in a network.
What port do LDAP and LDAPS use?
LDAP uses TCP port 389 as well as UDP port 389, whereas LDAPS uses TCP port 636.
What are directory information services?
A directory or directory information service is a network database that stores information in data trees. Each entry in the tree includes a distinguished name (DN), a collection of attributes, and objects. Microsoft Active Directory (AD) is one example of such a service.
LDAP is the protocol that communicates with such directory services to perform queries. System administrators can also use LDAP single sign-on to control access to an LDAP database.
A short glossary of LDAP terms
When learning about LDAP (Lightweight Directory Access Protocol), there are a few common terms that one must understand before moving forward; these include:
1. Data models: The models describe the kinds of information the directory contains and help in understanding the facets of an LDAP server. Generally, a model covers general information, functions, security details and names.
2. Distinguished Name (DN): A DN is the unique identifier of an individual entry in the directory. The DN also describes the location of the entry within the information tree.
3. Modifications: These are the requests LDAP users make when they want to alter the data in an entry. Adding, deleting, replacing and incrementing are the possible types of modification.
4. Relative Distinguished Name (RDN): An RDN is the part of a DN that names an entry relative to its parent entry; RDNs are used to group multiple DNs by their relative location.
5. Schema: The set of definitions describing the format and attributes of each item in the LDAP server.
6. URLs: A Uniform Resource Locator is a string that includes the address and port of a server and other meaningful data that can define a group, provide a location, or refer to an operation on another server.
7. URIs: A Uniform Resource Identifier is a string of characters that identifies a resource.
How does an LDAP server query work?
In an organisation, the average employee connects to and queries the LDAP server hundreds of times per day. On the surface, that person may not even realise they are contacting the LDAP server, but a series of steps is taken behind the scenes to complete even a simple query.
For an LDAP to complete a query successfully, generally, the following steps are taken:
1. Session connection: The user connects to the LDAP server via an LDAP port (typically TCP port 389).
2. Request: The user sends the query to the LDAP server. It could be something like an email lookup.
3. Response: The LDAP server searches the directory for the relevant information and delivers it to the user.
4. Completion: After receiving the response, the user disconnects from the LDAP port.
These steps may look simple, but a great deal of work has gone into making the process seamless.
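As an added illustration (not code from the original article), here is how a client should build the filter for the e-mail lookup in step 2. The escaping follows RFC 4515; the attribute names and the sample addresses are constructed for the example, and the unescaped variant is included only to show what goes wrong without it.

```python
# Added example (not from the original article): building the search filter
# for the e-mail lookup in step 2 with RFC 4515 escaping, so that text taken
# from a user cannot change the structure of the query sent to the server.
import re

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def mail_lookup_filter(email: str) -> str:
    """Filter for the 'find the person with this e-mail address' request."""
    return f"(&(objectClass=person)(mail={escape_filter_value(email)}))"


def unsafe_mail_lookup_filter(email: str) -> str:
    """Same lookup without escaping; kept only to show the difference."""
    return f"(&(objectClass=person)(mail={email}))"


def assertion_count(filter_text: str) -> int:
    """Count the attribute=value assertions in a filter. A user-supplied
    value must never be able to change this number."""
    return len(re.findall(r"\([^()&|!]+=[^()]*\)", filter_text))


if __name__ == "__main__":
    normal = "jane.doe@example.com"   # constructed sample input
    odd = "*)(uid=*"                   # constructed input containing filter syntax
    print(mail_lookup_filter(normal), assertion_count(mail_lookup_filter(normal)))
    for build in (unsafe_mail_lookup_filter, mail_lookup_filter):
        f = build(odd)
        print(f"{build.__name__}: {f}  assertions={assertion_count(f)}")
```

The count of assertions is the property worth checking in a code review: with escaping it stays at two whatever the lookup value contains, whereas the unescaped builder lets the value add a third assertion of its own.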
How does LDAP authentication between a client and server work?
LDAP works on a client-server architecture, where the user requesting the information is the client, and the LDAP server is the server that serves the requests. Before the server sends over any information to the client, a formal LDAP authentication process occurs between the two.
The steps of the LDAP authentication process include:
- The client (a user, application or LDAP-ready system) sends the server a request to access certain information that is stored in the LDAP database.
- The client then provides the LDAP server with its user credentials, i.e. a username and password.
- The LDAP server then verifies whether the received credentials are correct by checking them against the core user identity data held in the LDAP database.
- If both these credentials match, then the client can access the requested information.
- On the other hand, if the provided credentials do not match the credentials in the core user identity store, access to information will be denied.
LDAP authorisation and access control
After the LDAP authentication process is complete, the next step is authorisation and access control. After successful authentication, the LDAP server ensures that a user or application only gets access to the resources they are allowed to access. In other words, it decides which user or group of users may access which resources.
To make the authorisation decisions, a number of factors are taken into account, such as:
- The DN as which the user authenticated.
- The authentication method a client used.
- The groups of which the user is a member.
- The contents of the authenticated LDAP entry.
- The address of the DUA (directory user agent, i.e. the client) system.
- Whether the communication between client and server is secure.
- The time and day of the request.
LDAP data components
LDAP consists of many different components that are all required for proper functioning. Out of these, the essential components are:
Attribute:
The data stored within an LDAP system is referred to as an attribute. Each attribute has an attribute type associated with it, which specifies how the client and directory server should interact with it.
Entry:
An entry is a user or item within an LDAP system. Each entry has a set of attributes assigned to it, and an attribute must always be associated with an entry.
Data Information Tree (DIT):
Every entry in an LDAP system is set up as a branch on the Data Information Tree.
Schema:
A schema is the definition of the attributes. One DIT can have several schemas.
LDAP operation types
LDAP offers a wide range of options to facilitate its users. Some of those are discussed below.
Add:
This operation allows users to add new entries to the directory server database. If the entry already exists, the server will not accept it and returns an “entryAlreadyExists” error. LDAP-compliant servers store the added entries together with their attributes.
Bind:
When a client first connects to the LDAP server, its authentication state is anonymous. The bind operation validates the client's authentication request and changes that state from anonymous. Binding can use either Simple or SASL (Simple Authentication and Security Layer) authentication.
Unbind:
Unbind abandons any outstanding operations and closes the connection, freeing the resources that were assigned to them.
Modify:
LDAP clients use the modify operation to change stored entries. Three types of modification are allowed: adding a new value, replacing (overwriting) an existing value, or deleting an existing value.
Search and compare:
Using this operation, an LDAP client can search for and read entries. The search can be based on name, size, type, scope or any other attribute of an entry. The compare operation checks whether a named entry has a specific attribute value.
Delete:
LDAP clients use this operation to delete entries from the directory server.
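The following is an added example, not code from the article, showing the client's BindRequest and a constructed server BindResponse encoded by hand in the BER form defined by RFC 4511. It covers the authentication steps above and the bind operation: the DN, the password and the result codes are constructed sample values, only the standard library is used, and nothing is sent on the network.

```python
# Added example (not from the original article): the client and server halves
# of an LDAP bind, hand-encoded in BER as defined in RFC 4511, so that the
# bytes which actually cross the wire during authentication can be inspected.

# A few LDAPResult codes from RFC 4511; 68 is the error the add operation returns.
RESULT_CODES = {0: "success", 49: "invalidCredentials", 68: "entryAlreadyExists"}


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0a): two's complement, minimal length."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return tlv(tag, body)


def bind_request(message_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage carrying a BindRequest (APPLICATION 0, tag 0x60).
    An empty DN and password is the anonymous bind every session starts in;
    'simple' authentication is context tag [0], i.e. 0x80."""
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + op)


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Constructed server reply: BindResponse (APPLICATION 1, tag 0x61)
    wrapping an LDAPResult of resultCode, matchedDN and diagnosticMessage."""
    result = ber_int(result_code, tag=0x0A) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one element; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Extract message id, result code and its meaning from a BindResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    result = int.from_bytes(code, "big", signed=True)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": result,
        "result": RESULT_CODES.get(result, "other"),
        "diagnostic": diag.decode(),
        "authenticated": result == 0,
    }


if __name__ == "__main__":
    # Constructed sample credentials; no real directory is involved.
    req = bind_request(1, "cn=admin,dc=example,dc=com", "s3cret")
    print(req.hex())
    # The password travels as a plain OCTET STRING, which is why a simple bind on
    # port 389 needs TLS underneath it.
    print("password visible in request:", b"s3cret" in req)
    print(parse_bind_response(bind_response(1, 49)))   # the 'denied' branch
    print(parse_bind_response(bind_response(1, 0)))    # the 'match' branch
```

The anonymous request `bind_request(1)` encodes to the 14 bytes `300c020101600702010304008000`, which is a useful signature to recognise in captures; the simple bind shows the credential in the clear, and the two constructed responses walk the "match" and "denied" branches of the authentication steps.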
Levels of LDAP directory
The LDAP configuration in an organisation is organised as a tree structure having multiple levels. LDAP directory levels include:
- The root directory. It is the first level or starting place, which branches out to:
- Countries, which branches out to:
- Organisations, which branches out to:
- Organisational units (OUs), which can be thought of as divisions or departments within an organisation, which branch out to:
- Individuals. This can be people, devices, files, shared resources etc.
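An added example (not from the original article) that parses DNs into their RDNs as described in the glossary and checks that a set of entries forms a valid Data Information Tree from the root suffix down to individual entries. The entries are a constructed sample; the parser handles backslash-escaped characters but not hex-pair escapes.

```python
# Added example (not from the original article): splitting distinguished names
# into RDNs (RFC 4514) and checking that a set of entries forms a valid DIT,
# i.e. every entry hangs below a parent that exists.

SAMPLE_ENTRIES = [  # constructed sample, not taken from any real directory
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "ou=Devices,dc=example,dc=com",
    "cn=Doe\\, Jane,ou=People,dc=example,dc=com",
    "cn=printer01,ou=Devices,dc=example,dc=com",
]


def parse_dn(dn: str) -> list:
    """Split a DN into [(attribute, value), ...], leaf RDN first.
    Backslash-escaped characters such as '\\,' are kept literally;
    hex-pair escapes (e.g. '\\2c') are not handled here."""
    rdns, attr, buf, escaped, in_value = [], "", [], False, False
    for ch in dn:
        if escaped:                       # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:  # end of the attribute type
            attr, buf, in_value = "".join(buf).strip().lower(), [], True
        elif ch == "," and in_value:      # end of this RDN
            rdns.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
    if escaped or not in_value:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    if any(not a or not v for a, v in rdns):
        raise ValueError(f"malformed DN: {dn!r}")
    return rdns


def escape_rdn_value(value: str) -> str:
    """Re-escape the RFC 4514 special characters when writing a value out."""
    return "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)


def canonical(dn: str) -> str:
    """Normalised (lower-cased, re-escaped) form used as a dictionary key."""
    return ",".join(f"{a}={escape_rdn_value(v.lower())}" for a, v in parse_dn(dn))


def parent_dn(dn: str) -> str:
    """Everything after the first RDN; empty for a DN with a single RDN."""
    return ",".join(f"{a}={escape_rdn_value(v)}" for a, v in parse_dn(dn)[1:])


def entry_level(dn: str, suffix: str) -> int:
    """How many levels below the suffix an entry sits (0 for the suffix itself)."""
    return len(parse_dn(dn)) - len(parse_dn(suffix))


def build_dit(dns: list, suffix: str) -> dict:
    """Return {canonical parent DN: [canonical child DN, ...]}.
    Raises ValueError when an entry's parent is absent, the situation in
    which a directory server refuses an add with noSuchObject."""
    present = {canonical(d) for d in dns}
    root = canonical(suffix)
    if root not in present:
        raise ValueError("the suffix entry itself must exist")
    tree = {}
    for d in dns:
        key = canonical(d)
        if key == root:
            continue
        parent = parent_dn(d)
        if not parent or canonical(parent) not in present:
            raise ValueError(f"parent of {d!r} does not exist")
        tree.setdefault(canonical(parent), []).append(key)
    return tree


if __name__ == "__main__":
    for parent, children in build_dit(SAMPLE_ENTRIES, "dc=example,dc=com").items():
        print(parent, "->", children)
    print(entry_level("cn=printer01,ou=Devices,dc=example,dc=com", "dc=example,dc=com"))
```

Comparing DNs through `canonical` rather than as raw strings matters in practice: the same entry can be written with different letter case and spacing, and access-control or allow-list code that compares the raw text will be fooled by such variants.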
Uses of LDAP
The most common and mainstream use of LDAP servers is to provide a centralised place for authentication, i.e. storing usernames and passwords. LDAP can use these user credentials for providing LDAP authentication in different applications and services such as
- Linux Samba servers
LDAP can also be used with multiple directory services such as
- Microsoft Active Directory
- Red Hat Directory Servers
- IBM Tivoli Directory Servers
LDAP security concerns
LDAP is a commonly used protocol and is an industry-standard practice for accessing and maintaining directory servers and authentication information. Due to the nature of this protocol, LDAP traffic includes sensitive information such as directory usernames, login attempts and failed login attempts.
The security risk arises because, more often than not, this data is not encrypted. By default, the LDAP protocol does not use encryption, and the transmitted data is insecure. This raises many security concerns, as an attacker could obtain sensitive data and credentials if the LDAP communication is intercepted.
How do I secure LDAP?
The best practice is to encrypt LDAP traffic, which is accomplished with SSL/TLS. To set this up, an organisation can either configure LDAPS, i.e. Secure LDAP on port 636, or use StartTLS on the standard LDAP port 389.
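As an added example, not code from the article, the snippet below works out from an LDAP URL whether TLS is implicit (LDAPS on 636) or must be negotiated with StartTLS on 389 before any bind, and shows a hardened TLS client context next to the weak one that quick scripts often use. The hostnames are constructed and no connection is opened.

```python
# Added example (not from the original article): deciding how an LDAP
# connection should be protected from its URL, and the TLS settings a client
# should insist on. Standard library only; nothing connects anywhere.
import ssl
from urllib.parse import urlsplit

LDAP_PORT, LDAPS_PORT = 389, 636
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511


def connection_plan(url: str) -> dict:
    """Host, port and how TLS is obtained for an ldap:// or ldaps:// URL (RFC 4516)."""
    parts = urlsplit(url)
    if parts.scheme == "ldaps":
        # TLS handshake happens first; credentials never go out in the clear.
        return {"host": parts.hostname, "port": parts.port or LDAPS_PORT,
                "tls": "implicit (LDAPS)", "needs_starttls": False}
    if parts.scheme == "ldap":
        # Plain TCP: the client must issue StartTLS and only then bind.
        return {"host": parts.hostname, "port": parts.port or LDAP_PORT,
                "tls": f"StartTLS ({STARTTLS_OID}) before bind", "needs_starttls": True}
    raise ValueError(f"not an LDAP URL: {url!r}")


def hardened_tls_context(ca_file=None) -> ssl.SSLContext:
    """Client context that verifies the server certificate chain and hostname
    and refuses protocol versions below TLS 1.2. ca_file is the CA bundle that
    signed the directory server's certificate (None = system trust store)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """What 'just make it connect' code often does: traffic is encrypted, but
    any server is trusted, so an interposed host still receives the bind."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """The three settings a configuration review should check."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    for url in ("ldaps://dc01.example.com/dc=example,dc=com",
                "ldap://dc01.example.com/dc=example,dc=com??sub?(uid=jane)"):
        print(connection_plan(url))
    print("hardened ok:", context_is_acceptable(hardened_tls_context()))
    print("weak ok:", context_is_acceptable(weak_tls_context()))
```

Either transport gives the same protection once established; the difference is that with plain `ldap://` the client code must refuse to send a bind until the StartTLS exchange has succeeded, which is exactly the step that is easiest to omit.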
LDAP and Active Directory (AD)
What is Active Directory
Active Directory is a directory service developed by Microsoft to manage an organisation's IT infrastructure and IT assets, such as its domains, user accounts, policies and other distributed resources in a domain network. Active Directory (AD) provides system and network administrators with functionality such as authentication, group and user management, policy administration, device management, and the application of security policy and group policy to its objects.
The Lightweight Directory Access Protocol (LDAP) is the protocol usually used to communicate with AD.
How does LDAP work with Active Directory?
As mentioned earlier, LDAP is the protocol to query directory services, and Microsoft Active Directory is the directory service. The Active Directory stores information related to users, devices, services, resources etc. and when a client needs to request this information, LDAP is used.
LDAP queries the information stored in AD and extracts the necessary details, and communicates responses to and from the client. So LDAP authentication and AD work together to provide clients access to the resources and information they need, to access applications and execute their responsibilities.
Does Active Directory use LDAP or Kerberos?
Active Directory supports both Kerberos and LDAP authentication, and more often than not, these two protocols are used together.
Kerberos is the default authentication and authorisation protocol used by Active Directory, as it is more secure. LDAP is also used for authentication, and for organising objects such as user accounts, computers and organisational units (OUs) within Active Directory environments.
For example, when an IT admin opens the Active Directory Users and Computers console, their computer first uses Kerberos to obtain a ticket and reach the Domain Controller, and then uses LDAP so that the admin can work with the domain objects in the console.
OpenLDAP versus Microsoft Active Directory (AD)
What is OpenLDAP
OpenLDAP is a free, open-source implementation of a directory service that uses the LDAP protocol. It is platform-independent and is found in many Linux-based environments. Unlike other directory services, OpenLDAP does not offer a GUI and is command-line based.
Differences between OpenLDAP and AD
For starters, OpenLDAP is a free, open-source directory service, whereas Active Directory is proprietary, licence-based software.
AD is more feature-rich than OpenLDAP; it offers an extensive GUI and robust configuration features such as Group Policy Objects (GPOs) for Windows devices. AD also supports protocols other than LDAP. For organisations that are primarily Windows-based or intend to use Azure, Microsoft AD may be the better fit.
OpenLDAP, on the contrary, does not provide a GUI. It supports only the LDAP protocol, but in return gives much greater depth in configuring LDAP than AD. OpenLDAP is cost-effective, offers a wide range of customisation and flexibility, and is used mainly in Linux-based environments.
RADIUS Authentication versus LDAP
What is RADIUS
RADIUS is a networking protocol that stands for Remote Authentication Dial-In User Service. This uses a client-server architecture, where the RADIUS client is a networking device that authenticates users and the RADIUS server stores and maintains user profiles in a database. The RADIUS servers use the AAA process to authenticate and authorise the RADIUS clients.
Differences between LDAP and RADIUS
LDAP and RADIUS perform similar functions, but they are not the same thing. LDAP is good for single sign-on services, but it does not have session accounting. It can be encrypted easily but does not have multi-factor authentication capabilities. LDAP is straightforward to set up, and the servers store user information.
RADIUS is a better option if an organisation requires speed because it works on UDP and uses caching mechanisms for faster delivery. RADIUS supports MFA and allows flexibility. Other than this, RADIUS servers do not store user information. They are challenging to set up but are ideal in providing advanced and complex authentication services.
Kerberos Authentication versus LDAP
What is Kerberos?
Kerberos is a network authentication protocol used to authenticate two or more trusted hosts across an untrusted network. It uses strong secret-key cryptography to authenticate users and server applications, and identifies users with the help of tickets.
Kerberos can be used for POSIX authentication, NFS, Samba, SSH, POP and SMTP, and is the default authentication protocol of Microsoft Windows Active Directory (AD). Kerberos also provides single sign-on (SSO) functionality.
Differences between LDAP and Kerberos
LDAP and Kerberos both provide authentication for directory services, but they do have certain differences, as mentioned below:
So when it comes to implementing one over the other, there may be no correct answer as it depends on the requirements of an organisation.
Leaving your LDAP service open to attack can be a severe security issue, leading to data theft, financial loss and even lawsuits. Ensure that LDAP security best practices are in use and conduct periodic reviews of the LDAP security configuration where possible.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skill set in offensive security.