LDAP, which stands for Lightweight Directory Access Protocol, provides an open-source, vendor-neutral application protocol for distributed directory services and user authentication. This article provides a brief overview of LDAP uses, followed by a description of LDAP exposure risks and cybersecurity protection strategies.
What is LDAP?
Directory information services provide records, such as usernames and passwords, that applications across the network can look up. LDAP can run over several transport layers but is most often run over TCP/IP or UDP.
The Internet Engineering Task Force (IETF) RFC 4510 specifies the technical roadmap for LDAP, which is built on the model described by the Directory Access Protocol (DAP). This client-server protocol defines how the server responds to requests for information stored in the directory. Most often, LDAP is used for authentication (bind) operations and search operations, though it also supports update operations that modify directory entries.
LDAP stores information entries in a tree-based hierarchical directory defined by organizational needs and governed by a directory schema. Each entry has a unique name (the Distinguished Name, or dn) and a set of attributes. Directory information is accessed through discrete LDAP queries, such as a search operation that evaluates stored entries against specific criteria. The query mechanism specifies how each operation retrieves or modifies directory data, and the filter syntax specifies which entries and attributes to retrieve from the LDAP database.
LDAP is used for a variety of purposes from straightforward information storage to complex network infrastructure. Some LDAP use cases include the following:
- Access management and user authentication, like single sign-on (SSO) with LDAP authentication
- Asset tracking and user resource management
- Identity management systems that provide authentication and authorization for user accounts
- Synchronized directories for personal address books and calendars across devices
- Network infrastructure for email server routing and other web applications
There are many software options that use LDAP:
- Microsoft Active Directory
- Apache Directory Server
- Apple Open Directory
- PingIdentity's PingDirectory
- Red Hat Directory Server
Each of these products uses LDAP as its communication protocol; Active Directory and OpenLDAP are two of the most commonly used.
As a directory service, LDAP provides access to data, including sensitive data like user credentials and permissions, so it's important to know what security risks may expose that data.
LDAP Port Exposure Risks
Some LDAP configurations run on ports that are accessible via the public internet. Traffic passing through an exposed port can put your organization's data at risk. If LDAP transmits unencrypted data in plain text through port 389, it can be intercepted in transit by malicious attackers. Because LDAP is frequently used for authentication and authorization, it is critical that directory and authentication protocols require additional layers of security.
UpGuard scans for LDAP exposure where your LDAP service is listening on open ports:
- 'LDAP' port open
- 'LDAP SSL' port open
If your LDAP configuration listens on publicly accessible ports, then your data in transit may be at risk. You can configure Lightweight Directory Access Protocol over SSL (LDAPS) to add SSL/TLS encryption over port 636. LDAPS is sometimes replaced by StartTLS, which provides both encrypted and unencrypted communications via the same port as plaintext LDAP, but StartTLS connections can be vulnerable to downgrade attacks if the client keeps talking in plaintext when the server refuses to upgrade the session.
All directory and authentication protocols should be secured with a virtual private network (VPN) or similar solution to prevent internet-based scanning and injection attacks. An LDAP injection attack compromises the authentication process by sending crafted input through a web application in order to access sensitive information in an LDAP directory. If your LDAP directory is accessible via the public internet or your server does not validate client requests, then an attacker could retrieve and leak sensitive data or escalate user privileges without proper authorization.
To prevent data breaches and cyberattacks against your LDAP directories, ensure you have taken proactive cybersecurity measures to protect your server.
How to Prevent LDAP Exposure
Protecting your LDAP server with proactive security configuration can help you prevent attacks and information leaks.
If your organization is facing port exposure, you can prevent internet-based attacks by securing all directory protocols with network security options like a VPN. Close the internet-facing ports so that sensitive data cannot pass to or from the LDAP server without authentication. Limit users with access control so that only verified users can access sensitive data using specified authentication methods. Strong authentication mechanisms also require input validation to ensure that user input is both well-formed and sanitized before it reaches the directory.
If access must be maintained from the public internet, set up SSL/TLS encryption and store and compare passwords as cryptographic hashes rather than in plaintext. Because LDAPv2 supports only simple password-based authentication, migrate to LDAPv3 to use the Simple Authentication and Security Layer (SASL) framework and additional features that are unavailable in the previous version, such as certificate authentication, internationalization, schema discovery, and extensibility.
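The LDAP injection risk described above, and the input validation this section calls for, come down to never letting user input reach a search filter unescaped. The following is an added example (not code from UpGuard or from any directory product) showing a vulnerable filter builder beside a hardened one that escapes values per RFC 4515; the username character set in the allow-list is an assumption for illustration.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter assertion value,
# each replaced by a backslash and the two-digit hex code of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable: raw concatenation lets filter metacharacters rewrite the query."""
    return f"(&(objectClass=person)(uid={username}))"

def build_login_filter(username: str) -> str:
    """Hardened: the value is escaped, so every character is matched literally."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"

# Allow-list validation applied before the value reaches the directory at all
# (the permitted character set is an assumption; match it to your naming policy).
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def validate_username(username: str) -> bool:
    """Reject anything that is not a plain account name before building a filter."""
    return bool(_USERNAME_RE.match(username))
```

With input such as `*)(uid=*` the unsafe builder produces a filter that matches every person entry, while the hardened builder matches only a literal uid of that exact string.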
Maintain a strong firewall, and consider whether a web application firewall (WAF) will aid your organization in protecting HTTP traffic.
Determine your auditing cadence and set up logging to monitor network traffic. As needed, review connections to assess client requests and audit LDAP queries.
How UpGuard Can Help
UpGuard BreachSight helps you understand the risks impacting your external security posture. With our user-friendly platform, you can view your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents.
To learn more about your particular domain's practices in relation to these LDAP port findings, access your Risk Profile in BreachSight to search for each finding by name.