We currently access Active Directory via LDAPS internally for authentication and user data retrieval. Is it common, or safe, to expose this publicly over LDAPS?

Addendum 1:

Our business case: our cloud-based, remotely hosted web application needs to authenticate end users with their local Active Directory.

Tom Leek
Andy

3 Answers

Assuming that the LDAPS server does not have security holes, exposing it to the wide Internet should be no more risky (and no less) than exposing an HTTPS Web server. With LDAPS (SSL outside, traditionally on port 636, LDAP protocol in it), the authentication requested by the server will be performed under the protection of SSL, so that's fine (provided that authentication passwords are strong, as usual).

... with one caveat nonetheless. A big part of HTTPS security is that the browser, i.e. the client, makes sure that the server's certificate is correct: verification of all signatures with regards to a set of trust anchors; revocation status checks; verification that the intended server name really appears where it should in the server's certificate. If you access the LDAPS server through some software, then that software should apply the same kind of verifications; but I doubt most LDAPS clients are that thorough.

Tom Leek
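As an added example (not Tom Leek's code and not part of the original answer), the Python client below applies the checks the answer names before any LDAP traffic is sent: chain to a trust anchor, require a server certificate, and confirm that the intended server name appears in the certificate's subjectAltName. The name rule is written out in `hostname_matches` so it is visible; with `check_hostname=True` OpenSSL applies the same rule during the handshake. Host names such as `ldap.example.com` and the certificate dicts are constructed; revocation checking is not shown, as Python's `ssl` module does not perform it on its own.

```python
"""Client-side checks a browser applies to HTTPS, ported to an LDAPS connection."""
import socket
import ssl
from typing import Optional

LDAPS_PORT = 636  # SSL outside, LDAP inside, as the answer describes


def make_ldaps_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build a TLS context that chains to a trust anchor, requires a server
    certificate and checks the server name. A client that instead sets
    verify_mode = ssl.CERT_NONE gets the encryption but not the identity."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # system or supplied CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # OpenSSL enforces the name rule below in the handshake
    return ctx


def hostname_matches(cert: dict, hostname: str) -> bool:
    """RFC 6125-style name check on the dict SSLSocket.getpeercert() returns.
    Only subjectAltName dNSName entries count; a bare CN is not trusted, and a
    wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # e.g. ".ad.example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def ldaps_connect(host: str, ca_bundle: Optional[str] = None) -> ssl.SSLSocket:
    """Open a verified TLS socket to the LDAPS port. An untrusted chain or a name
    mismatch raises ssl.SSLCertVerificationError instead of silently binding."""
    ctx = make_ldaps_context(ca_bundle)
    sock = socket.create_connection((host, LDAPS_PORT), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)  # SNI plus hostname check


# Constructed certificate dicts (not real certificates) in getpeercert() shape.
SAN_CERT = {"subject": ((("commonName", "ldap.example.com"),),),
            "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.ad.example.com"))}
CN_ONLY_CERT = {"subject": ((("commonName", "ldap.example.com"),),)}
```

`ldaps_connect` is the only function that touches the network; the name check can be exercised offline against the constructed dicts.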
Several cloud vendors require LDAP access to AD in order to authenticate users... I can name 10 off the top of my head; so it's not uncommon in a limited scope.

I would say it is unwise to open up LDAP to the broad internet (no IP filter) without additional controls (VPN, authentication, etc.).

Since you're exposing your LDAP server to additional load, I would consider the impact it has on other AD-reliant applications like Exchange, or even workstation authentication. You may want to consider standing up a separate AD server in a separate logical site for this purpose. (Exchange has a tendency to touch all AD servers in a site)

makerofthings7
I would not say it is common to expose LDAP services to the internet. What business case do you have to do this? It is much like you do not want to expose your database server to the Internet. It is usually accessed only via DMZ services, while your LDAP rests on the internal network. If I do a Shodan search for port:389 I get no results, compared to MySQL where I get about 5528729 results. I think it is safe to say that it is not common.

As with all services you expose to the internet, the answer whether it is safe or not depends on how you harden the system. If you do not need it on the internet, don't put it there. If you do need it, harden it and consider limiting access to only those who need it. E.g. if this is used for some kind of federation services I would consider only trusting connections to the LDAP from valid federation servers.

Chris Dale
  • LDAPS would be port 636, not 389. But I agree it is very uncommon. – Tom Leek Oct 24 '13 at 18:35
  • Added the business case. We're trying to authenticate users in their local firewalled Active Directory via the public internet with no LAN tunneling. My first thought is it sounds kinda scary, but need expert advice. – Andy Oct 24 '13 at 20:52
  • I searched Shodan for 636 as well, and other known ports for LDAP. Not many hits at all. Surprisingly low actually. – Chris Dale Oct 25 '13 at 05:33
  • One thing to consider, how are you going to stop nefarious users from brute forcing LDAP passwords? How are you going to prevent accounts from being locked out remotely if a malicious user stumbles across this exposed LDAP service? – k1DBLITZ Oct 25 '13 at 14:57
  • @ChrisDale, if required, it is probably tunneled over SSH or VPN: http://www.unixwiz.net/techtips/security-ldap-ad.html – Silver Jan 25 '17 at 08:22
  • The comparison to MySQL is good in the context that the database shouldn't need to be user facing. However, comparing statistics between the two without any context on utilization to help ingest the numbers can lead to incorrect assumptions. – Steve Buzonas Aug 14 '18 at 18:10