I am currently using an LDAP setup. I am wondering if it is secure from Man-in-the-middle attacks or other vulnerabilities?
3 Answers
LDAP, by itself, is not secure against active or passive attackers:
- Data travels "as is", without encryption, so it can be spied upon by passive attackers.
- Active attackers can manipulate the stream and inject their own requests or modify the responses to yours.
At best, basic LDAP may rely on some authentication mechanism (through SASL) which is not trivially broken by an attacker: if the authentication is of the "show the password" type, then a passive eavesdropper can learn the password and then connect to the server with your identity; slightly more advance protocols, like CRAM-MD5, avoid that specific problem, but will still do nothing against attackers hijacking your connections or spying on your actual requests and responses.
So, really, if you value your security, then use SSL (i.e. "LDAPS"). In many respects, this is just like HTTP vs HTTPS.
As a side note, the Active Directory protocol from Microsoft, which builds up on LDAP, optionally offers a "sign & encrypt" feature, which appears to be some sort of cryptographic protocol embedded within LDAP (i.e. like LDAPS, but in reverse order), which might ensure enough security. I have not seen any decently detailed specification for that protocol, though, so I still recommend LDAPS in that case.
- 168,808
- 28
- 337
- 475
The LDAP protocol is by default not secure, but the protocol defines an operation to establish a TLS session over an existing LDAP one (the StartTLS extended operation). Alternately, some authentication mechanisms (through SASL) allow establishing signing and encryption. Most of the recent LDAP based directory servers support these modes, and often have configuration parameters to prevent unsecure communications.
LDAPS on the other hand is secure by default as long as proper ciphers are negotiated.
- 171
- 2
Create a certificate and log into your LDAP with your user certificate that you install in the admin entry.
Obviously the TLS session only raises the bar against packet sniffing, not the quality of authentication, unless a client certificate authentication takes place in TLS.
Plain text password would be the worst option, going up from there...SASL, etc.
If you are concerned with someone accessing your LDAP server from the Internet, and still want to allow access to "some" attributes, but not others, you can set up a proxy on 389 to filter requests going to the server. If you use the well known default ports for LDAP or LDAPS it makes it easier for users to find your services.
Also, consider putting in an SRV resource record entry into the DNS for your Internet connected LDAP server, so people will have the right address and port to hit your proxy server.
- 1
- 1