Questions tagged [ldap]

The Lightweight Directory Access Protocol is an application protocol for reading and editing directories that follow the Directory Information Model over an IP network using unsecured TCP/IP, TLS or SSL. LDAP is a binary protocol described in terms of ASN.1 and transmitted using ASN.1 Basic Encoding Rules (BER).

A directory is a hierarchical collection of records known as a Directory Information Base, or when visualized, as a Directory Information Tree. The directory model should be visualized as an upside-down tree, much like a UNIX file-system. The root of the Directory Information Tree is known as the prefix or namingContext. The namingContext, supported versions of the protocol, supported features and supported controls (operation semantics modifiers) and other information can be discovered by querying the root DSE, though the information might be protected by access controls.

Clients (Directory User Agents) issue requests to the directory server (Directory System Agent), and the directory server returns an appropriate response: an indication of the success or failure of a search, add, modify, delete, moddn (rename) or extended operation (for a successful search, the response also carries the requested entries from the Directory Information Tree). Controls may be used to alter the semantics of a request; for example, a sort control can be included with a search request to have the server sort the returned entries (known as a server-side sort). Without a sort control in the search request, entries returned from a search operation are not ordered and must not be assumed to be ordered. Clients must not expect entries to be ordered in any way.

Modern directory servers support a high-speed replication mechanism which is not defined by the standard, though there have been some attempts at defining a replication standard. Therefore, replication and the protocol used for replication is vendor-specific. If data must be synchronized between directory servers from different vendors, a synchronization device must be used.

Most modern programming languages have an LDAP SDK, including Java, PHP, Perl, C/C++, and others. Directory Server software usually comes equipped with a set of command line tools such as ldapsearch, ldapmodify, and others.

Directory Information Trees accessed by the LDAP protocol are used in authentication and authorization applications, configuration storage, profile storage, public-key infrastructure and other applications requiring:

  • speed of access
  • a small, light-weight protocol
  • a simple programming model
  • easily configured replication, redundancy, and failover

Questions that are specific to Active Directory should not be tagged with the LDAP tag unless the question is specifically related to the LDAP protocol or the Directory Information Model. Active Directory provides an LDAP interface, but that interface does not fully implement the LDAP standard and deviates from it in important ways. There are therefore questions whose answers are specific to Active Directory and do not apply to standards-compliant LDAP servers, and vice versa. Correctly tagging a question raises the probability of an accurate, timely response.

83 questions
28 votes, 2 answers

Kerberos vs. LDAP for authentication -- which one is more secure

Can anyone describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment? And can we switch between them transparently?
Ijaz Ahmad
21 votes, 3 answers

What precautions should I take when creating users that will be used by applications and not by people?

I have some applications that need access to a webservices bus. Our own applications that access the bus authenticate using a webservice on that bus, but in this case I need third-party applications to access some webservices on the bus. These…
Eloy Roldán Paredes
11 votes, 3 answers

Is it secure to be using LDAP, or is LDAPS the only secure option?

I am currently using an LDAP setup. I am wondering if it is secure from Man-in-the-middle attacks or other vulnerabilities?
mrplow911
11 votes, 3 answers

Safe to expose Active Directory via LDAPS externally?

We currently access Active Directory via LDAPS internally for authentication and user data retrieval. Is it common, or safe, to expose this publicly over LDAPS? Addendum 1: Our business case: our cloud-based, remotely hosted web application needs…
Andy
11 votes, 4 answers

Extract Password Hashes from Active Directory LDAP

Currently we are working on a monthly internal security test which, among other things, should contain a verification of the real password strength the users choose. For this reason I want to extract the password hashes of all users via LDAP. Everything I…
davidb
9 votes, 2 answers

What are best practices for implementing ACL

I have a website that has certain menu items that need to be hidden from end users. The web site has PHP in the front-end and Java and Spring in the back-end, deployed on a Linux OS in a VM infrastructure, although the full technology stack isn't…
bliss
9 votes, 2 answers

What LDAP schema is recommended for PKI?

In my research, I found some RFCs that have not been updated in over a decade, e.g. draft-ietf-pkix-ldap-crl-schema-01. I also explored several public directories used in PKI (e.g. x500.bund.de) and established that they chose not to stick to that…
ralien
8 votes, 1 answer

What is the best way to store passwords in OpenLDAP?

I would like to store user credentials in an OpenLDAP or similar directory server. A lot of online commentary about storing passwords in modern contexts recommends using password derivation schemes like PBKDF2, bcrypt and scrypt. It looks like…
duffbeer703
8 votes, 1 answer

What practical uses are there for the AD feature of "Confidential Attributes"

Are any applications (off the shelf, or internal) leveraging Active Directory's Confidential Attributes? Would you store sensitive information here such as a private key, or a salt here? I'm planning a demonstration of this feature, but would like…
makerofthings7
6 votes, 1 answer

Password security when connecting to ldap with rails application

How do you store a username/password securely in a rails app when using it for many ldap searches? The connection in the app requires ldap_bind_authenticate(Net::LDAP.new, username, password) each time a search is made, and the credentials of the…
essefbx
6 votes, 7 answers

How can I best manage root passwords for many servers?

Let's say I have two racks with about 40 nix servers in them. I don't want to set all of the root user passwords the same, do I? If not, how do you manage and keep up with all of the passwords? Is an LDAP server a viable option to use with root…
5 votes, 1 answer

How does LDAP keep an authenticated session

I feel like I'm missing something, because I'm not finding an answer. Let's have a pretend scenario. I connect to an LDAP server. I issue a BIND command and successfully log in (I think the server would return something). I issue a DELETE command. How…
Anton
5 votes, 2 answers

Oracle Internet Directory (OID) hardening

What are best practices, recommendations, required reading for securing/hardening an Oracle Internet Directory? Note: OID is compatible with LDAP version 3.
Aaron
5 votes, 2 answers

How do I sanitize LDAP input and prevent injection attacks? What LDAP injection scenarios are possible?

In the following C# example I'm querying AD's configuration container for Exchange overrides. If the domain name is unsanitised, the end user could get LDAP to read a different object than intended. I'm not sure if other actions other than read are…
makerofthings7
5 votes, 1 answer

How to implement a password change policy when user's centralized password is in a lot of places?

I would like to implement password changing in an organization but they have the domain controller/LDAP passwords "all over the place". They have the passwords in a lot of places, for example, in mobile apps that authenticate against the LDAP, VPN…