1

In my Windows-only domain, Kerberos is used for all authentication. The domain controllers, I understand, replicate & authenticate using RPC. Is LDAP used for anything else? Should I close the unused 389 LDAP port on all servers and clients?

Does Active Directory use LDAP for authorisation, lookup, etc.?

Reemus
  • 11
  • 1
  • Do not disable LDAP unless you're using a test environment and you want to see what breaks. LDAP is used for AD resource enumeration, auth, etc. https://technet.microsoft.com/en-us/library/cc961766.aspx – user2320464 Jan 02 '16 at 23:00
  • LDAP is used for Service Connection Points (SCP) in the Config partition, so likely yes, LDAP is used – makerofthings7 Jan 03 '16 at 00:54
  • I presume you want file ownership & permissions to map to usernames and or group names? – Andy Jan 03 '16 at 09:28

1 Answer

2

No, you should not. LDAP is fundamental to many processes in Active Directory. For example:

  • When you perform an interactive logon on a client, the client performs a series of DNS lookups to determine the best domain controller, then performs a series of tests on tcp/389.
  • The Active Directory schema is downloaded to the client using LDAP on tcp/389.
  • The Group Policy Client uses LDAP to retrieve the policy information component which is stored in Active Directory.
  • Many of the command line tools and system-integrated management tools use LDAP (Active Directory Users and Computers, Active Directory Sites and Services, etc.).
  • A TON of other stuff.

It's fairly easy to perform a network packet capture to confirm this.

It sounds like you may be confusing NTLM with Kerberos. It may be possible to use Kerberos in place of NTLM/2, although the client will attempt to fall back to NTLM/2 if Kerberos authentication is not possible.

Additionally, it is not possible to use only LDAPS tcp/636 in place of tcp/389 if you have certificates installed on your domain controllers. This would not provide any useful benefit, as LDAPS is primarily intended for applications that authenticate using a simple bind (username+password).

Greg Askew
  • 34,339
  • 3
  • 52
  • 81
  • There are two additional notes to an otherwise wonderful answer: (1) LDAP tcp/389 is normally used within Active Directory for simple binds by enforcing the STARTTLS extension; it is also used with GSSAPI binds. (2) LDAP udp/389 is known as **Connectionless LDAP** and is used by AD clients to discover domain controllers and certain capabilities of those servers. – abbra Jan 03 '16 at 22:36
  • @greg-askew 1. Isn't RPC used for all this as well? 2. So Kerberos is used for authentication and LDAP for authorisation? – Reemus Jan 04 '16 at 05:03
  • @Reemus, see my comment to the other answer. – abbra Jan 04 '16 at 08:03
  • @Remus: apparently not. – Greg Askew Jan 04 '16 at 09:00
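The answer's remark that LDAPS exists mainly for applications doing a simple bind, and abbra's note that tcp/389 carries both STARTTLS-protected simple binds and GSSAPI binds, point at the question that actually matters for a defender: not whether port 389 is used (it is), but whether anything on it sends a password in the clear. The script below is an added example and is not code from this thread or from Microsoft. It decodes the few LDAPv3 BER shapes involved (BindRequest with simple or SASL credentials, and the StartTLS extended request) and audits the client side of one tcp/389 stream, stopping at StartTLS because everything after that is TLS rather than BER. All sample bytes are constructed inline by a small BER encoder and labelled as such; the account name and the trailing TLS bytes are made up, and the helper names (`classify`, `audit_stream`, `sasl_bind`, ...) are this example's own.

```python
"""Audit LDAP binds on a client-to-DC tcp/389 stream (added example, not from the thread).
Decodes only the LDAPv3 BER shapes that matter here (RFC 4511): BindRequest with
simple or SASL credentials, and the StartTLS ExtendedRequest. Every sample byte
below is built by the small encoder in this file, not captured from a real domain."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def ber(tag: int, body: bytes) -> bytes:
    """Encode one TLV: tag byte, definite-form length, value."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                       # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, value, end offset)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                               # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + ln], pos + ln

def classify(raw: bytes) -> dict:
    """Describe one LDAPMessage: bind (simple/SASL), StartTLS, or other."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:                             # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body, 0)             # messageID INTEGER
    info = {"msgid": int.from_bytes(mid, "big", signed=True)}
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == 0x60:                          # [APPLICATION 0] BindRequest
        _, version, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)
        auth_tag, auth, _ = read_tlv(op, p)
        info.update(op="bind", version=version[0], name=name.decode())
        if auth_tag == 0x80:                    # simple [0] OCTET STRING
            info.update(auth="simple", password_len=len(auth))
        elif auth_tag == 0xA3:                  # sasl [3] SaslCredentials
            _, mech, _ = read_tlv(auth, 0)      # mechanism LDAPString
            info.update(auth="sasl", mechanism=mech.decode())
        else:
            info.update(auth="unknown")
    elif op_tag == 0x77:                        # [APPLICATION 23] ExtendedRequest
        _, oid, _ = read_tlv(op, 0)             # requestName [0] LDAPOID
        info.update(op="extended", oid=oid.decode(), starttls=(oid == STARTTLS_OID))
    else:
        info.update(op="other", tag=op_tag)
    return info

def audit_stream(stream: bytes) -> list:
    """Report binds on one tcp/389 connection that put a password (or nothing)
    on the wire. Stops at StartTLS: everything after it is TLS, not BER."""
    findings, pos = [], 0
    while pos < len(stream):
        _, _, end = read_tlv(stream, pos)
        m = classify(stream[pos:end])
        pos = end
        if m.get("starttls"):
            findings.append(f"msg {m['msgid']}: StartTLS requested; rest of stream is TLS, not decoded")
            break
        if m["op"] == "bind" and m["auth"] == "simple":
            if m["password_len"] == 0:
                findings.append(f"msg {m['msgid']}: unauthenticated simple bind, name={m['name']!r}")
            else:
                findings.append(f"msg {m['msgid']}: CLEARTEXT simple bind as {m['name']!r} (password on the wire)")
    return findings

# Constructed sample traffic (not a real capture); helpers double as an encoder for tests.
def ldap_message(msgid: int, op: bytes) -> bytes:
    return ber(0x30, ber(0x02, bytes([msgid])) + op)      # msgid < 128 only

def simple_bind(msgid: int, dn: bytes, password: bytes) -> bytes:
    return ldap_message(msgid, ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn) + ber(0x80, password)))

def sasl_bind(msgid: int, mechanism: bytes, token: bytes) -> bytes:
    sasl = ber(0xA3, ber(0x04, mechanism) + ber(0x04, token))
    return ldap_message(msgid, ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + sasl))

def starttls(msgid: int) -> bytes:
    return ldap_message(msgid, ber(0x77, ber(0x80, STARTTLS_OID)))

SAMPLE_STREAM = b"".join([
    sasl_bind(1, b"GSS-SPNEGO", b"\x60\x06NEGO.."),                             # Kerberos-backed bind: fine
    simple_bind(2, b"CN=svc-backup,OU=Svc,DC=corp,DC=example", b"Winter2016!"),  # made-up account
    simple_bind(3, b"", b""),                                                   # unauthenticated bind
    starttls(4),
    b"\x16\x03\x03\x00\x05hello",                                               # placeholder TLS record bytes
])

if __name__ == "__main__":
    for finding in audit_stream(SAMPLE_STREAM):
        print(finding)
```

To use it on real traffic, feed it the reassembled client-to-server payload of a port 389 connection exported from a packet capture. The output tells you which accounts still bind with a cleartext password (and therefore which applications need to move to a SASL/Kerberos bind, StartTLS, or LDAPS), which is the useful outcome here; blocking the port would just break the logon, Group Policy and management-tool traffic the answer lists.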