LDAP itself is believed to be a relatively secure protocol. However, LDAP servers frequently contain security-critical information (for instance, authentication information, which at best will allow an attacker to determine what account names are valid, and at worst may provide a password to use with them). Therefore, you normally do not want to make internal LDAP servers accessible to the Internet. LDAP servers pass information unencrypted, so snooping is possible.
Direction | Source Addr. | Dest. Addr. | Protocol | Source Port | Dest. Port | ACK Set | Notes
---|---|---|---|---|---|---|---
In | Ext | Int | TCP | >1023 | 389[125] | [126] | Query, external LDAP client to internal server
Out | Int | Ext | TCP | 389[125] | >1023 | Yes | Response, internal server to external LDAP client
In | Ext | Int | TCP | >1023 | 636[127] | [126] | Query, external LDAPS client to internal server
Out | Int | Ext | TCP | 636[127] | >1023 | Yes | Response, internal server to external LDAPS client
Out | Int | Ext | TCP | >1023 | 389[125] | [126] | Query, internal LDAP client to external server
In | Ext | Int | TCP | 389[125] | >1023 | Yes | Response, external server to internal LDAP client
Out | Int | Ext | TCP | >1023 | 636[127] | [126] | Query, internal LDAPS client to external server
In | Ext | Int | TCP | 636[127] | >1023 | Yes | Response, external server to internal LDAPS client
[125] 3268 for the Active Directory global catalog.
[126] ACK is not set on the first packet of this type (establishing the connection) but will be set on the rest.
[127] 3269 for the Active Directory global catalog.
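As an added illustration that is not part of the book, here is a small Python model of the rule table: each row becomes a condition, the ACK requirement from footnote 126 is enforced on the response rows, and the rows that let external clients reach an internal server are disabled unless explicitly switched on, matching the advice above not to expose internal LDAP servers. The `Packet` class, `matches_rules` and the `expose_internal_servers` flag are names chosen for this example.

```python
"""Packet-filter model of the LDAP/LDAPS rule table (added example, not the book's code)."""
from dataclasses import dataclass

# 389/636 are the standard ports; 3268/3269 are the Active Directory global catalog
# equivalents named in footnotes 125 and 127.
LDAP_PORTS = {389, 3268}
LDAPS_PORTS = {636, 3269}
SERVER_PORTS = LDAP_PORTS | LDAPS_PORTS


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Ext -> Int, "out" = Int -> Ext
    proto: str       # transport protocol name, e.g. "TCP"
    sport: int       # source port
    dport: int       # destination port
    ack: bool        # TCP ACK flag set on this packet


def matches_rules(pkt: Packet, expose_internal_servers: bool = False) -> bool:
    """Return True if the packet is permitted by the table, False if it is dropped.

    Query rows (client port >1023 to a server port) impose no ACK condition, since the
    first packet of a connection has ACK clear (footnote 126).  Response rows (server
    port back to a port >1023) require ACK, so an outsider cannot open a new connection
    to an internal high port merely by sending from source port 389 or 636.
    """
    if pkt.proto != "TCP":
        return False
    # Internal client -> external server: outbound query, inbound response.
    if pkt.direction == "out" and pkt.sport > 1023 and pkt.dport in SERVER_PORTS:
        return True
    if pkt.direction == "in" and pkt.sport in SERVER_PORTS and pkt.dport > 1023:
        return pkt.ack
    # External client -> internal server: only when the server is deliberately exposed.
    if expose_internal_servers:
        if pkt.direction == "in" and pkt.sport > 1023 and pkt.dport in SERVER_PORTS:
            return True
        if pkt.direction == "out" and pkt.sport in SERVER_PORTS and pkt.dport > 1023:
            return pkt.ack
    # Anything not matched by a row is dropped.
    return False
```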
Surprisingly, the Netscape Web browser does not use SOCKS when connecting to an LDAP server. LDAP is a perfectly straightforward protocol and can be used with SOCKS without problems.