 |  |
20.5. Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is used to maintain directory databases. For instance, it is frequently used to distribute public key certificates, address book information, and user authentication information. It is rarely used directly by users; instead, it is a utility protocol that other programs use to look up information.LDAP itself is believed to be a relatively secure protocol. However, LDAP servers frequently contain security-critical information (for instance, authentication information, which at best will allow an attacker to determine what account names are valid, and at worst may provide a password to use with them). Therefore, you normally do not want to make internal LDAP servers accessible to the Internet. LDAP servers pass information unencrypted, so snooping is possible.
20.5.1. LDAPS
In order to provide security, LDAP can also be run over TLS, providing encryption and server-client authentication. This is called LDAPS and is assigned to port 636. TLS is discussed in Chapter 14, "Intermediary Protocols".
20.5.2. Packet Filtering Characteristics of LDAP
LDAP is a TCP-based service. Servers use port 389 (or port 636 for LDAPS). Clients use ports above 1023. Windows 2000 Active Directory Service uses an extra server, the global catalog server, that also uses LDAP but uses port 3268 for unsecured access and 3269 for SSL-secured access.| Direction | SourceAddr. | Dest.Addr. | Protocol | SourcePort | Dest.Port | ACKSet | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | TCP | >1023 |
389[125]
|
[126]
|
Query, external LDAP client to internal server |
| Out | Int | Ext | TCP | 389[125] | >1023 | Yes | Response, internal server to external LDAP client |
| In | Ext | Int | TCP | >1023 |
636[127]
|
[126] | Query, external LDAPS client to internal server |
| Out | Int | Ext | TCP | 636[127] | >1023 | Yes | Response, internal server to external LDAPS client |
| Out | Int | Ext | TCP | >1023 | 389[125] | [126] | Query, internal LDAP client to external server |
| In | Ext | Int | TCP | 389[125] | >1023 | Yes | Response, external server to internal LDAP client |
| Out | Int | Ext | TCP | >1023 | 636[127] | [126] | Query, internal LDAPS client to external server |
| In | Ext | Int | TCP | 636[127] | >1023 | Yes | Response, external server to internal LDAPS client |
[125]3268 for active directory service global catalog.
[126]ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
[127]3269 for active directory service global catalog.
20.5.3. Proxying Characteristics of LDAP
A large number of programs are available that claim to be LDAP proxies, but they are not all the sort of proxies that you normally think of in conjunction with firewalls. Many of them take LDAP queries and turn them into queries of other directories, using LDAP to give a unified view on complex information systems or providing transition service. Some proxies are intended to provide additional security, allowing you to use a single LDAP server for both internal and external service, by having the external users contact the proxy server.Surprisingly, the Netscape Web browser does not use SOCKS when connecting to an LDAP server. LDAP is a perfectly straightforward protocol and can be used with SOCKS without problems.
20.5.4. Network Address Translation Characteristics of LDAP
LDAP does not use embedded IP addresses and will work through a network address translation system without problems. However, LDAP servers may give out referrals, recommending that clients contact other servers, and those referrals may contain IP addresses. If you intend to place an LDAP server behind a network address translation system, you should be careful not to configure the server to make referrals that are impossible for clients to follow.
20.5.5. Summary of Recommendations for LDAP
- If you provide LDAP service to the Internet, use a dedicated LDAP server that does not contain confidential information or a proxy that will control access to data.
