Understanding the cyber risks of the LDAP protocol

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. 

LDAP is a lightweight alternative to the X.500 Directory Access Protocol (DAP), designed to run directly over TCP/IP instead of the full OSI stack. It works on private intranets and across the public Internet, and because almost every directory product speaks it, it is the common way to authenticate against, read, and modify the entries in a directory. The directory services most often reached over LDAP are: 

  • OpenLDAP 
  • Active Directory  

The importance of the LDAP protocol 

LDAP matters because of the sheer amount of identity data that day-to-day administration depends on. Staff need to look up email addresses, usernames, group memberships, printers, and endpoints to do their jobs, and their credentials have to be checked somewhere. That information lives in the company directory, and LDAP is the protocol that connects applications to it. 

LDAP does not just store usernames and password hashes; it is also the channel through which applications authenticate users, typically by binding to the directory as that user with the supplied password. Combined with single sign-on (SSO), a user signs in once and gains access to every protected file and application that trusts the directory. 

LDAP and Active Directory 

To understand how LDAP is used in practice, it helps to understand its relationship with Active Directory. The two are not the same thing: Active Directory is Microsoft's directory service, and LDAP is one of the protocols it exposes so that clients and servers can talk to it. 

Microsoft Active Directory understands and speaks LDAP. Exchange Server, for example, authenticates and reads data held in Active Directory by sending LDAP requests to a domain controller. A business running Windows is almost certainly relying on LDAP, whether or not anyone configured it deliberately. 

LDAP is cross-platform and can be used to share information between different directory services over an IP network. Active Directory can be linked with macOS, Unix/Linux, and other non-Windows systems using LDAP. 

Who supports LDAP? 

LDAP is supported by the following directories:  

  • Apache Directory Server 
  • Active Directory 
  • Apple Open Directory 
  • 389 Directory Server 
  • eDirectory 
  • Red Hat Directory Server 
  • Oracle Internet Directory 
  • OpenDS 
  • Sun Java System Directory Server 
  • Oracle Unified Directory 
  • IBM Tivoli Directory Server 
  • Windows NT Directory Services (NTDS) 
  • Lotus Domino 
  • Critical Path Directory Server 
  • OpenLDAP 
  • Nexor Directory 
  • OpenDJ 

How does LDAP work? 

Ever wondered how LDAP works? When an application or user requests information from a directory server, the following high-level sequence takes place: 

Step 1: The client opens a TCP connection to the Directory System Agent (DSA), the directory server process, on port 389 (or port 636 for LDAP over TLS, known as LDAPS) to start an LDAP session. 

Step 2: The connection is established. The client normally authenticates at this point with a Bind operation, although LDAP also permits anonymous sessions. 

Step 3: The server and the client exchange messages. What happens here depends on the operations the client requests. LDAP defines a set of protocol operations; the ones used most are: 

Bind: Authenticates the client to the directory server, either anonymously, with a DN and password (simple bind), or through a SASL mechanism. 

Search: Returns the entries beneath a base DN that match a filter such as (uid=alice). This is the operation applications issue most often. 

Add: Adds a new entry to the directory. 

Delete: Removes an entry from the directory. 

Modify: Changes an existing entry through a list of add, delete, or replace operations on its attribute values. 

Unbind: Closes the session; the server discards any operations still in progress and drops the connection. (A single in-progress operation can also be cancelled with Abandon.) 

To reach directory data, an LDAP client talks to a Directory System Agent (DSA), the server that holds the directory. The DSA stores usernames, password hashes, group memberships, and other sensitive data, which is why it is such an attractive target. LDAP queries follow the hierarchical structure of the directory tree. When an entry is requested, the query identifies it by its Distinguished Name (DN), which spells out the object's full path from the root of the tree, for example uid=alice,ou=people,dc=example,dc=com. The leftmost component, the Relative Distinguished Name (RDN, here uid=alice), is what makes the entry unique among its siblings; everything to its right is the DN of the parent entry. 
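To make the DN and RDN structure concrete, here is a small parser written for this article (it is not code from the page's author or from any directory product) that splits a DN into its RDNs following the RFC 4514 escaping rules, handles multi-valued RDNs joined with +, and walks back up the tree to the parent entries. The function names are invented for the example and the DNs in it are constructed sample values under the reserved dc=example,dc=com suffix.

```python
"""Parse an LDAP Distinguished Name into its RDNs per RFC 4514 (added example)."""
import string


def split_unescaped(s: str, sep: str) -> list:
    """Split on `sep`, ignoring separators that are preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep escape pairs intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_value(v: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\XX' -> one raw byte (UTF-8 decoded at the end)."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(v[i + 1].encode())
                i += 2
            continue
        out.extend(v[i].encode())
        i += 1
    return out.decode()


def parse_dn(dn: str) -> list:
    """DN -> list of RDNs, leftmost first; each RDN is a list of (type, value) pairs."""
    if dn == "":
        return []                 # the empty DN names the root DSE
    rdns = []
    for rdn_text in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn_text, "+"):   # multi-valued RDNs join with '+'
            typ, eq, val = ava.partition("=")
            if not eq or not typ.strip():
                raise ValueError(f"malformed RDN: {rdn_text!r}")
            avas.append((typ.strip().lower(), unescape_value(val)))
        rdns.append(avas)
    return rdns


def rdn(dn: str) -> list:
    """The Relative Distinguished Name: the leftmost RDN of the DN."""
    return parse_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything to the right of the RDN is the DN of the parent entry."""
    return ",".join(split_unescaped(dn, ",")[1:])


def ancestors(dn: str) -> list:
    """Every entry above `dn`, nearest first, up to (but excluding) the root."""
    chain = []
    while dn:
        dn = parent_dn(dn)
        if dn:
            chain.append(dn)
    return chain


if __name__ == "__main__":
    # Constructed sample DN: an escaped comma inside a value and a two-valued RDN.
    sample = "cn=Smith\\, John+uid=jsmith,ou=people,dc=example,dc=com"
    print(parse_dn(sample))
    print(rdn(sample))
    print(ancestors(sample))
```

The escaped comma in the sample is the detail that trips up home-grown DN handling: a naive split on "," would break the entry's own name into two RDNs, and the same escaping rules are what stop a user-supplied value from being interpreted as extra DN components.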

How does LDAP authentication work? 

The LDAP protocol can be used to authenticate users. At a high level, once a user has submitted a username and password, the process runs in five stages: 

  1. The application, acting as the LDAP client, sends a Bind request to the LDAP server carrying the user's DN and password. 
  2. The server looks up that entry and checks the supplied password against the credential it holds. 
  3. The server returns a Bind result carrying a result code: 0 (success) if the DN and password match, 49 (invalidCredentials) if they do not. 
  4. The application grants or denies access on the strength of that result code alone. 
  5. The client sends an Unbind to end the session, or keeps the connection open for further operations. 

In practice most applications first bind with a service account and search for the user's entry to turn the submitted username into a DN, then perform the bind above as that DN. 

LDAPv3 supports the following methods of authenticating users: 

  • Simple – a DN and password sent inside the Bind request. Unless the connection is protected by TLS (LDAPS on port 636, or StartTLS on port 389), the password crosses the network in clear text and can be captured by anyone on the path. Note also that a DN with an empty password is an unauthenticated bind (RFC 4513); some servers, Active Directory among them, answer it with success as an anonymous session, so an application that treats any success result as a login can be bypassed with a blank password. Reject empty passwords before binding. 
  • Anonymous – a Bind with no DN and no password, or no Bind at all. It proves nothing about the client, so whatever the server exposes to anonymous sessions is effectively public; restrict anonymous reads to the bare minimum. 
  • SASL (Simple Authentication and Security Layer) – a framework that negotiates a mechanism such as GSSAPI (Kerberos), DIGEST-MD5, or EXTERNAL (TLS client certificates). With a strong mechanism it is the most secure option; weak mechanisms such as PLAIN are only acceptable over TLS. 
  • SAML is not an LDAP method but a separate federation protocol used for SSO; unlike LDAP it extends to web applications and cloud services, and the identity provider issuing SAML assertions is frequently backed by an LDAP directory. 
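The five-stage bind exchange above, and the cleartext nature of a simple bind, are easiest to see on the wire. The following Python is an added example for this article, not code from the original page or from any LDAP server: it hand-encodes an LDAPv3 BindRequest and BindResponse in BER as laid out in RFC 4511, lets a toy server check the credentials against a constructed DN-to-password table (a real DSA would hold hashes), and decodes the result code on the client side. Function names, the credential table and the sample DN are invented for the example. Run stand-alone it prints the request bytes, with the password readable inside them, and then the decoded response.

```python
"""Hand-encoded LDAPv3 simple bind exchange (RFC 4511 BER), both sides, offline."""

# --- minimal BER helpers -----------------------------------------------------------
def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER (tag 0x02) or ENUMERATED (tag 0x0A)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(size, "big", signed=True))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


# --- LDAP result codes used below (RFC 4511 section 4.1.9) ---------------------------
SUCCESS, PROTOCOL_ERROR, AUTH_METHOD_NOT_SUPPORTED = 0, 2, 7
INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 49, 53


# --- client side -----------------------------------------------------------------------
def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] { version 3, name, [0] simple password } }"""
    auth = tlv(0x80, password.encode())            # context tag [0]: the cleartext password
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth)
    return tlv(0x30, ber_int(message_id) + op)


def unbind_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 2] NULL }"""
    return tlv(0x30, ber_int(message_id) + bytes([0x42, 0x00]))


def parse_bind_response(msg: bytes) -> dict:
    _, body, _ = parse_tlv(msg)
    _, mid, pos = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = parse_tlv(op)
    _, matched, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


# --- server side -----------------------------------------------------------------------
def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """[APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }"""
    result = ber_int(result_code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))


def handle_bind(request: bytes, credentials: dict) -> bytes:
    """Toy DSA: check a simple bind against a constructed DN -> password table."""
    _, body, _ = parse_tlv(request)
    _, mid, pos = parse_tlv(body)
    message_id = int.from_bytes(mid, "big", signed=True)
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x60:
        return bind_response(message_id, PROTOCOL_ERROR, "expected BindRequest")
    _, _version, pos = parse_tlv(op)
    _, name, pos = parse_tlv(op, pos)
    auth_tag, secret, _ = parse_tlv(op, pos)
    if auth_tag != 0x80:
        return bind_response(message_id, AUTH_METHOD_NOT_SUPPORTED, "simple bind only")
    if secret == b"":
        # RFC 4513 section 5.1.2: DN plus empty password is an *unauthenticated* bind;
        # refuse it rather than let an application mistake it for a successful login.
        return bind_response(message_id, UNWILLING_TO_PERFORM, "unauthenticated bind refused")
    if credentials.get(name.decode()) != secret.decode():
        return bind_response(message_id, INVALID_CREDENTIALS, "")
    return bind_response(message_id, SUCCESS, "")


# Constructed credential table for the toy server (real servers store password hashes).
CREDENTIALS = {"uid=alice,ou=people,dc=example,dc=com": "Hunter2!"}

if __name__ == "__main__":
    req = bind_request(1, "uid=alice,ou=people,dc=example,dc=com", "Hunter2!")
    print(req.hex())                       # the password is readable in these bytes
    print(parse_bind_response(handle_bind(req, CREDENTIALS)))
    print(parse_bind_response(handle_bind(bind_request(2, "uid=alice,ou=people,dc=example,dc=com", ""), CREDENTIALS)))
```

Two things to check in your own integrations follow directly from the bytes: the TCP connection carrying this request must be under TLS, because nothing in the message protects the password, and a result code of 0 should only be treated as a login when the password you sent was non-empty.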

LDAP authentication is supported by the following, among many others: 

  • Docker 
  • Jenkins 
  • Samba servers on Linux 
  • OpenVPN 

LDAP protocol and cybersecurity risks 

Using LDAP brings its own cybersecurity risks, the most widely exploited being LDAP injection. LDAP injection is an attack in which input supplied to a web application is concatenated, unescaped, into an LDAP search filter or DN, so that characters such as *, ( and ) change the meaning of the query instead of being treated as data. Depending on what the query is used for, the result can be authentication bypass, account hijacking, disclosure of directory contents, or privilege escalation. 

How to avoid an LDAP injection attack

The threat from LDAP injection can be minimised by combining the following methods: 

  • Escape user-controlled input – Escape every user-supplied value with the rules of RFC 4515 (for filters) or RFC 4514 (for DNs) so that characters such as *, (, ), \ and NUL reach the directory as literal string values rather than LDAP predicates. 
  • Enforce server-side input validation – Check all input against an allow-list of permitted characters and formats on the server before it goes anywhere near a filter; client-side checks can be bypassed. 
  • Apply the principle of least privilege – Bind the application with a dedicated directory account that can read only the attributes it needs and cannot write, so that even a successful injection cannot reach password hashes or alter entries. Never compare a password inside a search filter; verify it by binding as the user. 
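The three mitigations above, demonstrated together. This is an added example written for this article rather than code from the original page or from any library: a login filter that concatenates input the unsafe way, its hardened counterpart that validates against an allow-list and escapes per RFC 4515, and a small filter evaluator run over a constructed three-entry directory so the difference in behaviour is visible without a live server. The function and entry names are invented, and the constructed entries hold cleartext passwords only so that the "password in the filter" anti-pattern can be shown failing.

```python
"""LDAP injection: an unsafe filter builder beside its hardened form, exercised
against a tiny in-memory directory with a minimal RFC 4515 filter evaluator."""
import re

# Constructed sample directory (not real data). Passwords are stored in clear only so
# the vulnerable pattern can be demonstrated; real directories store hashes and the
# application verifies a password by binding as the user, never by searching for it.
DIRECTORY = [
    {"dn": "uid=admin,ou=people,dc=example,dc=com", "objectclass": ["person"],
     "uid": ["admin"], "userpassword": ["Adm1nPass"]},
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "objectclass": ["person"],
     "uid": ["alice"], "userpassword": ["s3cret"]},
    {"dn": "cn=printer1,ou=devices,dc=example,dc=com", "objectclass": ["device"],
     "cn": ["printer1"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: characters with filter meaning become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")   # allow-list for a login name


def vulnerable_login_filter(username: str, password: str) -> str:
    """String concatenation: user input becomes LDAP predicates."""
    return f"(&(uid={username})(userPassword={password}))"


def hardened_login_filter(username: str) -> str:
    """Allow-list validation first, then escaping; the password never enters a filter."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allow-list")
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


# --- minimal filter evaluator: &, |, !, presence, equality and '*' substrings ------------
def parse_filter(s: str, i: int = 0):
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.lower(), val), end + 1


def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def matches(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                      # presence filter: any value at all
        return bool(values)
    # A raw '*' is a wildcard; an escaped one (\2a) is a literal after unescaping.
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    rx = re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)
    return any(rx.match(v) for v in values)


def search(filter_str: str, directory=DIRECTORY) -> list:
    """Return the DNs of entries matching the filter, in directory order."""
    node, _ = parse_filter(filter_str)
    return [e["dn"] for e in directory if matches(node, e)]


if __name__ == "__main__":
    print(search(vulnerable_login_filter("alice", "s3cret")))   # intended use: alice only
    print(search(vulnerable_login_filter("*", "*")))            # bypass: every person entry
    print(search(hardened_login_filter("alice")))
    try:
        hardened_login_filter("*")
    except ValueError as err:
        print("rejected:", err)
```

With the username and password both set to "*", the vulnerable filter becomes (&(uid=*)(userPassword=*)), two presence tests that every user entry satisfies, and an application that logs in whoever comes back first hands the attacker the admin account. The hardened path rejects "*" at validation, and even if the escaped form (uid=\2a) reached the directory it would only match a user literally named "*". The search then returns nothing but the DN, which the application uses for a bind with the user's password; the account that performs that search needs read access to uid alone, which is the least-privilege point from the list above.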

Get in touch with RiskXchange to find out more. 

How RiskXchange can help  

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers. 

With full visibility over your ecosystem's entire attack surface in near real-time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.   

About RiskXchange 

RiskXchange provides a powerful AI-assisted, yet simple automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cyber security risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world.  

RiskXchange is an information security technology company, which helps companies of all sizes fight the threat of cyberattack by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.  

Find out more here