
LDAP Security Issues

RFC 2829 – Authentication Methods for LDAP (since superseded by RFC 4513, which carries the same threat model forward) defines the basic threats to an LDAP directory service:

  1. Unauthorized access to data via data-fetching operations,
  2. Unauthorized access to reusable client authentication information by monitoring others' access,
  3. Unauthorized access to data by monitoring others' access,
  4. Unauthorized modification of data,
  5. Unauthorized modification of configuration,
  6. Unauthorized or excessive use of resources (denial of service), and
  7. Spoofing of directory: Tricking a client into believing that information came from the directory when in fact it did not, either by modifying data in transit or misdirecting the client's connection.

Threats (1), (4), (5) and (6) are due to hostile clients. Threats (2), (3) and (7) are due to hostile agents on the path between client and server, or posing as a server.


Protecting LDAP Security

RFC 2829 – Authentication Methods for LDAP also defines the mechanisms by which the LDAP protocol suite can be protected:

  1. Client authentication by means of the SASL mechanism set, possibly backed by the TLS credentials exchange mechanism,
  2. Client authorization by means of access control based on the requestor's authenticated identity,
  3. Data integrity protection by means of the TLS protocol or data-integrity SASL mechanisms,
  4. Protection against snooping by means of the TLS protocol or data-encrypting SASL mechanisms,
  5. Resource limitation by means of administrative limits on service controls, and
  6. Server authentication by means of the TLS protocol or SASL mechanism.

LDAP Authentication Types

LDAP v3 specifies three authentication types:

  • No Authentication (an anonymous bind)
  • Simple Authentication (a "simple bind" with a DN and password; often called "basic" authentication by analogy with HTTP)
  • Simple Authentication and Security Layer (SASL)

At the protocol level (RFC 4511) the Bind operation carries only two choices, simple and SASL; an anonymous bind is a simple bind with an empty name and an empty password.

The use of "No Authentication" is acceptable when sharing public data. On any directory that holds more than public data, anonymous binds should be disabled or tightly scoped, because everything the access control grants to anonymous users is readable by anyone who can reach the port. A related pitfall is the "unauthenticated" bind, a non-empty DN with an empty password: RFC 4513 (section 5.1.2) says servers should fail such binds by default, because a server that treats them as successful anonymous binds lets any application that forgets to reject an empty password field "authenticate" an arbitrary user.

Simple Authentication resembles Basic Authentication under HTTP: the client sends a DN (Distinguished Name) and a password. HTTP Basic Base64-encodes the credentials; LDAP does not even do that, the password travels as a plain OCTET STRING inside the BER-encoded BindRequest. Either way the password is readable by anyone who can observe the connection, so a simple bind should only be sent over TLS (LDAPS on port 636 or StartTLS on port 389), and servers can be configured to refuse simple binds that arrive without transport protection.
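To make the cleartext point concrete, here is an added example (not code from the original page) that builds an LDAPv3 simple BindRequest the way RFC 4511 lays it out in BER, decodes it the way a passive observer on the path would (threats 2 and 3 above, and protection mechanism 4), and then applies a hypothetical server-side bind policy modeled on RFC 4513 section 5.1 and OpenLDAP's `security simple_bind=` setting. The DN, the password `hunter2`, and the `bind_policy` decision strings are constructed for the example.

```python
"""Wire-level view of an LDAPv3 simple bind (RFC 4511 BindRequest, BER-encoded).

Added example: the DN, password and policy strings below are constructed, and
bind_policy is a hypothetical policy modeled on RFC 4513 5.1 / OpenLDAP simple_bind=.
"""

# Tags from RFC 4511 / X.690.
SEQUENCE = 0x30          # universal, constructed
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80       # AuthenticationChoice: simple [0] OCTET STRING (primitive)


def _ber_len(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER contents for a non-negative n."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return (b"\x00" + body) if body[0] & 0x80 else body


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    bind = _tlv(BIND_REQUEST,
                _tlv(INTEGER, _ber_int(3))
                + _tlv(OCTET_STRING, dn.encode("utf-8"))
                + _tlv(SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(SEQUENCE, _tlv(INTEGER, _ber_int(message_id)) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(wire: bytes) -> dict:
    """What anyone on the path sees: DN and password, no encoding beyond BER."""
    tag, msg, _ = _read_tlv(wire, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != SIMPLE_AUTH:
        raise ValueError("not a simple bind (SASL credentials present)")
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "dn": name.decode("utf-8"),
            "password": cred.decode("utf-8")}


def bind_policy(req: dict, tls_protected: bool) -> str:
    """Hypothetical server-side decision for a decoded simple bind."""
    if not req["dn"] and not req["password"]:
        return "anonymous"                      # RFC 4513 5.1.1: only if the server permits it
    if req["dn"] and not req["password"]:
        return "reject: unauthenticated bind"   # RFC 4513 5.1.2: SHOULD fail by default
    if not tls_protected:
        return "reject: cleartext simple bind"  # password would cross the network readable
    return "authenticate"                       # now compare against the entry's credential


if __name__ == "__main__":
    wire = simple_bind_request(1, "cn=admin,dc=example,dc=com", "hunter2")
    print(wire.hex())                        # the ASCII of "hunter2" is plainly visible
    print(decode_simple_bind(wire))
    print(bind_policy(decode_simple_bind(wire), tls_protected=False))
```

Running the script prints the 47-byte request in hex; the password bytes sit at the end of it unchanged, which is the whole of threat (2). The policy function is where a server would hang the RFC 4513 rules: anonymous only where permitted, unauthenticated binds refused, and password-carrying simple binds refused unless the connection already has TLS (or a SASL security layer) underneath it.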

SASL (Simple Authentication and Security Layer) is a framework for plugging in alternative security mechanisms, negotiated by name in the SASL bind. Mechanisms that have been registered for it include:

  • KERBEROS_V4 (obsolete)
  • S/Key (obsolete)
  • GSSAPI (Kerberos 5; the usual choice in Active Directory and other Kerberos realms)
  • CRAM-MD5 (challenge-response; relies on MD5 and requires the server to keep a cleartext-equivalent secret)
  • DIGEST-MD5 (challenge-response; moved to Historic by RFC 6331)
  • EXTERNAL (identity taken from the transport, typically a TLS client certificate)
  • PLAIN (name and password, only ever acceptable under TLS)
  • ANONYMOUS

TLS itself is not a SASL mechanism. It provides the server authentication and confidentiality that mechanisms such as PLAIN rely on, and it supplies the credentials that EXTERNAL authenticates.
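As an added example (not from the original page) of how a SASL challenge-response mechanism differs from a simple bind, the following implements CRAM-MD5 from RFC 2195 with both sides of the exchange, checks it against the RFC's own test vector, and then shows the offline guessing attack a passive observer can still mount on a captured challenge and response. The user names, passwords, hostname and wordlist are constructed for the example, and `server_challenge`, `client_response`, `server_verify` and `offline_guess` are the example's own names, not an LDAP library's API.

```python
"""SASL CRAM-MD5 (RFC 2195) as carried by an LDAP SASL bind.

Added example. In LDAP the server's challenge travels in serverSaslCreds of the
first BindResponse and the client's answer in SaslCredentials of the second
BindRequest; the strings here are those raw credentials. Names and secrets are
constructed for the example.
"""
import hashlib
import hmac
import secrets
import time


def server_challenge(hostname: str) -> str:
    """Unique, unpredictable challenge in the RFC 2195 '<random.timestamp@host>' shape."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>"


def client_response(username: str, password: str, challenge: str) -> str:
    """'user hex(HMAC-MD5(key=password, msg=challenge))'; the password never leaves the client."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response: str, challenge: str, password_store: dict) -> bool:
    """The server must hold the cleartext (or an MD5 context of it) to recompute the HMAC,
    so a directory offering CRAM-MD5 cannot store only a salted password hash."""
    username, _, digest = response.partition(" ")
    if username not in password_store or len(digest) != 32:
        return False
    expected = client_response(username, password_store[username], challenge)
    return hmac.compare_digest(expected, response)


def offline_guess(challenge: str, captured_response: str, wordlist):
    """Passive attacker with the captured pair replays the client computation per candidate.
    Nothing is sent to the server, so lockout and rate limits never fire."""
    username, _, _ = captured_response.partition(" ")
    for candidate in wordlist:
        if hmac.compare_digest(client_response(username, candidate, challenge), captured_response):
            return candidate
    return None


if __name__ == "__main__":
    store = {"alice": "correct horse battery"}          # constructed credential store
    ch = server_challenge("ldap.example.com")
    resp = client_response("alice", store["alice"], ch)
    print("challenge :", ch)
    print("response  :", resp)
    print("accepted  :", server_verify(resp, ch, store))
    print("replayed  :", server_verify(resp, server_challenge("ldap.example.com"), store))
    print("guessed   :", offline_guess(ch, resp, ["password", "correct horse battery"]))
```

The exchange keeps the reusable password off the wire and a fresh challenge defeats replay, which is the improvement over a simple bind. It does not stop threat (2) outright: the observer takes the challenge/response pair away and guesses at leisure, and the server side has to keep a secret that is as good as the password itself. That, plus MD5, is why the mechanism is best replaced by GSSAPI, EXTERNAL, or PLAIN inside TLS.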