One of the issues with using LDAP as an “Authentication” protocol for applications is that this usually means LDAP simple binds.  LDAP simple binds by default will pass the userId and userPassword in clear text between the client and the server.  This means that anyone or anything with access to that communication path can view the details and gain access to sensitive information.  It seems that because of how easy LDAP is to use,  applications tend to default to using simple binds for passing credentials to Active Directory (AD), which could pose security issues in your environment.

“But we are in a secure switched network environment.”

That is something I hear all the time, as an excuse why simple LDAP binds over SSL are not enforced requirements.   In reality, you are only limiting your exposure, not eliminating it in a switched network environment.  The same reasoning is often used with HTTP vs HTTPS, and it’s a false sense of security allowing for sensitive data to be submitted as clear text.

Issues with plaintext communications

The reality is, yes the network transport exposure is limited compared to a shared pipe, but the end points are still wide open.

Some of the points of concern would be:

  • LDAP traffic in the clear can be sniffed on the server/client endpoints very easily, and can be an easy way to capture sensitive information.
  • Network port mirroring to allow sniffing as part of troubleshooting.  The application owners, administrators maybe contractors or 3rd party consultants for an application which now have access to viewing the user credentials in the clear.  On a shared server environment,  where multiple applications are hosted, troubleshooting one by network sniffing, may expose visibility to credentials being passed to another unsecured application on the same server.
  • ARP Cache poisoning has been shown to be a way of getting to be the man in the middle allowing capturing of that conversation, and placing an attacking box watching your LDAP server without TLS would be a prime target for such an attack.
  • In theory,  a simple trojan could be installed on a client unwittingly can be set to listen for LDAP bind attempts within your enterprise because LDAPS is so uncommonly enforced.

Securing communications via SSL/TLS

To mitigate this,  the simplest way is to NOT use LDAP simple binds, and utilize a SASL bind which support the GSSAPI and can  use real authentication protocols like Kerberos via a  when authenticating users.  Of course this is not realistic, because LDAP has become the the lowest common denominator as far as application integration goes.  Many applications consider supporting LDAP as all they need to connect to Active Directory, and unfortunately convenience seems to outweigh security.

By utilizing SSL,  the transport is encrypted, and is hidden from any network sniffing attempts on both the client and the server endpoints. SSL is a oneway mechanism which identifies the trusted served to the client to open a secure tunnel for passing sensitive data protecting it from 3rd party viewing. While unencrypted traffic can be useful for troubleshooting, it is a better practice to require SSL for applications which utilize a simple bind if a SASL bind is not possible.  One of the drawbacks of SSL is that it does require a PKI infrastructure to be in place that supports issuing Server Authentication certificates to the directory server.  The clients also need to have the certificate hierarchy as a trusted chain in order to establish an SSL connection.  There is also an overhead for SSL communications as there are performance implications for encrypting all traffic as well, yet on today’s robust and often overpowered hardware, this should be an issue only for few deployments.

In the absence of certificates, Kerberos can also be used to Sign and Seal the conversation when using a Windows to Windows client and server which supports Kerberos, but this may leave out other platforms.

TLS is the modern, more secure, successor to SSL and can be used as a mutual (Client and Server) authentication mechanism to secure the connection as well, but I personally have not seen many applications from vendors widely supporting this.

Securing ADAM binds

When using an ADAM instance you can enforce the using of Secure Simple Binds by setting the RequireSecureSimpleBind and RequireSecureProxyBind values to 1 in the configuration of the instance.  It is important to note, that it will not stop the accepting of clear text bind attempts, but they will not successful.  So applications which are a not using LDAPS will not be able to bind, and will hopefully resolve the problem quickly if capable by switching to LDAPs.

Applications are the toughest to secure

So while in most cases the directory infrastructure can be configured quite simply to support SSL/TLS for simple bind operations,  it is the applications that must be configured to use the secure ports that will be the hardest task to implement.  Unfortunately this would require baseline security requirements for applications within your environment, which may not meet the business requirements if a much needed application does not have support for secure LDAP.   It will be up to your environment to which requirement trumps the other, but hopefully a secure environment is the preferred mind set.

Some External References:

How to enable LDAP over SSL with a third-party certification authority

ADSI Does a Simple Bind When You Specify ADS_USE_SSL

How to troubleshoot LDAP over SSL connection problems

Securing SunOne LDAP Directory with LDAP over SSL Cookbook

Sun’s JAVA LDAP SDK: Connecting to LDAP over SSL

SSL LDAP and OSX Leopard (10.5) issue

Disable simple bind without SSL on ADAM

ADAM Can be Forced to Only Allow Simple Bind on a Secure Channel

Troubleshooting LDAP over SSL

Lotus Domino SSL issue with using 4096bit certificates for SSL

  • I totally agree. Use SSL! One thing that is nice is that you can actually disable the ability to do unsecure simple binds on AD and ADAM. I have a post about this regarding ADAM here:
    <a href="…/ADAMCanBeForced” target=”_blank”>…/ADAMCanBeForced

  • I agree too but as you said PKI is a huge drawback when you think about a huge network. I know ppl does say "well it is easy to get certs to all". Yeah but it needs a very good planning.

  • Eric Huebner

    You can use public certificates from VeriSign and the like and it is a lot less of a problem since most Certificate Clients include the base certificates for public authorities like VeriSign.
    Some of the hardest challenges with LDAP come in two areas:
    1) Responses
    2) Availability
    In #1, LDAP is the "ODBC of the Directory." It doesn't care if your account is disabled, locked out, password expired or the like. The response is a binary pass/fail and no inkling about why your account is not 100% good to go without a lot of custom code.
    #2, LDAP is not inherently fault tolerant. You're only availability option is IP Load balancing in either hardware or software using persistent “sticky” connections since LDAP is connection oriented. Your application must also be able to handle an unexpected disconnection by checking for errors on every transaction. Bind/Unbind Session creation and tear down is expensive but long lasting connections to the directory are more likely to timeout or to be lost due to network and server conditions. Plus, you will have some fun crafting certificates that the OS will accept and recognize as well as contain the DNS alias name for you virtual, load balancer. Oh, and the SSL cert MUST be on the ADAM server if you intend on changing passwords as ADAM won't recognize the SSL connection if it is on the load balancer.
    Of course in the end, the key question is if the application is using SSL between it and the user. 🙂

  • RE: LDAP over SSL/TLS: How secure is your Directory?

    Pingback from Lotus Domino LDAP SSL certificate issue :