LDAP Over SSL
25 October 2021
What is LDAP
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, cross-platform protocol (defined in RFC 4511) that applications use to query and modify directory services. By default the traffic between client and server is not encrypted, so anyone who can monitor the network can read it, including any credentials sent in an LDAP bind. With Active Directory, LDAP is served by every domain controller, so encryption is something you configure at the domain controller level.
What is LDAPS
LDAPS is not a different protocol from LDAP: it is the same LDAP messages carried inside an SSL/TLS session, so the credentials and directory data pass over the network encrypted. TLS uses certificates to authenticate the server and establish the secure connection between client and server.
Following are the reasons for enabling LDAP over SSL:
- When an application authenticates to Active Directory Domain Services with a simple bind, the bind DN and password cross the network in clear text. Use LDAP over SSL so that the simple bind is encrypted.
- Applications integrated with Active Directory often need (or are required by policy to use) encrypted communication with the directory. Enabling LDAP over SSL provides it.
Enabling LDAP over SSL:
LDAP over SSL is enabled automatically when you install an Enterprise Root CA on a domain controller, because the domain controller then enrolls for a certificate it can use for server authentication. Without an Enterprise CA you must install a suitable certificate on each domain controller yourself.
Following are the requirements the certificate must meet for LDAPS to work:
- The LDAPS certificate must be in the local computer's Personal certificate store (not the current user's store).
- The private key associated with the certificate must be present in the local computer store, so the domain controller can use it.
- The certificate must be issued by a CA that both the domain controller and the clients trust.
- The certificate must carry the domain controller's fully qualified domain name (in the Subject or Subject Alternative Name) and the Server Authentication enhanced key usage, otherwise clients that validate the certificate will reject the connection.
How LDAPS works
By default LDAP uses TCP port 389; LDAPS uses TCP port 636 (and 3269 for the Global Catalog, compared with 3268 in the clear). The Microsoft SSL provider (Schannel) picks the first certificate it finds in the local computer store that looks suitable. If several certificates are present, it may not pick the one you intended, so keep the store clean and check which certificate is actually being served on port 636.
- The client opens a TCP connection to port 636 and starts the SSL/TLS handshake; the server presents its certificate.
- The client validates that certificate: the chain must lead to a CA it trusts, and the name in the certificate must match the domain controller's FQDN it connected to. If validation fails, the client should abort before sending anything.
- Inside the now-encrypted session the client sends a bind request (for example a simple bind with DN and password), which the domain controller checks against the directory and answers with a bind response.
- The client then sends its searches and other operations over the same encrypted session, and the domain controller returns the responses.
- When finished, the client sends an unbind request and closes the connection.
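The following is an added example, not code from the original post, that shows both points above at the byte level: what a simple bind on port 389 looks like to anyone watching the wire, and the same bind sent inside a validated TLS session to port 636. The message layout follows RFC 4511 (BER encoding); the DN, password and host name are placeholders, and the "captured" bytes are constructed locally, so everything except `ldaps_simple_bind()` runs with no network.

```python
"""LDAP simple bind on the wire: in the clear (389) and inside TLS (636).

Added example for this post, not code from the page. Message layout per
RFC 4511 / BER. The DN, password and host used here are placeholders and the
captured bytes are constructed locally; only ldaps_simple_bind() needs a DC.
"""
from __future__ import annotations

import socket
import ssl

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """INTEGER, two's complement, minimal length."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = tlv(0x60,                              # [APPLICATION 0] BindRequest
               ber_int(3)                         # version
               + tlv(0x04, dn.encode())           # name: LDAPDN (OCTET STRING)
               + tlv(0x80, password.encode()))    # authentication: simple [0]
    return tlv(0x30, ber_int(msg_id) + bind)      # LDAPMessage SEQUENCE

def sniff_simple_bind(packet: bytes) -> dict:
    """What a passive observer of port 389 recovers from one bind: DN and password."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        return {}                                 # some other LDAP operation
    _, version, pos = read_tlv(bind)
    _, dn, pos = read_tlv(bind, pos)
    auth_tag, cred, _ = read_tlv(bind, pos)
    return {
        "message_id": int.from_bytes(msg_id, "big", signed=True),
        "version": version[0],
        "dn": dn.decode(),
        "auth": "simple" if auth_tag == 0x80 else "sasl",
        "password": cred.decode() if auth_tag == 0x80 else None,
    }

def parse_bind_response(packet: bytes) -> tuple[int, str]:
    """(resultCode, diagnosticMessage) from a BindResponse; 0 means success."""
    _, msg, _ = read_tlv(packet)
    _, _msg_id, pos = read_tlv(msg)
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:                               # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(resp)                 # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    return code[0], diag.decode(errors="replace")

def ldaps_simple_bind(host: str, dn: str, password: str,
                      port: int = 636, ca_file: str | None = None) -> tuple[int, str]:
    """Same BindRequest bytes, but inside a TLS session to port 636.

    create_default_context() enforces CERT_REQUIRED and hostname checking, so
    the server certificate must chain to a trusted CA (ca_file or the system
    store) and carry the domain controller's FQDN in its subject/SAN.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(simple_bind_request(1, dn, password))
        response = tls.recv(4096)                 # a BindResponse fits in one read
        tls.sendall(tlv(0x42, b""))               # [APPLICATION 2] UnbindRequest
    return parse_bind_response(response)

if __name__ == "__main__":
    import sys
    # Constructed capture: the bytes a client sends to port 389 (placeholder DN/password).
    wire = simple_bind_request(1, "CN=svc-app,OU=Service,DC=corp,DC=example", "P@ssw0rd!")
    print(wire.hex())
    print("recovered by a sniffer:", sniff_simple_bind(wire))
    if len(sys.argv) >= 4:   # script.py dc01.corp.example "<bindDN>" "<password>" [ca.pem]
        print(ldaps_simple_bind(*sys.argv[1:4], ca_file=sys.argv[4] if len(sys.argv) > 4 else None))
```

Running the script with no arguments prints the hex of the bind and the DN and password decoded straight back out of it, which is exactly what a network monitor sees on port 389. With a domain controller's FQDN, a bind DN and a password on the command line it performs the same bind over LDAPS; if the certificate does not chain to a trusted CA or does not carry that FQDN, `wrap_socket` raises `ssl.SSLCertVerificationError` before any credential leaves the client, which is the behaviour the certificate requirements above exist to guarantee.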