Forum Discussion
LDAP 389 - Can we disable it
Yes, you can disable LDAP on port 389 and fully replace it with LDAPS on port 636. LDAPS is the secure version of LDAP that uses SSL/TLS encryption to protect communications between the client and server. To make this replacement, you'll need to configure and enable SSL/TLS support on the LDAP server and update the LDAP client settings to connect to the server using LDAPS on port 636. Please note that after disabling LDAP on port 389, clients still using that configuration won't be able to connect to the LDAP server until their settings are updated.
When LDAP is used without encryption (on port 389), the information is transmitted in plaintext, which means that someone intercepting the network traffic can read the data, including passwords. Passwords are not necessarily represented as hexadecimal values but as plain text strings. This makes the LDAP protocol vulnerable to "sniffing" or eavesdropping attacks, especially when transmitting passwords and sensitive information. By using LDAPS (on port 636) or StartTLS, you add an SSL/TLS encryption layer, protecting the transmitted information from being intercepted and read by third parties.
- aditya333 Sep 22, 2023 Copper Contributor
Is it possible to deactivate LDAPv2 completely on the server side and only allow LDAPv3?
- josequintino Sep 22, 2023 MCT
Hi aditya333,
Certainly, here are more detailed steps for disabling LDAPv2 and enabling LDAPv3 on the server side, using the example of OpenLDAP, which is a popular open-source LDAP server software. Please adapt these steps to your specific LDAP server software as needed:
Note: Always make sure to backup your LDAP server configuration files before making any changes to them, and thoroughly test changes in a non-production environment before applying them to a production system.
1. Identify OpenLDAP Configuration Files
- OpenLDAP typically uses a configuration file named `slapd.conf` or `slapd.conf.d` (for newer versions).
- The location of the configuration file can vary depending on your system and how OpenLDAP was installed.
2. Edit the Configuration File
- Use a text editor to open the `slapd.conf` or relevant configuration file for your OpenLDAP installation.
3. Locate Protocol Configuration
- Inside the configuration file, locate the section that deals with protocol configuration. This section may be named something like `# Global Directives` or `# LDAP Backend Configuration`.
4. Disable LDAPv2
- To disable LDAPv2, you can add or modify the following directive:
# LDAPv2 binds are refused unless explicitly enabled: remove any "allow bind_v2" line
5. Enable LDAPv3
- By default, LDAPv3 is typically enabled in OpenLDAP. However, you can ensure that it's enabled by verifying that there are no directives explicitly disabling it.
6. Save the Configuration File
- Save your changes to the configuration file.
7. Restart OpenLDAP
- Restart the OpenLDAP server to apply the new configuration. The command to do this depends on your operating system but might look something like:
systemctl restart slapd
8. Test LDAPv3
- To verify that LDAPv2 has been disabled and LDAPv3 is active, you can use an LDAP client that supports LDAPv3.
- Attempt to connect to the LDAP server using LDAPv2. The server should either reject the connection or negotiate the use of LDAPv3.
- You can use command-line tools like `ldapsearch` to test the connection.
9. Monitor Logs and Access
- Continuously monitor the server logs for any unexpected behavior.
- Ensure that all LDAP client applications are configured to use LDAPv3 as well.
10. Documentation and Support
- Refer to the official OpenLDAP documentation for more details on configuration options and troubleshooting.
- Join the OpenLDAP community or forums for support and guidance from experienced users.
Please note that the steps and configuration file locations can vary based on your specific OpenLDAP version and the operating system you're using. Always refer to the documentation for your LDAP server software for the most accurate and up-to-date information on configuration options.
- aditya333 Oct 11, 2023 Copper Contributor
Hi josequintino. Thanks for the steps. I am using Active Directory as my LDAP server. As you mentioned, the steps should be similar to OpenLDAP, but if you could please share with me the steps to disable LDAPv2 and enable LDAPv3 for AD, it would greatly help.
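As an added example (not code from the thread or from the OpenLDAP project), a small audit of the setting in steps 4 and 5 of josequintino's OpenLDAP instructions above: it joins slapd.conf continuation lines, collects the features enabled by `allow` (or `olcAllows:` in the cn=config backend), and reports whether `bind_v2` is among them. The sample configurations are constructed for this example.

```python
"""Audit an OpenLDAP configuration for LDAPv2 bind support.

In slapd.conf the 'allow' directive enables optional features and
'bind_v2' is one of them; it is off unless listed. The cn=config
backend stores the same setting as the 'olcAllows' attribute.
"""
import re

# Feature names accepted by 'allow' according to slapd.conf(5).
KNOWN_ALLOW_FEATURES = {"bind_v2", "bind_anon_cred", "bind_anon_dn",
                        "update_anon", "proxy_authz_anon"}

# Constructed sample configs (not taken from the forum thread).
WEAK_CONF = """\
# Global Directives
include   /etc/openldap/schema/core.schema
allow     bind_anon_cred
          bind_v2
disallow  bind_anon
"""
FIXED_CONF = """\
# Global Directives
include   /etc/openldap/schema/core.schema
disallow  bind_anon
"""
CN_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
olcAllows: bind_v2
"""

def _logical_lines(text):
    """Unwrap continuation lines (a line that starts with whitespace
    continues the previous one), then drop blank and comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def allowed_features(text):
    """Return the lower-cased set of features enabled by every
    'allow' (slapd.conf) or 'olcAllows:' (cn=config) directive."""
    found = set()
    for line in _logical_lines(text):
        m = re.match(r"(?i)^(?:allow\s+|olcAllows:\s*)(.+)$", line)
        if m:
            found.update(tok.lower() for tok in m.group(1).split())
    return found

def ldapv2_bind_allowed(text):
    """True when the server would accept LDAPv2 bind requests."""
    return "bind_v2" in allowed_features(text)

def unknown_features(text):
    """Tokens that are not valid 'allow' features (slapd refuses to
    start on these, e.g. a stray 'false' after bind_v2)."""
    return allowed_features(text) - KNOWN_ALLOW_FEATURES

if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("fixed", FIXED_CONF),
                       ("cn=config", CN_CONFIG_LDIF)]:
        print(name, "LDAPv2 bind allowed:", ldapv2_bind_allowed(conf))
```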