Forum Discussion
LDAP 389 - Can we disable it
Yes, you can disable LDAP on port 389 and fully replace it with LDAPS on port 636. LDAPS is the secure version of LDAP that uses SSL/TLS encryption to protect communications between the client and server. To make this replacement, you'll need to configure and enable SSL/TLS support on the LDAP server and update the LDAP client settings to connect to the server using LDAPS on port 636. Please note that after disabling LDAP on port 389, clients still using that configuration won't be able to connect to the LDAP server until their settings are updated.
When LDAP is used without encryption (on port 389), the information is transmitted in plaintext, which means that someone intercepting the network traffic can read the data, including passwords. Passwords are not necessarily represented as hexadecimal values but as plain text strings. This makes the LDAP protocol vulnerable to "sniffing" or eavesdropping attacks, especially when transmitting passwords and sensitive information. By using LDAPS (on port 636) or StartTLS, you add an SSL/TLS encryption layer, protecting the transmitted information from being intercepted and read by third parties.
- josequintino, Sep 22, 2023, MCT
Hi aditya333,
Certainly, here are more detailed steps for disabling LDAPv2 and enabling LDAPv3 on the server side, using the example of OpenLDAP, which is a popular open-source LDAP server software. Please adapt these steps to your specific LDAP server software as needed:
Note: Always make sure to backup your LDAP server configuration files before making any changes to them, and thoroughly test changes in a non-production environment before applying them to a production system.
1. Identify OpenLDAP Configuration Files
- OpenLDAP typically uses a configuration file named `slapd.conf` or `slapd.conf.d` (for newer versions).
- The location of the configuration file can vary depending on your system and how OpenLDAP was installed.
2. Edit the Configuration File
- Use a text editor to open the `slapd.conf` or relevant configuration file for your OpenLDAP installation.
3. Locate Protocol Configuration
- Inside the configuration file, locate the section that deals with protocol configuration. This section may be named something like `# Global Directives` or `# LDAP Backend Configuration`.
4. Disable LDAPv2
- To disable LDAPv2, you can add or modify the following directive:
# slapd refuses LDAPv2 binds unless they are explicitly allowed, so make sure
# no "allow bind_v2" line is present (comment it out if there is one):
# allow bind_v2
5. Enable LDAPv3
- By default, LDAPv3 is typically enabled in OpenLDAP. However, you can ensure that it's enabled by verifying that there are no directives explicitly disabling it.
6. Save the Configuration File
- Save your changes to the configuration file.
7. Restart OpenLDAP
- Restart the OpenLDAP server to apply the new configuration. The command to do this depends on your operating system but might look something like:
systemctl restart slapd
8. Test LDAPv3
- To verify that LDAPv2 has been disabled and LDAPv3 is active, you can use an LDAP client that supports LDAPv3.
- Attempt to connect to the LDAP server using LDAPv2. The server should either reject the connection or negotiate the use of LDAPv3.
- You can use command-line tools like `ldapsearch` to test the connection.
9. Monitor Logs and Access
- Continuously monitor the server logs for any unexpected behavior.
- Ensure that all LDAP client applications are configured to use LDAPv3 as well.
10. Documentation and Support
- Refer to the official OpenLDAP documentation for more details on configuration options and troubleshooting.
- Join the OpenLDAP community or forums for support and guidance from experienced users.
Please note that the steps and configuration file locations can vary based on your specific OpenLDAP version and the operating system you're using. Always refer to the documentation for your LDAP server software for the most accurate and up-to-date information on configuration options.
- aditya333, Oct 11, 2023, Copper Contributor
Hi josequintino. Thanks for the steps. I am using Active Directory as my LDAP server. As you mentioned, the steps should be similar to OpenLDAP, but if you could please share with me the steps to disable LDAPv2 and enable LDAPv3 for AD, it would greatly help.
- josequintino, Feb 28, 2024, MCT
Hello aditya333,
The process of disabling LDAPv2 and enabling LDAPv3 in Active Directory (AD) is inherently managed by the AD system itself, as it natively supports LDAPv3. In fact, modern Active Directory installations do not support LDAPv2 out of the box due to its outdated and less secure nature.
Here are the steps to ensure that LDAPv3 is used and to restrict the use of LDAPv2:
1. Verify LDAPv3 Support:
- Active Directory supports LDAPv3 by default. You can confirm the LDAP version by examining the RootDSE using a tool like `ldp.exe` or `adsiedit.msc`.
- To view the supported LDAP versions, you can connect to your AD LDAP service using `ldp.exe`, bind to the server, and then view the `supportedLDAPVersion` attribute in the RootDSE.
2. Disable LDAPv2 (if necessary):
- It is unlikely that you will need to disable LDAPv2 explicitly as it is not supported in modern AD environments. However, if you are using an older version of AD and need to disable LDAPv2, you might need to make registry changes or apply group policy settings. Since modifying the registry can be risky, it is highly recommended that you back up your registry before proceeding and ensure that you are working on a test environment first.
- You would need to navigate to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters` and ensure that the `LDAPServerIntegrity` value is set to enforce LDAP signing, which inherently requires LDAPv3.
3. Enforce LDAP Signing:
- To improve security, you should enforce LDAP signing. This can be done through Group Policy:
- Open `Group Policy Management Console` (gpmc.msc).
- Navigate to `Default Domain Controllers Policy`.
- Go to `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> `Local Policies` -> `Security Options`.
- Find and enable the policy `Domain controller: LDAP server signing requirements` and set it to `Require signing`.
4. Test Your Configuration:
- After you have made the changes, test your LDAP clients to ensure they can connect and authenticate using LDAPv3.
- Use tools like `ldp.exe` on a Windows machine or `ldapsearch` on Linux to verify that the connection is successful and that no clients are attempting to use LDAPv2.
5. Monitor and Review Logs:
- Check your Directory Service logs in the Event Viewer for any warnings or errors that might indicate an issue with the LDAP service.
- Look for event IDs related to LDAP such as 1220, 2886, 2887, 2888, and 2889, which can give you more information about LDAP signing and binding.
Please note that making these changes can affect any applications or services that are dependent on LDAP. Ensure that you inform your stakeholders about the changes and that your applications support LDAPv3 before making these modifications.
If you have legacy applications that require LDAPv2, you will need to plan to update or replace these applications as they will not be compatible with these security settings.
Kind regards.
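As an added example (not code from either reply above) that covers the ldapsearch test steps of both the OpenLDAP and the Active Directory answers: a POSIX shell script, run from a Linux host with the OpenLDAP client tools installed, that reads `supportedLDAPVersion` from the RootDSE, then attempts an LDAPv2 bind, a clear-text LDAPv3 bind on 389 and an LDAPv3 bind over LDAPS on 636, and labels each outcome. The hostname, bind DN and password file are placeholders for your own environment.

```shell
#!/bin/sh
# Added example (not from the thread): check from a Linux host that a directory
# server, OpenLDAP or Active Directory, advertises only LDAPv3 and no longer
# accepts clear-text binds on 389, using the OpenLDAP ldapsearch client.
# HOST, BINDDN and PWFILE are placeholders for the reader's own environment.
HOST="${LDAP_HOST:-dc01.example.test}"                 # placeholder
BINDDN="${LDAP_BINDDN:-cn=probe,dc=example,dc=test}"   # placeholder account
PWFILE="${LDAP_PWFILE:-/path/to/probe.pw}"             # placeholder password file
# Reads RootDSE LDIF on stdin and prints the advertised versions, e.g. "3" or "2 3".
supported_versions() {
    sed -n 's/^supportedLDAPVersion: *//p' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Returns 0 when "2" is in the version list (LDAPv2 still advertised), else 1.
v2_advertised() {
    for v in $1; do [ "$v" = 2 ] && return 0; done
    return 1
}

# Maps the exit status of ldapsearch (it exits with the LDAP result code) to a label.
#   2 = protocolError: slapd's reply to an LDAPv2 bind when bind_v2 is not allowed
#   8 = strongerAuthRequired: AD's reply to a clear-text simple bind when
#       "LDAP server signing requirements" is set to Require signing
bind_outcome() {
    case "$1" in
        0) echo accepted ;;
        2) echo rejected-protocol-error ;;
        8) echo rejected-signing-required ;;
        *) echo "failed-rc-$1" ;;
    esac
}
# Simple bind with protocol version $1 against URI $2; returns ldapsearch's status.
try_bind() {
    ldapsearch -P "$1" -x -H "$2" -D "$BINDDN" -y "$PWFILE" -b '' -s base >/dev/null 2>&1
}

probe() {
    # RootDSE is readable anonymously, so no credentials cross the wire here.
    versions=$(ldapsearch -x -H "ldap://$HOST" -b '' -s base supportedLDAPVersion | supported_versions)
    echo "advertised LDAP versions: $versions"
    v2_advertised "$versions" && echo "WARNING: server still advertises LDAPv2"
    for attempt in "2 ldap://$HOST:389" "3 ldap://$HOST:389" "3 ldaps://$HOST:636"; do
        set -- $attempt
        rc=0; try_bind "$1" "$2" || rc=$?
        echo "LDAPv$1 bind via $2: $(bind_outcome "$rc")"
    done
}

if [ "${1-}" = "--run" ]; then probe; fi
```

Run it as `sh probe.sh --run` after exporting `LDAP_HOST`, `LDAP_BINDDN` and `LDAP_PWFILE`; a server that has dropped LDAPv2 and clear-text binds should show only the LDAPS attempt as `accepted`.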