Forum Discussion
LDAP 389 - Can we disable it
Hi,
I would like to find out more about LDAP.
1. Can we disable LDAP 389 and fully replace it with LDAPS 636?
2. I know that LDAP sends out data in clear text. Does this include the password, or will the password be represented by a hex value?
Thanks.
8 Replies
Yes, you can disable LDAP on port 389 and fully replace it with LDAPS on port 636. LDAPS is the secure version of LDAP that uses SSL/TLS encryption to protect communications between the client and server. To make this replacement, you'll need to configure and enable SSL/TLS support on the LDAP server and update the LDAP client settings to connect to the server using LDAPS on port 636. Please note that after disabling LDAP on port 389, clients still using that configuration won't be able to connect to the LDAP server until their settings are updated.
When LDAP is used without encryption (on port 389), the information is transmitted in plaintext, which means that someone intercepting the network traffic can read the data, including passwords. Passwords are not necessarily represented as hexadecimal values but as plain text strings. This makes the LDAP protocol vulnerable to "sniffing" or eavesdropping attacks, especially when transmitting passwords and sensitive information. By using LDAPS (on port 636) or StartTLS, you add an SSL/TLS encryption layer, protecting the transmitted information from being intercepted and read by third parties.
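To make the second point concrete, here is an added example (written for this thread, not taken from any LDAP library or from the reply above) that builds an LDAPv3 simple BindRequest byte for byte as it is sent on port 389, then decodes it the way a packet sniffer would. The bind DN and password are constructed values. Its point: the password is an OCTET STRING carried verbatim; the hex you see in a capture tool is only how the bytes are displayed.

```python
"""Build an LDAPv3 simple BindRequest byte-for-byte as it crosses the wire on
port 389 (RFC 4511 BER encoding) and decode it the way a packet sniffer would.
Added example for this thread; the DN and password are constructed values."""


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|count + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    bind_request = tlv(
        0x60,                              # [APPLICATION 0] BindRequest, constructed
        ber_int(3)                         # version: 3
        + tlv(0x04, bind_dn.encode())      # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode()),    # authentication: simple [0] OCTET STRING
    )
    return tlv(0x30, ber_int(message_id) + bind_request)   # outer SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet: bytes) -> dict:
    """Recover message ID, version, DN and password from the raw bytes."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(message, 0)
    tag, bind, _ = _read_tlv(message, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (a SASL bind carries tag 0xA3)")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "bind_dn": name.decode(),
        "password": cred.decode(),
    }


def password_on_wire(packet: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the packet: hex in a
    capture tool is only a display of those bytes, not an encoding of them."""
    return password.encode() in packet


if __name__ == "__main__":
    pkt = simple_bind_request(1, "cn=admin,dc=example,dc=com", "S3cret!")
    print(pkt.hex())
    print(parse_simple_bind(pkt))
```

The same bytes are what LDAPS (`ldaps://host:636`) or StartTLS (`ldapsearch -ZZ ...`) wrap inside TLS; nothing about the LDAP message itself changes, which is why an unencrypted simple bind is a credential leak rather than an obfuscated one.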
- aditya333 (Copper Contributor): Is it possible to deactivate LDAPv2 completely on the server side and only allow LDAPv3?
- Hi aditya333
Certainly, here are more detailed steps for disabling LDAPv2 and enabling LDAPv3 on the server side, using the example of OpenLDAP, which is a popular open-source LDAP server software. Please adapt these steps to your specific LDAP server software as needed:
Note: Always make sure to backup your LDAP server configuration files before making any changes to them, and thoroughly test changes in a non-production environment before applying them to a production system.
1. Identify OpenLDAP Configuration Files
- OpenLDAP typically uses a configuration file named `slapd.conf` or `slapd.conf.d` (for newer versions).
- The location of the configuration file can vary depending on your system and how OpenLDAP was installed.
2. Edit the Configuration File
- Use a text editor to open the `slapd.conf` or relevant configuration file for your OpenLDAP installation.
3. Locate Protocol Configuration
- Inside the configuration file, locate the section that deals with protocol configuration. This section may be named something like `# Global Directives` or `# LDAP Backend Configuration`.
4. Disable LDAPv2
- To disable LDAPv2, you can add or modify the following directive:
allow bind_v2 false
5. Enable LDAPv3
- By default, LDAPv3 is typically enabled in OpenLDAP. However, you can ensure that it's enabled by verifying that there are no directives explicitly disabling it.
6. Save the Configuration File
- Save your changes to the configuration file.
7. Restart OpenLDAP
- Restart the OpenLDAP server to apply the new configuration. The command to do this depends on your operating system but might look something like:
systemctl restart slapd
8. Test LDAPv3
- To verify that LDAPv2 has been disabled and LDAPv3 is active, you can use an LDAP client that supports LDAPv3.
- Attempt to connect to the LDAP server using LDAPv2. The server should either reject the connection or negotiate the use of LDAPv3.
- You can use command-line tools like `ldapsearch` to test the connection.
9. Monitor Logs and Access
- Continuously monitor the server logs for any unexpected behavior.
- Ensure that all LDAP client applications are configured to use LDAPv3 as well.
10. Documentation and Support
- Refer to the official OpenLDAP documentation for more details on configuration options and troubleshooting.
- Join the OpenLDAP community or forums for support and guidance from experienced users.
Please note that the steps and configuration file locations can vary based on your specific OpenLDAP version and the operating system you're using. Always refer to the documentation for your LDAP server software for the most accurate and up-to-date information on configuration options.
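As an added example for the procedure above (written for this thread, not from the OpenLDAP project), here is a small audit of a `slapd.conf` for LDAPv2 bind acceptance. It relies on one documented fact from slapd.conf(5): the global `allow` directive lists optional features, and LDAPv2 binds are accepted only when that list contains `bind_v2` (the default allows none), so "disabling LDAPv2" means making sure no `allow` line carries that token. The sample configuration is constructed and follows slapd.conf's rule that a line beginning with whitespace continues the previous line; the cn=config equivalent is the `olcAllows` attribute.

```python
"""Audit an OpenLDAP slapd.conf for LDAPv2 bind acceptance and rewrite it
without `bind_v2`. Added example for this thread, not OpenLDAP project code.
Relies on slapd.conf(5): `allow <features>` (default none) is the only place
bind_v2 can be switched on; a line starting with white space continues the
previous line; lines starting with '#' are comments."""

# Constructed sample (not a real server's file): v2 binds are switched on
# across a continuation line, which a naive grep for "allow bind_v2" misses.
SAMPLE_SLAPD_CONF = """\
# constructed sample configuration
include         /etc/ldap/schema/core.schema
pidfile         /var/run/slapd/slapd.pid
allow           bind_anon_cred
                bind_v2
# disallow       bind_anon
database        mdb
suffix          "dc=example,dc=com"
"""


def logical_lines(text: str):
    """Yield directives with continuation lines joined and comments dropped."""
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current += " " + stripped
        else:
            if current is not None:
                yield current
            current = stripped
    if current is not None:
        yield current


def allowed_features(text: str) -> set:
    """Union of every feature named on any `allow` directive."""
    features = set()
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0].lower() == "allow":
            features.update(t.lower() for t in tokens[1:])
    return features


def ldapv2_binds_allowed(text: str) -> bool:
    return "bind_v2" in allowed_features(text)


def disable_ldapv2(text: str) -> str:
    """Return the config with bind_v2 removed from every `allow` directive.
    Each `allow` directive is re-emitted as a single line; a directive left
    with no features is dropped, since a bare `allow` is not valid."""
    out = []
    pending = []          # tokens of the `allow` directive being assembled

    def flush():
        features = [t for t in pending[1:] if t.lower() != "bind_v2"]
        if pending and features:
            out.append("allow\t" + " ".join(features))
        pending.clear()

    for raw in text.splitlines():
        stripped = raw.strip()
        continuation = raw[:1] in (" ", "\t") and stripped and not stripped.startswith("#")
        if pending and continuation:
            pending.extend(stripped.split())
            continue
        flush()
        if stripped and not stripped.startswith("#") and stripped.split()[0].lower() == "allow":
            pending.extend(stripped.split())
        else:
            out.append(raw)
    flush()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("bind_v2 allowed:", ldapv2_binds_allowed(SAMPLE_SLAPD_CONF))
    print(disable_ldapv2(SAMPLE_SLAPD_CONF))
```

After restarting slapd with the rewritten file, the live check from step 8 is `ldapsearch -x -P 2 -H ldap://server -b "" -s base`: with `bind_v2` absent the server refuses the v2 bind with a protocolError, while the same command with `-P 3` succeeds.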
- EliOfek (Microsoft)
Gan_Seng_Kwang
The MDI sensor can support using LDAPS instead of LDAP. It requires a support call to change it in the backend.
Keep in mind that you need ports 636 and 3269 opened.
Also, this will affect ALL your sensors in the workspace; you can't set it partially, it's all or nothing.
Failing to have the ports open will cause sensor startup failures in the worst-case scenario, and partial detection in the best case.
- thalpius (Brass Contributor)
I don't think you can disable LDAP, but what you can do is force your application to use LDAPS.
Yes, LDAP is a plaintext protocol and hexadecimal is just a representation of bits. It has nothing to do with "encryption, obfuscation" etc. so it's still "plaintext". You can take a look at LDAP over TLS though.