黑料海角91入口

LDAP vs. LDAPS: Securing Auth to Legacy Apps

Written by David Worthington on June 8, 2021

Share This Article


Contents


Updated on July 8, 2024

Legacy application configurations may still use clear-text LDAP for some directory binds in a local environment, which was relatively harmless within the fortified LANs of yesteryear. Modern security baselines require encryption of all user credentials in transit to protect against password sniffing and other forms of credential theft. Today, LDAP authentications are more often crossing the public internet within remote and hybrid environments. That requires adding the appropriate security controls.

You may have heard that you need to configure legacy third-party apps to use Secure LDAP instead of clear-text LDAP. LDAPS (LDAP over SSL) and STARTTLS (LDAP over TLS) are both secure versions of LDAP that encrypt the authentication process. (Note that 鈥淟DAPS鈥 is often used to denote LDAP over SSL, STARTTLS, and a Secure LDAP implementation.) 

Switching from LDAP to LDAPS involves taking a close look at your directory service events log, manually identifying and switching the ports that legacy apps are using to bind to the directory, extracting CA (certificate authority) certificates to create the secure bind, and continued monitoring. The process can be cumbersome and time-consuming, but it鈥檚 doable 鈥 and, now more than ever, mandatory. 

Let鈥檚 take a closer look at the LDAP protocol, what makes LDAPS and STARTTLS secure, and how to implement a secure authentication process for legacy applications.

What Is LDAP? Essential Background   

LDAP (Lightweight Directory Access Protocol) is sometimes used as a synonym or shorthand for Microsoft Active Directory (AD). However, while much of AD鈥檚 functionality is built on LDAP, they鈥檙e not one and the same. AD leverages a proprietary version of Kerberos more often than LDAP to authenticate user access. LDAP is one of the protocols that many on-prem apps and other resources use to authenticate users against a core directory like AD or OpenLDAP.

Note:

Here鈥檚 a more in-depth look at how LDAP works. If you want to hear more about the protocol straight from its co-creator, check out our interview with Tim Howes:

What鈥檚 the Difference Between LDAP and LDAPS? 

LDAPS is an extension of the standard LDAP protocol. It uses TLS or SSL to encrypt LDAP packets, ensuring that data cannot be intercepted by third parties while in transit. It鈥檚 a significant improvement because credentials could be intercepted or a server response could be modified if it鈥檚 left unencrypted. 

What Are SSL and TLS?

SSL and TLS are cryptographic protocols that use certificates to establish a secure connection between client and server before any data (in this case, LDAP) is exchanged. TLS is an improved version of SSL, making STARTTLS more secure and recommended over both LDAP and LDAPS where possible.

TLS provides better security, stronger encryption, and improved negotiation mechanisms compared to SSL. That鈥檚 mainly because TLS uses stronger cryptographic algorithms for encryption and authentication and makes it difficult to decrypt session data.

Secure LDAP is replacing LDAP as the accepted standard directory protocol due to the rise in security risks and increasing need for in-transit encryption. The following describes how IT administrators can implement this change.

How Is LDAPS Implemented?

LDAP and Secure LDAP are typically enabled at the root level, making Secure LDAP available to all directory binds. It鈥檚 easier to set up using cloud-hosted LDAP environments, because it鈥檚 made available in the LDAP platform. AD, on the other hand, requires that you on the domain controller or global catalog.聽

It鈥檚 important to understand that AD doesn鈥檛 automatically force LDAPS unless you set it to do so; requiring LDAPS binds immediately could break binds with resources that still use plain-text LDAP. In either case, you can update legacy binds by combing through your bound resources to find and change LDAP binds to Secure LDAP.

Note:

Insecure LDAP binds pose a significant problem in AD due to security risks like exposing domain admin account credentials in cleartext, data exfiltration/manipulation, or privilege elevation. Microsoft recommends subscribing to its security services to protect identities if your organization is using AD, which it deems a legacy product.

When binding with LDAPS, many applications require you to upload a Peer Certificate Authority; and , a cloud-hosted LDAP service.聽

黑料海角91入口

黑料海角91入口 Cloud LDAP

Upgrading Windows Server or OpenLDAP? Try 黑料海角91入口 to securely manage LDAP in the modern era of IT

It鈥檚 important to understand auditing. You can find and fix unsecured binds individually by combing through your directory service event log 鈥 any application using a port other than 636 and 3269 should be investigated. In AD, most of the culprits will show connections via port 2889. For OpenLDAP, the port is often 389.聽

Note:

Datacenter management consultant Kurt Roggen lays out of this process on his blog.

Which Port Does LDAPS Use by Default?

LDAPS uses port 636 by default. Communication over this port is encrypted for data security. LDAPS requires properly configured SSL/TLS certificates on the server to establish a secure connection. In contrast, port 389 is used for unencrypted LDAP or LDAP with STARTTLS, which upgrades the connection to use TLS. 

The choice between these ports depends on security requirements and server/client configurations.

Do I Still Need LDAP/LDAPS? 

Given some of the workarounds necessary in order to use LDAP securely, you might be wondering whether the protocol still has a place in the modern IT landscape. The short answer is that it does: Although the transfer of workloads to the cloud has led to the rise of other authentication protocols, many hardware and software solutions on-prem and at data centers still use LDAP. Tim Howes summed it up well at the :

鈥淵ou look at the world moving more and more to the cloud, but there鈥檚 still a world left behind in your local environment 鈥 you鈥檝e got devices, you鈥檝e got printers, you鈥檝e got everything. People also need to be authenticated in these different contexts.鈥

So the question becomes less 鈥淒o I still need LDAP,鈥 and more 鈥淚s there a better way to securely manage LDAP in the modern era of IT?鈥

A Modern Approach to LDAP & LDAPS

If you go through the evaluation process above and discover more than a handful of unsecured LDAP connections, this is likely a sign that your directory and applications need an update. Before you commit to the cost of upgrading your Windows Server or OpenLDAP and any associated hardware, you may want to consider a more modern and comprehensive solution for LDAP management.

What if, instead of doubling down on AD or on-prem OpenLDAP, you could migrate your users and systems to an entirely new directory hosted in the cloud? Your new directory could securely manage both authorization and authentication for a wide variety of resources in the cloud and on-prem, with Secure LDAP functionality included and all data in transit automatically encrypted. Learn more about 黑料海角91入口鈥檚 cloud LDAP management.

David Worthington

I'm the 黑料海角91入口 Champion for Product, Security. 黑料海角91入口 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.

Continue Learning with our Newsletter