Monday, June 15, 2020

LDAP Binds and LDAPS

Bind operations are used to authenticate clients to the Domain Controller, to establish an authorization identity that will be used for subsequent operations processed on that connection, and to specify the LDAP protocol version that the client will use.

This LDAP authentication process supports three types:

  1. Simple bind
  2. Simple Authentication and Security Layer (SASL) bind
  3. Sicily bind


Simple Bind

With a LDAP Simple Bind, the credentials of a user, that are used to bind the LDAP client to the Domain Controller are unencrypted.

SASL

SASL is the term for a framework of mechanisms that allow for secured authentication to take place over an unencrypted or encrypted communications channel. In this case Kerberos V5 is used for authentication. Most Microsoft Consoles using SASL to authenticate.

Sicily authentication

Active Directory also supports this authentication approach during LDAP binds and is intended for compatibility with legacy systems and will result in NTLM being used as underlying authentication protocol.


So let´s clarify what´s LDAPS about... 

LDAPS

It's a mechanism that uses TLS to secure communication between LDAP clients and Domain Controllers to avoid insecure simple bind or securing auth for clients that are not supporting SASL.

The following scenarios are possible:

LDAPS over port 636 (DC) or port 3269 (GC) where the connection is immediately secured by the certificate. SSL/TLS is negotiated before any LDAP traffic happens.

LDAP using StartTLS over port 389 (DC) or 3268 (GC) where the StartTLS operation is used to establish secure communications. It requires the LDAP client to support StartTLS operation.


No comments:

Post a Comment