LDAP (Lightweight Directory Access Protocol)
LDAP is an open, vendor-neutral application protocol (LDAPv3 is specified in RFC 4510 and its companion RFCs) for reading and maintaining distributed directory information services over IP networks. Enterprises rely on it for user authentication, authorization lookups, and address-book style queries.
Active Directory, OpenLDAP, and other directory services expose their data over LDAP, which clients use to query and modify user accounts, groups, organizational units, and other directory objects. The directory is a tree of entries, each identified by a distinguished name (DN) and holding a set of attributes; the protocol supports bind (authentication), search, compare, add, delete, modify, and modify-DN operations. LDAP is therefore fundamental to centralized identity management in enterprise environments.
From a security perspective, LDAP presents several risks. LDAP injection occurs when user-supplied input is concatenated into a search filter or a DN without escaping: the filter metacharacters '*', '(', ')', '\' and NUL let an attacker change the logic of the query, for example by turning a login check into one that always succeeds, by enumerating every entry with a wildcard, or by reading attributes the application never meant to expose. Anonymous binds, where permitted, allow unauthenticated clients to enumerate users, groups, and attributes, which is exactly the reconnaissance needed for password spraying and privilege-escalation path mapping. A simple bind over unencrypted LDAP (TCP 389 without StartTLS) sends the password in cleartext and returns results in cleartext; a SASL mechanism such as GSSAPI protects the credential itself, but the session data is still exposed unless a security layer or TLS is negotiated.
Securing LDAP involves enforcing LDAPS (LDAP over TLS, conventionally TCP 636) or StartTLS on 389 so that every bind and search is encrypted, disabling anonymous binds, escaping user input according to RFC 4515 (search filters) and RFC 4514 (DNs) rather than merely filtering it, authenticating users by binding as them instead of comparing passwords inside a search filter, giving applications dedicated service accounts with the minimum read or write rights they need, enabling audit logging of bind and modify operations, and regularly reviewing the access control lists on directory objects. On Active Directory, requiring LDAP signing stops NTLM relay to LDAP, and requiring channel binding (Extended Protection for Authentication) stops relay to LDAPS, closing the common relay and man-in-the-middle paths against the directory itself.