Lightweight Directory Access Protocol
- Communication mechanisms for "directory information services"
- Lightweight alternative to the X.500 Directory Access Protocol (DAP)
- Registration capabilities
- Defined in RFC 4511
- Centralized AAA (authentication, authorization, accounting) as well as directory services
- If we are using OpenLDAP, LDAP is the protocol used to talk to that particular server
- TCP 389 is the regular default port
- Traffic from the client to Active Directory passes over TCP 389
LDAPv3 Authentication
- Simple vs. Simple Authentication and Security Layer (SASL)
- SSL was proprietary and was later standardized as TLS (Transport Layer Security), which is what we use today
- X.509v3 certificates
- Simple has three authentication mechanisms
- Anonymous
- Unauthenticated
- Authenticated
- SASL is extensible!
- SASL is a framework that handles the authentication data moving from a client to a server
- Authentication framework
- Modular system
- Can work with different types of authentication
- Different hashing algorithms, e.g. SHA-256
- Key space doubles every time we add a bit
- Active Directory is a Service, LDAP is a protocol
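To make the "simple vs. SASL" and "anonymous / unauthenticated / authenticated" distinctions concrete, here is an added example (not part of these notes) that encodes a BindRequest exactly as RFC 4511 lays it out in BER, decodes it again, and classifies a simple bind with the RFC 4513 rules. The DNs, passwords and SASL mechanism name are constructed sample values; nothing is sent to a server.

```python
"""LDAPv3 BindRequest on the wire: simple vs SASL (RFC 4511 section 4.2).

Added example, not taken from the notes above. It encodes and decodes the
BER structure of a BindRequest with the standard library only and classifies
a simple bind as anonymous, unauthenticated or authenticated following the
RFC 4513 rules. DNs, passwords and SASL mechanism names are constructed
sample values; nothing is sent to a server.
"""

# BER tags used by an LDAPMessage that carries a BindRequest
SEQUENCE = 0x30       # universal SEQUENCE, constructed
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # [0] OCTET STRING, primitive
AUTH_SASL = 0xA3      # [3] SaslCredentials SEQUENCE, constructed


def _ber_length(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def _integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER (message IDs, protocol version)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return _tlv(INTEGER, n.to_bytes(size, "big", signed=True))


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    op = _integer(3) + _tlv(OCTET_STRING, name.encode()) + _tlv(AUTH_SIMPLE, password.encode())
    return _tlv(SEQUENCE, _integer(message_id) + _tlv(BIND_REQUEST, op))


def encode_sasl_bind(message_id: int, name: str, mechanism: str, credentials: bytes = b"") -> bytes:
    """Same frame, but the choice is SaslCredentials { mechanism, credentials }.

    The mechanism is only a registered name ("DIGEST-MD5", "GSSAPI", ...);
    that is what makes SASL extensible: adding a mechanism does not change
    the protocol frame."""
    sasl = _tlv(OCTET_STRING, mechanism.encode())
    if credentials:
        sasl += _tlv(OCTET_STRING, credentials)
    op = _integer(3) + _tlv(OCTET_STRING, name.encode()) + _tlv(AUTH_SASL, sasl)
    return _tlv(SEQUENCE, _integer(message_id) + _tlv(BIND_REQUEST, op))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def classify_simple(name: bytes, password: bytes) -> str:
    """RFC 4513 section 5.1: the three simple bind mechanisms."""
    if not name and not password:
        return "anonymous"
    if name and not password:
        return "unauthenticated"          # servers SHOULD reject this by default
    return "authenticated"


def inspect_bind(raw: bytes) -> dict:
    """Decode one LDAPMessage and describe the BindRequest it carries."""
    tag, msg, _ = _read_tlv(raw, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(version, "big", signed=True),
            "name": name.decode()}
    if auth_tag == AUTH_SIMPLE:
        # A simple bind carries the password as plain octets: on TCP 389 without
        # TLS anyone who can capture the segment can read it. Report only its size.
        info.update(choice="simple", mechanism=classify_simple(name, auth),
                    credential_bytes=len(auth))
    elif auth_tag == AUTH_SASL:
        _, mech, pos = _read_tlv(auth, 0)
        creds = _read_tlv(auth, pos)[1] if pos < len(auth) else b""
        # Whether SASL credentials are readable depends on the mechanism chosen.
        info.update(choice="sasl", mechanism=mech.decode(), credential_bytes=len(creds))
    else:
        raise ValueError(f"unknown AuthenticationChoice tag {auth_tag:#x}")
    return info


if __name__ == "__main__":
    for raw in (encode_simple_bind(1, "", ""),
                encode_simple_bind(2, "cn=admin,dc=example,dc=com", ""),
                encode_simple_bind(3, "cn=admin,dc=example,dc=com", "s3cret"),
                encode_sasl_bind(4, "", "DIGEST-MD5")):
        print(raw.hex(), inspect_bind(raw))
```

Running it prints the raw hex of each message next to its decoded form; the anonymous bind is only 14 bytes (`300c020101600702010304008000`), and the simple-bind password is visible byte for byte in the authenticated case, which is the reason plain LDAP on TCP 389 is considered sniffable.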
Secure LDAP
- Plain LDAP can be sniffed
- TLS/SSL requires a PKI (Public Key Infrastructure) to be configured
- The server sends a certificate request to the CA: "can you issue me a formal X.509v3 certificate?"
- To use TLS/SSL the server needs to hold a digital certificate
- Server-side authentication
- Once the server is authenticated, the session can be used to encrypt the traffic
- All LDAP traffic is then secured inside the TLS channel
- The CA server acts as the trusted root certificate authority
- The client says: yes, I can verify the authenticity of that server
- The client authenticates with a traditional username and password; the server authenticates with a certificate
- Mutual authentication happens on every connection
- TCP 636
- TCP 3269 for the global catalog server
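The client side of the picture above, as an added example that is not part of these notes: it builds the TLS context an LDAPS client should use (server certificate verified up to a trusted root CA, hostname checked, TLS 1.2 or newer), contrasts it with a weak context, and assesses a port/context pairing. Standard library only; the CA file path is a placeholder, port 3268 (the plain global catalog port) is added from the standard Active Directory port assignments, and no connection is opened.

```python
"""Client-side TLS for LDAPS (TCP 636) and the global catalog over TLS (TCP 3269).

Added example, not from the notes above; standard library only. The CA file
path is a placeholder and no connection is made.
"""
import ssl

# port -> (service name, whether the transport is expected to be TLS)
LDAP_PORTS = {
    389: ("ldap", False),      # plain LDAP: binds and directory data readable on the wire
    636: ("ldaps", True),      # LDAP inside a TLS channel
    3268: ("gc", False),       # global catalog, plain (not in the notes; standard AD port)
    3269: ("gc-ssl", True),    # global catalog inside a TLS channel
}
CA_FILE = "/etc/ssl/certs/enterprise-root-ca.pem"   # placeholder path to the trusted root CA


def build_ldaps_context(ca_file=None) -> ssl.SSLContext:
    """Context that authenticates the server: the directory must present an
    X.509v3 certificate chaining to a CA in ca_file (or the system store).
    create_default_context already sets verify_mode=CERT_REQUIRED and
    check_hostname=True; only the minimum protocol version is tightened."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSL 3.0 / TLS 1.0 / TLS 1.1
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """What a 'just make the certificate error go away' client ends up with:
    the channel is encrypted, but nothing proves who is on the other end."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def assess_client(port: int, ctx) -> dict:
    """Explain what a client configured with this port and context gets."""
    service, tls = LDAP_PORTS.get(port, ("unknown", False))
    findings = []
    if not tls:
        findings.append("plain LDAP port: simple binds and directory data can be sniffed")
    if tls and ctx is None:
        findings.append("TLS port but no TLS context: the connection cannot be established")
    if ctx is not None:
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("server certificate not verified: any host can impersonate the directory")
        if not ctx.check_hostname:
            findings.append("hostname not matched against the certificate")
        if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
            findings.append("legacy SSL/TLS versions allowed")
    return {"service": service, "tls": tls, "ok": not findings, "findings": findings}


if __name__ == "__main__":
    good, weak = build_ldaps_context(), build_weak_context()
    for port, ctx in ((389, None), (636, good), (3269, good), (636, weak)):
        print(port, assess_client(port, ctx))
```

The point of `assess_client` is the asymmetry described in the notes: the client proves itself with a username and password inside the channel, so the only thing that proves the server's identity is the certificate check. A context with `CERT_NONE` still encrypts, but it drops the "I can verify the authenticity of that server" step entirely.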