Is it secure to be using LDAP, or is LDAPS the only secure option?

  • I am currently using an LDAP setup. I am wondering if it is secure from Man-in-the-middle attacks or other vulnerabilities?

  • Tom Leek (correct answer), 7 years ago

    LDAP, by itself, is not secure against active or passive attackers:

    • Data travels "as is", without encryption, so it can be spied upon by passive attackers.
    • Active attackers can manipulate the stream and inject their own requests or modify the responses to yours.

    At best, basic LDAP may rely on some authentication mechanism (through SASL) which is not trivially broken by an attacker: if the authentication is of the "show the password" type, then a passive eavesdropper can learn the password and then connect to the server with your identity; slightly more advanced protocols, like CRAM-MD5, avoid that specific problem, but will still do nothing against attackers hijacking your connections or spying on your actual requests and responses.

    So, really, if you value your security, then use SSL (i.e. "LDAPS"). In many respects, this is just like HTTP vs HTTPS.

    As a side note, the Active Directory protocol from Microsoft, which builds up on LDAP, optionally offers a "sign & encrypt" feature, which appears to be some sort of cryptographic protocol embedded within LDAP (i.e. like LDAPS, but in reverse order), which might ensure enough security. I have not seen any decently detailed specification for that protocol, though, so I still recommend LDAPS in that case.

