LDAP Authentication And Security

By Keren Pollack, on April 12th, 2021

Lightweight Directory Access Process (LDAP) is a user authentication process developed for directory services. This protocol is usually used by applications for searching resource information such as users and different system components. LDAP identifies a client’s properties with servers such as Active Directory, OpenLDAP, and Open DJ. It was first introduced in 1993 and since 1997 LDAP 3^rd version is the Internet standard for directory services.

In the common scenario, the client is a system or application requesting information access from a database in an LDAP server. The LDAP database can store not only usernames and passwords but other attributes such as an address, phone number, and other core user identities.

This blog post will cover:

what is LDAP authentication?
what is LDAP channel binding?
what is LDAP signing?
how to enable LDAP signing?
LDAP signing and channel binding requirements.
How to configure LDAP for max security.

What is LDAP authentication (LDAP simple bind)?

A good example to understand LDAP authentication is when an employee wants to connect the organizational network. Since most operations, in this case, will be when the employee is logging in the network, the most frequently used function will be ‘read’. The LDAP protocol is designed to handle an enormous amount of read operations.

There are two main components in the LDAP authentication mechanism:

LDAP Directory Server Setup – where the employee profile details are stored (username and password in this case).
LDAP client – the employee’s computer. It should have an LDAP client option setup. If the employee is going to authenticate through a web application, then the server hosting the application must be configured with an LDAP client.

LDAP authentication process has two stages:

Identifying the user’s directory attribute – The user entry is identified by its distinguished name (DN), which is the path to its details. In the first stage of the authentication, the user must obtain its DN and password. The user name usually requested in the login form is used to find the user’s DN. A function called DN Resolution takes the user name (or email in some cases) and runs a search to find all the user entries to find his DN. Once the correct user DN is resolved, the next step is to validate the user’s password.
Password validation – The user’s password is checked by a command called ‘bind’. The LDAP directory server receives a request to authenticate the user bypassing its DN and password. If the credentials are correct, the directory server returns success, and the connection is established.

What is LDAP channel binding?

When talking about channel binding it is usually referred to as binding the transport layer to the application layer.

LDAP channel binding is a method developed to increase security in communication with Active Directory (AD). LDAP channel binding lowers the chances for replay and man-in-the-middle attacks. The binding is between the LDAP application layer and the TLS tunnel. Binding these two will create a unique LDAP communication fingerprint. This unique fingerprint is important for security since any interference to the communication will affect the fingerprint and can be detected.

Unsigned LDAP Channel Binding Attacks- How to Mitigate Without Breaking Production:

Using LdapEnforceChannelBinding for LDAP TLS channel binding:

The first step in the process is to install the security update – CVE-2017-8563. Then, create the LdapEnforceChannelBindings registry entry. Note – Modifying the registry incorrectly will cause severe damage. Make sure you know what you’re doing before modifying it and consider backing up the registry before for extra precaution. These are the paths for changing the registry settings:

For Active Directory Domain Services:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

For Active Directory Lightweight Directory servers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters

DWORD: LdapEnforceChannelBinding

DWORD value 0 = channel binding is disabled.

DWORD value 1 = channel binding is enabled, but clients using Windows that have not been updated to support channel binding, do not have to do so.

DWORD value 2 = channel binding is always enabled. All clients must support channel binding.

What is LDAP signing?

LDAP signing is also a way to increase LDAP security. The signing process refers to a digital signing of the LDAP traffic that is done by the traffic source (client). LDAP signing blocks attackers from altering the LDAP traffic during transit (like in Reply and Man-in-the-Middle attacks). Using LDAP signing guarantees information integrity and enables verification of the source of the information. You must configure both the Domain Controllers and clients to enable LDAP signing for it to work.

Domain Controller: LDAP Server Signing Requirements

How to Enable LDAP Signing:

For enabling LDAP signing in the server and the client you can either use Group Policy Object (GPO) or a registry key.

How to set a server LDAP signing GPO:

Go to ‘Default Domain Controller Policy’ > ‘Computer Configuration’ > ‘Policies’ > ‘Windows Settings’ > ‘Security Settings’ > ‘Local Policies’, and then select ‘Security Options’.
Right-click ‘Domain controller: LDAP server signing requirements’, and select Properties.
Enable ‘Define this policy setting’, select ‘Require signing’ in the ‘Define this policy setting list’, and then select OK.

How to set LDAP Singing at a client’s local computer policy:

Go to ‘Local Computer Policy’ > ‘Computer Configuration’ > ‘Policies’ > ‘Windows Settings’ > ‘Security Settings’ > ‘Local Policies’ and select ‘Security Options’.

Right-click ‘Network security: LDAP client signing requirements’ and select ‘Properties’.
In the dialog box, select ‘Require signing’ in the list, and then select OK.

How to set a server LDAP signing using a registry key:

Note! We recommend backing up your registry before pushing any changes, as mistakes can have devastating results.

You need to create an LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<InstanceName>\Parameters

*instance name= the name of the AD LDS you want to configure.

LDAP Signing and LDAP Channel binding requirements:

At the end of 2019, Microsoft released a note saying that from March 2020, enabling LDAP signing and channel binding will be a part of LDAP policy. The goal for this move was to increase LDAP communication security, but the chances for organizations to completely comply with this update were low. Therefore, Microsoft decided to postpone the update (and never set a new date for the update):

“Important The March 10, 2020, and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.”

How to configure domain controller for max LDAP security:

To improve the security of your directory server you can implement several configuration rules. These rules are best practices, and recommended also by the Center for Internet Security (CIS):

Ensure ‘LDAP server signing requirements’ is set to ‘Require signing’. – This policy setting will make clients use data signing.
Ensure ‘Extended Protection for LDAP Authentication (Domain Controllers only)’ is set to ‘Enabled: Enabled (recommended: always) – this setting controls LDAP authentication over SSL/TLS.
Ensure ‘Network security: LDAP client signing requirements’ is set to ‘Negotiate signing’ or higher – this policy sets the level of signing requested by the client who issues LDAP request.

Changing configurations as part of server hardening is critical for security but may cause severe damage. We strongly recommend using automation to prevent any possible outages in your production. The alternative for automation is using manual tools (GPO for example), testing the impact of the change in a lab environment, and hoping you covered all possible scenarios. By using automation in hardening, you will not be needing to test. You will get a full impact report to help you make the best decision for both security and operations. To find out more about hardening automation, continue your reading here.

Facebook

Twitter

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

LDAP Authentication and Security – Signing, Binding and Configuration

This blog post will cover:

What is LDAP authentication (LDAP simple bind)?

What is LDAP channel binding?

Using LdapEnforceChannelBinding for LDAP TLS channel binding:

What is LDAP signing?

How to Enable LDAP Signing:

How to set a server LDAP signing GPO:

How to set LDAP Singing at a client’s local computer policy:

How to set a server LDAP signing using a registry key:

LDAP Signing and LDAP Channel binding requirements:

How to configure domain controller for max LDAP security:

HQ

US OFFICE

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 8 months 26 days 14 hours	No description
drift_campaign_refresh	30 minutes	No description
fpestid	1 year	No description
st_samesite	session	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Learn how our tools can help you with hardening

LDAP Authentication and Security – Signing, Binding and Configuration

This blog post will cover:

What is LDAP authentication (LDAP simple bind)?

What is LDAP channel binding?

Using LdapEnforceChannelBinding for LDAP TLS channel binding:

What is LDAP signing?

How to Enable LDAP Signing:

How to set a server LDAP signing GPO:

How to set LDAP Singing at a client’s local computer policy:

How to set a server LDAP signing using a registry key:

LDAP Signing and LDAP Channel binding requirements:

How to configure domain controller for max LDAP security: