LDAP and Firewalls


Overview

The LDAP server is rarely invoked directly by users; it is mostly called by other programs.

LDAP is a TCP-based service. Servers listen on port 389. Clients connect from ports above 1023.

Windows Active Directory uses an extra server, the global catalog server, that also speaks LDAP but uses port 3268 for unsecured access and 3269 for SSL-secured access.

The first four rows cover external clients reaching an LDAP server inside your network; the last four cover internal clients reaching an external server. "In" means a packet arriving from the outside, "Out" a packet leaving your network.

Direction  Source port  Destination port  ACK set
In         >1023        389               Not set on the first packet
Out        389          >1023             Yes
In         >1023        636               Not set on the first packet
Out        636          >1023             Yes
Out        >1023        389               Not set on the first packet
In         389          >1023             Yes
Out        >1023        636               Not set on the first packet
In         636          >1023             Yes
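
The rule table above, modelled as a small stateless packet filter. This is an added example, not code from the original page or from any firewall product: the Packet and Rule types, the "client" port specification (any port above 1023), and the build_rules() switch that leaves out the server-exposing rows by default are all assumptions made here for illustration. Besides checking the eight rows, it shows why the "ACK set: Yes" requirement matters: a packet arriving from the outside with source port 389 but without ACK cannot open a connection inward, and ports such as 3268 are not permitted at all because the table does not list them.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

LDAP_PORT = 389    # cleartext LDAP
LDAPS_PORT = 636   # LDAP over TLS (LDAPS)

# "client" stands for any port above 1023, as in the table (assumed convention).
PortSpec = Union[int, str]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arriving from the Internet, "out": leaving the internal network
    src_port: int
    dst_port: int
    ack: bool        # True when the TCP ACK flag is set


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: PortSpec
    dst: PortSpec
    ack_required: bool   # True: only reply packets (ACK set); False: the initial SYN is allowed too

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if not _port_matches(self.src, pkt.src_port):
            return False
        if not _port_matches(self.dst, pkt.dst_port):
            return False
        return pkt.ack or not self.ack_required


def _port_matches(spec: PortSpec, port: int) -> bool:
    """A spec of "client" matches any port above 1023; an int must match exactly."""
    if spec == "client":
        return port > 1023
    return spec == port


def build_rules(serve_ldap_to_internet: bool = False) -> List[Rule]:
    """Build the rule table. The rows that expose an internal LDAP server to the
    Internet are only included when explicitly requested, following the advice
    not to make internal LDAP servers Internet-accessible."""
    rules: List[Rule] = []
    for port, proto in ((LDAP_PORT, "ldap"), (LDAPS_PORT, "ldaps")):
        # Internal clients talking to external servers (last four rows).
        rules.append(Rule(f"{proto}-client-request", "out", "client", port, ack_required=False))
        rules.append(Rule(f"{proto}-client-reply", "in", port, "client", ack_required=True))
        if serve_ldap_to_internet:
            # External clients talking to an internal server (first four rows).
            rules.append(Rule(f"{proto}-server-request", "in", "client", port, ack_required=False))
            rules.append(Rule(f"{proto}-server-reply", "out", port, "client", ack_required=True))
    return rules


def first_match(pkt: Packet, rules: List[Rule]) -> Optional[str]:
    """Return the name of the first permitting rule, or None (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name
    return None


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        Packet("out", 40000, LDAP_PORT, ack=False),   # internal client opens a connection
        Packet("in", LDAP_PORT, 40000, ack=True),     # server reply to that connection
        Packet("in", LDAP_PORT, 40000, ack=False),    # inbound SYN from source port 389: denied
        Packet("in", 40000, LDAPS_PORT, ack=False),   # external client to an internal server
        Packet("in", 40000, 3268, ack=False),         # global catalog port: not in the table
    ]
    for label, rules in (("clients-only", build_rules()), ("serving-internet", build_rules(True))):
        for pkt in samples:
            print(label, pkt, "->", first_match(pkt, rules) or "DENY")
```

A real firewall would track connection state rather than inspect the ACK flag on each packet, but the table's "ACK set" column is exactly the stateless approximation of that: a packet with the server port as its source is only let through if it can be a reply to a connection the client side opened.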

Do not make internal LDAP servers accessible to the Internet. Plain LDAP servers pass information unencrypted, so snooping is possible. If you provide LDAP service to the Internet, use a dedicated LDAP server that does not contain confidential information, or a proxy that controls access to the data.

Another way to secure LDAP is to only allow VPN tunnels into your network.

There is an encrypted form of LDAP called LDAPS (port 636), which runs LDAP over SSL/TLS.

LDAP does not use embedded IP addresses and will work through a network address translation system without problems. However, LDAP servers may give out referrals, recommending that clients contact other servers, and those referrals may contain IP addresses. If you intend to place an LDAP server behind a network address translation system, you should be careful not to configure the server to make referrals that are impossible for clients to follow.
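
A check for the referral problem just described, as an added example that is not part of the original page: it parses LDAP referral URLs and flags those that clients outside a network address translation system could not follow (a private, loopback or link-local address), those that point at cleartext ldap://, and those whose port the rule table above does not permit. The URLs, the issue codes and the audit_referrals() helper are constructed for illustration; the parsing relies only on Python's standard urllib.parse and ipaddress modules. DNS names are not resolved, so a name that only resolves inside the network is not detected here.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Default ports for the two LDAP URL schemes.
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Ports the firewall rule table on this page lets through.
PERMITTED_PORTS = {389, 636}


def parse_referral(url: str) -> Tuple[str, str, int]:
    """Split an LDAP URL into (scheme, host, port), filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in LDAP_DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url}")
    if not parts.hostname:
        raise ValueError(f"referral has no host: {url}")
    port = parts.port if parts.port is not None else LDAP_DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def referral_issues(url: str) -> List[str]:
    """Return issue codes (constructed names) for one referral URL.

    nat-unreachable    host is a private/loopback/link-local address that an
                       outside client cannot reach through NAT
    cleartext          ldap:// rather than ldaps://, so the referred session
                       would also be unencrypted
    port-not-permitted port is neither 389 nor 636, so the firewall rules
                       above would block the client's follow-up connection
    """
    scheme, host, port = parse_referral(url)
    issues: List[str] = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None   # a DNS name; not resolved here
    if addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local):
        issues.append("nat-unreachable")
    if scheme == "ldap":
        issues.append("cleartext")
    if port not in PERMITTED_PORTS:
        issues.append("port-not-permitted")
    return issues


def audit_referrals(urls: List[str]) -> Dict[str, List[str]]:
    """Map each referral URL to its list of issues (empty list = fine)."""
    return {url: referral_issues(url) for url in urls}


if __name__ == "__main__":
    # Constructed referral URLs, not output of any real directory server.
    sample_referrals = [
        "ldap://10.0.0.5/dc=example,dc=com",
        "ldaps://192.168.1.20:636/ou=people,dc=example,dc=com",
        "ldap://ldap.example.com:3268/dc=example,dc=com",
        "ldaps://ldap.example.com/dc=example,dc=com",
    ]
    for url, issues in audit_referrals(sample_referrals).items():
        print(url, "->", ", ".join(issues) or "ok")
```

Run this against the referral URLs configured on a server that sits behind a NAT device (or against referrals captured from its responses to an internal test client) before exposing it; any entry marked nat-unreachable needs to be rewritten to the address or name that outside clients actually see.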