Lightweight Directory Access Protocol - LDAP

Designing a practical application takes effort on many fronts, and securing the communication between the application and its clients is one of them. Anyone involved in API development or API security should be familiar with LDAP, an open, vendor-neutral protocol standardised by the IETF (LDAPv3 is defined in RFC 4511). This post explains what it is and what it can do.

Learning Objectives

What is the LDAP protocol and what is it used for?

LDAP is a widely used Internet protocol for querying user and other directory information. Not acquainted with it, or missing the technical background? No problem. This page covers the protocol in detail.

About the Protocol 

LDAP stands for Lightweight Directory Access Protocol. It is a lighter-weight alternative to the X.500 Directory Access Protocol (DAP), running directly over TCP/IP rather than the full OSI stack. It is well known in the development industry because it lets applications read and update directory data (users, groups, devices and their attributes) and authenticate users against that data.

Because it is an open standard, thousands of applications support it. Its implementation scope is wide: it runs over public and private networks, and most directory services speak it.

This breadth of support is why the industry treats LDAP as the default means of directory lookup, modification and authentication.

The most widely deployed LDAP servers are OpenLDAP and Microsoft Active Directory (AD).

One can appreciate LDAP's worth from the amount of data administrators must handle in routine but critical workflows. Every day, employees rely on data such as user names, passwords, email addresses, Wi-Fi credentials and more to do their jobs.

To make all this information easy to reach, the organisation stores common-use data in a directory. But how do employees, and the applications they use, talk to the directory?

This is where LDAP comes into play. With this protocol, applications look up the required information in the directory and use it to authenticate the user's identity, often as part of an SSO setup. Once permission is granted, the user receives the requested data.

How does it work?

Functionally, LDAP defines how a client and a directory server (AD, OpenLDAP or another) exchange requests and responses, including how the data in them is formatted.

To make this happen, the client opens a TCP connection to the server (port 389, or 636 for LDAPS) and binds, that is, authenticates, as a particular identity. When an access request arrives from the client, the LDAP server decodes it (messages are encoded in ASN.1 BER) and hands it to the directory back end.

The back end processes the request and the server returns the corresponding response to the client. When the client is finished it sends an unbind, which closes the session and releases the resources tied to it.

LDAP is also used by SSSD, the System Security Services Daemon, Linux software that gives the local system access to remote identity and authentication providers. An LDAP server is one of the identity providers SSSD can be configured with.

(Figure: How LDAP works)

LDAP data components

LDAP is built from a few data components, and understanding them makes the protocol much easier to use.

Attributes

Attributes are the basic unit of data in LDAP, and an entry can carry many of them. Each attribute has a type (for example cn, mail or userPassword) defined in the schema, which fixes the syntax of its values and the matching rules used when clients search or compare against it. An attribute can hold one or more values.

Entries  

An entry represents one object, such as a user, group or device. It is identified by a distinguished name (DN) and holds a set of attributes. Attributes cannot exist outside an entry; the entry is what makes them addressable.

Data Information Tree

Entries are arranged in a hierarchy called the Directory Information Tree (DIT). Each entry's DN is built from its own relative DN (RDN) plus the DN of its parent, so the name itself records the entry's position in the tree. Searches are scoped to a base DN and a depth (base, one level or subtree), so a client sees only the branch it asks for and is authorised to read. This is how a large amount of information is stored and managed easily.

Schemas 

A schema is the set of definitions a server enforces: object classes, which list the attributes an entry must and may have, and attribute types, with their syntaxes and matching rules. A server loads one schema made up of many such definitions, and every entry in the DIT is validated against it when it is added or modified.
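To make the four components concrete, here is an added example (not code from the original article) that parses a constructed LDIF document into entries and attributes, rebuilds the DIT from the DNs, and checks each entry against a tiny stand-in schema. The LDIF text, the DNs and the SCHEMA_MUST table are made up for illustration; a real server's schema is far larger.

```python
"""Added example (not from the original article): a minimal model of LDAP
entries, attributes, the DIT and a schema check, built from a constructed
LDIF document. Entries, DNs and the tiny schema table are illustrative only."""
from collections import defaultdict

# Constructed sample directory in LDIF, the text form of LDAP entries.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Liddell
sn: Liddell
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob
"""

# Hypothetical stand-in for the server schema: object class -> MUST attributes.
# (The real definitions live in RFC 2798 and RFC 4519; this is a subset.)
SCHEMA_MUST = {
    "dcobject": {"dc"},
    "organization": {"o"},
    "organizationalunit": {"ou"},
    "inetorgperson": {"cn", "sn"},   # inherits person's MUST attributes cn and sn
}

def parse_ldif(text):
    """Return a list of entries, each {"dn": str, "attrs": {type: [values]}}.
    Attribute types are case-insensitive in LDAP, so they are lower-cased here."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is None:
            raise ValueError(f"attribute before dn: {raw!r}")
        else:
            current["attrs"][key].append(value)
    if current:
        entries.append(current)
    return entries

def parent_dn(dn):
    """Drop the leftmost RDN; the remainder names the parent in the DIT (RFC 4514).
    Assumes no escaped commas inside RDN values, which this sample avoids."""
    _, _, rest = dn.partition(",")
    return rest

def build_dit(entries):
    """Map each DN to its children's DNs; entries whose parent is absent are roots."""
    known = {e["dn"] for e in entries}
    children = defaultdict(list)
    roots = []
    for e in entries:
        p = parent_dn(e["dn"])
        (children[p] if p in known else roots).append(e["dn"])
    return roots, dict(children)

def missing_must(entry):
    """Schema check: attributes required by the entry's object classes but absent."""
    required = set()
    for oc in entry["attrs"].get("objectclass", []):
        required |= SCHEMA_MUST.get(oc.lower(), set())
    return sorted(required - set(entry["attrs"]))

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    roots, children = build_dit(entries)
    print("roots:", roots)
    for e in entries:
        print(e["dn"], "missing:", missing_must(e))
```

Running it shows the single root dc=example,dc=com, the people branch beneath it, and that the bob entry fails the schema check because inetOrgPerson requires sn; a real server would reject that entry at Add time with an objectClassViolation.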

Operation Types

LDAP defines a fixed set of operations. Below is a quick overview of them.

  • Bind (Authentication)

When a connection is opened, its authorisation state is anonymous. The Bind operation establishes the identity of the session, either with a simple name-and-password bind or through a SASL mechanism, and the server's access controls apply to that identity from then on.

  • Add

Add creates a new entry in the directory database. The entry's DN must be unique; if an entry with that name already exists, the server rejects the request with an entryAlreadyExists result.

  • Unbind

As the name suggests, Unbind ends the session the client established with the server. Simply dropping the TCP connection has the same effect, but sending Unbind is recommended because it lets the server free the resources tied to the session promptly.

  • Search & Compare

Search lets a client find entries matching a filter (for example (uid=alice) or (&(objectClass=person)(mail=*@example.com))) under a base DN, with a scope and optional size and time limits, and choose which attributes to return. Compare asks the server whether a given entry holds a specific attribute value and answers true or false without disclosing the value.

  • Modify

Modify edits an existing entry. The permitted changes are adding values or attributes, deleting them, and replacing an attribute's values.

  • Delete

Delete removes an entry that is no longer needed. The request names the entry by DN and may carry controls; a server refuses to delete an entry that still has children (notAllowedOnNonLeaf) unless it supports a subtree-delete control.

LDAP authentication types

  • Simple Authentication

Simple authentication covers three cases:

  1. Anonymous: an empty name and an empty password. The session has only the rights granted to anonymous clients.
  2. Unauthenticated: a name with an empty password. RFC 4513 says servers should reject this by default, because an application that forwards an empty login password would otherwise receive a successful bind with anonymous rights and wrongly treat the user as logged in.
  3. Name/password: a DN and its password are checked against the directory.

  • SASL Authentication

SASL lets the LDAP server delegate authentication to other mechanisms (for example GSSAPI/Kerberos, DIGEST-MD5 or EXTERNAL with a client certificate) through a series of client and server messages within the bind.

The exchange ends with a success or failure result. With a simple bind, the password travels in clear text unless the connection is protected by TLS, so transport protection must be enforced to keep credentials and directory data from being captured in transit.

On their own, both bind types give LDAP only baseline security through the server's access control layer. The default LDAP port, 389, carries plaintext unless StartTLS is negotiated, so an attacker on the network path can read credentials and directory data and, as a result, break in and steal crucial information.

For improved LDAP security, run LDAP over TLS: either LDAPS on port 636 or the LDAPv3 StartTLS extended operation on port 389. Configure the server to refuse simple binds on unprotected connections (in OpenLDAP, for example, olcSecurity: tls=1 together with olcDisallows: bind_anon), and make clients verify the server certificate (TLS_REQCERT demand in ldap.conf) rather than merely encrypting.
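The following is an added example, not code from the original article, that hand-encodes the Bind and Unbind operations from the operation list above in the BER form RFC 4511 specifies, and parses the server's BindResponse. It also shows the three simple-bind cases and why a simple bind over plain port 389 leaks the password: the credential is right there in the message bytes, and only TLS hides it. The DN, password and server replies are constructed, and the channel_encrypted flag is a stand-in for a real TLS session.

```python
"""Added example (not from the original article): the bytes of an LDAPv3
simple Bind exchange, hand-encoded in BER as RFC 4511 specifies, plus the
Unbind request. DN, password and the server replies are constructed."""

# LDAP result codes from RFC 4511 appendix A (subset).
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",   # server insists on TLS before a simple bind
    49: "invalidCredentials",
}

def ber_len(n):
    """BER length octets: short form below 128, else 0x80|count followed by the value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(value, tag=0x02):
    """INTEGER (or ENUMERATED with tag 0x0A) as minimal two's-complement octets."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def classify_simple_bind(dn, password):
    """The three simple-authentication cases of RFC 4513 section 5.1."""
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"   # servers should reject this; apps that forward an empty password get it
    return "name/password"

def bind_request(message_id, dn, password, channel_encrypted):
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple password}}.
    Refuses what a login path must never send: a bind without both a name and a
    password (it would 'succeed' as anonymous) and a password over plaintext."""
    if not dn or classify_simple_bind(dn, password) != "name/password":
        raise ValueError("refusing bind without both a name and a password")
    if not channel_encrypted:
        raise ValueError("refusing simple bind over a plaintext connection (use LDAPS or StartTLS)")
    protocol_op = tlv(0x60,                                   # [APPLICATION 0] BindRequest
                      ber_int(3)                              # version
                      + tlv(0x04, dn.encode("utf-8"))         # name (LDAPDN)
                      + tlv(0x80, password.encode("utf-8")))  # [0] simple
    return tlv(0x30, ber_int(message_id) + protocol_op)

def unbind_request(message_id):
    """UnbindRequest is [APPLICATION 2] NULL: the two octets 0x42 0x00."""
    return tlv(0x30, ber_int(message_id) + b"\x42\x00")

def bind_response(message_id, result_code, diagnostic=""):
    """Server side: LDAPResult{resultCode, matchedDN, diagnosticMessage} under [APPLICATION 1]."""
    result = ber_int(result_code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode("utf-8"))
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))

def read_tlv(buf, pos):
    """Return (tag, value, position after the element), handling long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg):
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": rc,
            "result": RESULT_CODES.get(rc, "other"), "diagnostic": diag.decode("utf-8")}

if __name__ == "__main__":
    req = bind_request(1, "cn=svc-web,ou=people,dc=example,dc=com", "s3cret", channel_encrypted=True)
    print(req.hex(" "))
    print("password visible in the message bytes before TLS wraps them:", b"s3cret" in req)
    print(parse_bind_response(bind_response(1, 49, "invalid credentials")))
    print(unbind_request(2).hex(" "))
```

The hex dump makes the "clear text by default" point tangible: a capture of port 389 without StartTLS contains exactly these bytes, password included. Result code 13 (confidentialityRequired) is what a correctly hardened server returns to a simple bind that arrives before TLS is negotiated.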

(Figure: LDAP authentication)

Active Directory vs LDAP

AD is the industry's best-known directory service, used to manage and store an organisation's shared resources. Most commonly, AD manages user and computer accounts, groups, servers and domains.

Offered by Microsoft, AD gives organisations user and group management, authentication (Kerberos and NTLM as well as LDAP binds) and policy creation and control through Group Policy.

Because AD and LDAP are so closely related, it is tempting to treat them as the same thing. They are not. Let's compare LDAP and AD.

  • AD is a directory server, while LDAP is a protocol. AD exposes an LDAP interface, but it also authenticates and manages users through other protocols (Kerberos, NTLM) that are not LDAP.
  • LDAP is cross-platform and is spoken by many directory servers: eDirectory, Active Directory, OpenDS, IBM Tivoli Directory, Apple Open Directory, Red Hat Directory Server, and more. AD itself is Windows-centric, and non-Windows platforms usually need additional identity-management software to consume user information from it.
  • The two coexist: an organisation can use LDAP as the protocol through which its applications query AD for user information and carry out critical tasks.

LDAP vs. SAML

To understand LDAP fully, it also helps to know how it differs from SAML. Both are used for remote authentication and both can be deployed securely, so each is a sound choice for the right use case.

The most prominent difference is their origin. LDAP dates from the early 1990s, before SaaS and the public cloud existed and before anyone expected a remote workforce to become the norm.

SAML was born in the early 2000s with the aim of federating web application identities. It is an XML-based standard whose assertions are carried over HTTPS, so it needs neither StartTLS nor LDAP to do its job.

MFA fits SAML without deviating from the protocol specification: the identity provider performs the extra factors and the service provider only sees the resulting assertion. LDAP's simple bind, by contrast, is a single name-and-password check with no hook for a second factor, so MFA has to be bolted on in front of the LDAP connection. For this reason SAML is often preferred over LDAP for user-facing login.

Risks of LDAP

Even though LDAP is popular and flexible, it is not flawless and comes with certain risks. Left unaddressed, these risks cause serious issues from an API standpoint. The most concerning is LDAP injection, which arises when an application builds LDAP filters or DNs from untrusted input while connected to a directory that holds sensitive data.

LDAP injection is an attack in which crafted input is submitted through a web application so that it alters the LDAP query the application sends, exposing or modifying directory data the attacker should not be able to reach.

The malicious input typically contains LDAP metacharacters (parentheses, the * wildcard, the &, | and ! operators, and backslash escapes) that change the structure of a query the application intended to be fixed.

If successful, an LDAP injection attack can lead to unauthorised access, data breach, account hijacking and privilege escalation; the severity depends on the data affected. LDAP has also been abused in other ways: the Log4Shell vulnerability in Log4j (CVE-2021-44228) let attackers point a JNDI lookup at an attacker-controlled LDAP server, which then delivered the malicious payload.

LDAP injection is only possible when the application, not the LDAP server, fails to validate and escape the input it places into requests. That gap is what threat actors exploit.

How to protect LDAP

Since LDAP is not risk-free, one must know the viable ways to secure it and keep those risks at bay. The most effective and widely accepted measures are listed next.

  • Server-side input validation ensures every input is checked before use, against an allowlist of permitted characters and lengths rather than a blocklist of known-bad ones.
  • Escaping user-controlled strings (for filters as defined in RFC 4515, for DNs as defined in RFC 4514) turns would-be metacharacters into literal values, so injected input becomes data rather than LDAP syntax and the risk stays low.
  • Applying the principle of least privilege to the account the application binds with: it should be able to read only the attributes it needs and never bind as a directory administrator, and the application should authorise the user before issuing queries on their behalf.
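As an added example (not code from the original article), the block below shows the injection described in the Risks section and the first two protections above side by side. A small RFC 4515 filter parser and matcher stand in for the directory server so the effect can be observed offline. The DIRECTORY contents, the two lookup functions and the allowlist pattern are constructed for illustration; note that the stand-in parser is strict and rejects trailing text, whereas some real servers are more lenient, which only makes injection easier there.

```python
"""Added example (not from the original article): LDAP injection through a
search filter, and the hardened lookup. A small RFC 4515 filter parser and
matcher stand in for the directory server so the effect is visible offline;
directory contents and the lookup functions are constructed for illustration."""
import re

class FilterError(ValueError):
    pass

# Constructed in-memory directory: attribute types lower-cased, values as lists.
DIRECTORY = [
    {"dn": "uid=admin,ou=people,dc=example,dc=com",
     "objectclass": ["inetOrgPerson"], "uid": ["admin"], "cn": ["Directory Admin"]},
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "objectclass": ["inetOrgPerson"], "uid": ["alice"], "cn": ["Alice Liddell"]},
]

def escape_filter_value(value):
    """RFC 4515 section 3: encode ( ) * \\ NUL and any non-ASCII byte as \\XX of its UTF-8."""
    return "".join(f"\\{b:02x}" if b in b"()*\\\x00" or b > 0x7F else chr(b)
                   for b in value.encode("utf-8"))

def _unescape(piece):
    """Inverse of the \\XX encoding for one wildcard-free substring."""
    out, i = bytearray(), 0
    while i < len(piece):
        if piece[i] == "\\":
            out.append(int(piece[i + 1:i + 3], 16))
            i += 3
        else:
            out += piece[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", "replace")

def parse_filter(text):
    """Parse a filter string into a tree; the whole string must be consumed."""
    try:
        node, pos = _parse(text, 0)
    except FilterError:
        raise
    except (IndexError, ValueError):
        raise FilterError("truncated or malformed filter") from None
    if pos != len(text):
        raise FilterError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node

def _parse(text, pos):
    if text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|":
        op, kids, pos = text[pos], [], pos + 1
        while text[pos] != ")":
            kid, pos = _parse(text, pos)
            kids.append(kid)
        return (op, kids), pos + 1
    if text[pos] == "!":
        kid, pos = _parse(text, pos + 1)
        if text[pos] != ")":
            raise FilterError("malformed NOT")
        return ("!", kid), pos + 1
    end = text.index(")", pos)   # an escaped ')' is written \29, so a literal one ends the item
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise FilterError("malformed item")
    return ("=", attr.strip().lower(), value), end + 1

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":                      # presence filter
        return bool(present)
    # equality/substring: '*' is a wildcard, everything else literal after unescaping
    pattern = ".*".join(re.escape(_unescape(piece)) for piece in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in present)

def search(filter_text):
    """Stand-in for the LDAP Search operation: DNs of entries matching the filter."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in DIRECTORY if matches(tree, e)]

def lookup_user_unsafe(username):
    """Vulnerable: the username is spliced straight into the filter."""
    return search(f"(&(objectClass=inetOrgPerson)(uid={username}))")

def lookup_user_safe(username):
    """Hardened: allowlist the input shape, then escape it for the filter anyway."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username):
        raise ValueError("username outside the allowed character set")
    return search(f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))")

if __name__ == "__main__":
    print(lookup_user_unsafe("alice"))                    # intended result
    print(lookup_user_unsafe("*"))                        # every user, admin included
    print(search(f"(uid={escape_filter_value('*')})"))    # escaped wildcard: no match
    print(lookup_user_safe("alice"))
```

With the unsafe lookup, a username of * returns every account (a prefix such as a* enumerates accounts), and a stray parenthesis crashes the query; with escaping, the same input is matched literally and finds nothing, and the allowlist rejects it before a filter is even built. The same discipline applies to any DN the application assembles for a bind, using the RFC 4514 escaping rules instead.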

(Figure: API and LDAP authentication)

Protection with Wallarm

Wallarm is a trusted name in the web, microservice, and API security domain as the platform offers assorted security solutions. Cloud WAF, a laudable offering of Wallarm, is a responsive and feature-rich cloud-native WAF that can keep known and unknown cyber vulnerabilities at bay.

An easy-to-use tool, Wallarm Cloud WAF works with almost every API type after a minor DNS change. With automated tuning it delivers near-zero false positives, and once active it keeps out threats such as LDAP injection, the OWASP Top 10, account takeover and API abuse.

Backed by prevention techniques such as signature-free (no RegExp) detection and bypass resistance, it provides strong LDAP protection, and with its automated functions API security teams have one less thing to worry about.
