
Specifically, how does an LDAP server distinguish a TCP packet containing a SearchRequestOp from an authenticated user, from a TCP packet containing a SearchRequestOp from an unauthenticated user?

I understand how the BindRequest and BindResponse operations work, but what I want to know is what in the TCP packet or LDAP PDU is used by the server to know that the SearchRequest is indeed coming from a client/channel which has already performed a successful BindRequest? And is it something I can see in a Wireshark capture?

Tikiyetti

1 Answer

LDAP is an application layer protocol. The security association done at LDAP level is mainly based on the TCP or TLS connection.

The TCP connection is recognized by the server just by client IP address / port which is not really secure. Hence you should use an encrypted channel via TLS which defends against active MITM attacks.

  • Thank you for the reply. So...without TLS, is there anything that mitigates something like a spoofed-packet attack? What would happen if someone crafted a replica TCP packet using something like scapy and sent it to the LDAP server? – Tikiyetti Jun 11 '19 at 16:31
  • @Tikiyetti: that would be dependent on the vendor implementation. – Greg Askew Jun 11 '19 at 19:40