
I have been requested to expose a web service for managing Active Directory Users via an intranet. I have been advised that LDAP is viewed as a security vulnerability and is not to be used.

Given this constraint, I have managed to connect via ADSI with a DirectoryEntry object like this:

using System.DirectoryServices;

// Bind to the domain through the WinNT ADSI provider with explicit credentials.
DirectoryEntry de = new DirectoryEntry();
de.Path = "WinNT://TheDomain.local";
de.Username = "NTUser1";
de.Password = "pwdpwdpwd2";

I can loop through the children of this DirectoryEntry get the ones that are users. On the Users, I can see these basic properties: UserFlags, MaxStorage, PasswordAge, PasswordExpired, LoginHours, FullName, Description, BadPasswordAttempts, LastLogin, HomeDirectory, LoginScript, Profile, HomeDirDrive, Parameters, PrimaryGroupID, Name, MinPasswordLength, MaxPasswordAge, MinPasswordAge, PasswordHistoryLength, AutoUnlockInterval, LockoutObservationInterval, MaxBadPasswordsAllowed, objectSid.

There are a number of User properties that are visible in the Active Directory MMC that are not accessible from the DirectoryEntry object including: LastName, NameSuffix, Department, etc...

These other properties are all documented in msdn as being exposed by IADsUser (http://msdn.microsoft.com/en-us/library/aa746340%28VS.85%29.aspx).

1) Is LDAP actually a vulnerable protocol? More so than the ADSI (WinNT) connection shown above? LDAP seems to be pretty common for this purpose.

2) How can I retrieve/set these other properties of the User?

TIA

Travis Heseman
sympatric greg
  • Joel Kaplan (Co-author of "The .NET Developer's Guide to Directory Services Programming) explains that the WinNT provider simply doesn't expose a number of properties and describes 2 unsavory workarounds here: http://www.servernewsgroups.net/group/microsoft.public.windows.server.active_directory/topic19181.aspx (see his final post on the thread). So this explains the limitations of ADSI; does anyone want to weigh in on LDSI as vulnerable? – sympatric greg Sep 22 '09 at 05:58
  • Have you also been told **why** LDAP is considered a security vulnerability? – Paolo Tedesco Sep 22 '09 at 07:14
  • I have not received a satisfactory explanation; I am getting the info 2nd hand. I am skeptical, but this is an area I don't know much about. – sympatric greg Sep 22 '09 at 15:54
  • Seems like a lot of extra work to go down the path of rewriting what is already available in the existing tools. Why not look at delegated rights for different users or groups and just use the existing AD tools – benPearce Oct 12 '09 at 07:04

2 Answers


1- LDAP packet transmission is performed as plaintext, so somebody can capture your data. If you use the LDAPS protocol or TLS-enable your LDAP connection, it is safe. ADSI is just an implementation of an LDAP client by Microsoft, and it supports both LDAP and LDAPS connections. When you use ADSI against your corporate Active Directory, it primarily tries to start an LDAPS connection. So you are safe if you use ADSI; or you can use any other client or programming library as well, if you use a secure connection. The default port for LDAPS is 636.

2- To get more information about directory objects, you can use the GetInfoEx method; it loads exactly the attributes you want. Below you can see an example: http://msdn.microsoft.com/en-us/library/aa746411%28v=vs.85%29.aspx

But some of the properties that you look for are stored in Active Directory under attribute names different from those in the MMC console, e.g. First name is stored as 'givenName' and Last name is stored as 'sn'. Look here to find the names of the attributes you need.

You can find more information here.

PyGuy
  • Mind adding a few more details? While this could be a good answer, it lacks the info it needs to stand out. –  Oct 06 '13 at 06:52
  • I re-organized my answer and added more details. I wish it could help you. – PyGuy Jun 04 '14 at 17:46

http://www.techgalaxy.net/Docs/Dev/Using_ADSI_and_LDAP_with_AD.htm explains the difference between LDAP and ADSI: http://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx includes illustrations.

In short, ADSI is a simplified wrapper around LDAP. If there's any insecurity to it, it's in the binding, which here appears to be SIMPLE (unencrypted plaintext username and password). If you bind the LDAP connection using any other method (or over an SSL connection), it should be secure.

Stuart P. Bentley
  • Note I wrote "any other method (or over an SSL connection)" back when I was young and naive about network security. You should do *all* your communication over untrusted links through TLS (i.e. the SSL versions that aren't called SSL). – Stuart P. Bentley Jul 10 '15 at 21:05
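The two answers together describe the fix for both questions: bind with the LDAP:// provider over LDAPS (port 636) with a Negotiate bind instead of a SIMPLE bind, and load the hidden attributes by their schema names (givenName, sn) with GetInfoEx. This added example (not code from either answer) puts that into a .NET DirectoryEntry program; the host dc01.TheDomain.local, the OU, the service account and the user jdoe are placeholders, and RefreshCache(string[]) is the .NET wrapper for IADs::GetInfoEx.

```csharp
using System;
using System.DirectoryServices;

static class AdUserAttributes
{
    // Negotiate (Kerberos/NTLM) bind over LDAPS: neither credentials nor directory data
    // cross the wire in plaintext. AuthenticationTypes.None would be the SIMPLE bind
    // that the second answer identifies as the insecure part.
    const AuthenticationTypes ProtectedBind =
        AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer;

    // LDAP:// (not WinNT://) is the provider that exposes the full IADsUser attribute set.
    static DirectoryEntry BindToContainer(string host, string baseDn, string user, string password)
    {
        string path = $"LDAP://{host}:636/{baseDn}";   // 636 is the default LDAPS port
        return new DirectoryEntry(path, user, password, ProtectedBind);
    }

    // Locate one user by logon name; the name is escaped per RFC 4515 so that a value
    // coming from the intranet web service cannot alter the structure of the filter.
    static DirectoryEntry FindUser(DirectoryEntry root, string samAccountName)
    {
        string escaped = samAccountName.Replace(@"\", @"\5c").Replace("*", @"\2a")
                                       .Replace("(", @"\28").Replace(")", @"\29");
        var searcher = new DirectorySearcher(root,
            $"(&(objectCategory=person)(objectClass=user)(sAMAccountName={escaped}))",
            new[] { "distinguishedName" });
        SearchResult hit = searcher.FindOne();
        return hit?.GetDirectoryEntry();
    }

    static void Main()
    {
        // Placeholder names; the service account password is read from the environment
        // rather than being hard-coded as in the question's snippet.
        string password = Environment.GetEnvironmentVariable("AD_SVC_PASSWORD");
        using (var root = BindToContainer("dc01.TheDomain.local",
                   "OU=Users,DC=TheDomain,DC=local", @"TheDomain\svc-usermgmt", password))
        using (var user = FindUser(root, "jdoe"))
        {
            if (user == null) { Console.WriteLine("user not found"); return; }
            // Load only the attributes needed (GetInfoEx semantics), by their schema names.
            user.RefreshCache(new[] { "givenName", "sn", "department" });
            Console.WriteLine($"{user.Properties["givenName"].Value} {user.Properties["sn"].Value}");
            user.Properties["department"].Value = "Finance";   // the MMC "Department" field
            user.CommitChanges();                              // write back over the same bind
        }
    }
}
```

The service account needs only delegated write rights on the OU it manages, in line with benPearce's comment about delegation rather than a highly privileged account.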