LDAP and AD
Lightweight Directory Access Protocol
- What is AD?
- What is LDAP?
- How to query the LDAP.
- LDAP injections.
- Preventing LDAP injections.
1. What is AD?
Active Directory (AD) is a directory service implementation that provides services such as authentication, group and user management, policy administration and more.
AD supports both the LDAP and Kerberos protocols, and AD is not cross-platform. Microsoft AD is the most popular directory service, but other implementations are available too, such as Apache Directory Server and OpenLDAP. You can find the available directory service implementations here.
AD supports three types of authentication for access over LDAP: ANONYMOUS, SIMPLE and SASL.
2. What is LDAP?
LDAP (Lightweight Directory Access Protocol) is an open, cross-platform protocol used for authentication against directory services. It is an application-layer protocol through which applications communicate with directory servers. AD provides SSO (Single Sign-On) integration for our applications with the help of LDAP. Since AD is not cross-platform, LDAP is what makes it possible to integrate AD with different platforms.
3. How to query LDAP?
i. (cn=Ram*) queries the entries whose common name starts with Ram. (* matches any sequence of characters)
ii. (!(cn=*Mohan)) queries the entries whose common name does not end with Mohan. (! is logical NOT)
iii. (&(cn=R*)(cn=*Mohan)) queries the entries whose common name starts with R and ends with Mohan. (& is logical AND)
iv. (&(|(cn=R*)(cn=H*))(cn=*Krishna)) queries the entries whose common name starts with the letter R or the letter H and ends with Krishna. (| is logical OR)
For the full filter syntax, see RFC 4515.
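To make the four filter forms above concrete, here is an added example (not code from the original page): a small evaluator for the RFC 4515 filter subset the page uses (equality, substring with *, and the &, | and ! operators), run against a handful of constructed directory entries. The entries, names and the helper names (parse_filter, evaluate, search) are all constructed for this demonstration; a real directory server parses and evaluates filters itself.

```python
import re

# Constructed sample entries standing in for a directory; cn is the only attribute used.
ENTRIES = [
    {"cn": "Ram Mohan"},
    {"cn": "Ramesh"},
    {"cn": "Hari Krishna"},
    {"cn": "Radha Krishna"},
    {"cn": "Mohan"},
]


def parse_filter(text):
    """Parse an RFC 4515 filter string into a tree.

    Nodes are ('&', [children]), ('|', [children]), ('!', [child])
    or ('=', attribute, pattern) for a leaf item such as cn=Ram*.
    """
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at position %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced filter")
        if op == "!" and len(children) != 1:
            raise ValueError("NOT takes exactly one subfilter")
        return (op, children), pos + 1
    # Leaf item: a raw ')' never appears inside an escaped value, so it ends the item.
    end = text.find(")", pos)
    if end == -1:
        raise ValueError("unbalanced filter")
    attr, sep, pattern = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError("only attribute=value items are supported here")
    return ("=", attr.lower(), pattern), end + 1


def _unescape(value):
    # RFC 4515 escapes a byte as backslash plus two hex digits, e.g. \2a for '*'.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(pattern, value):
    # Split on unescaped '*' first, then unescape each literal piece, so that an
    # escaped \2a in the pattern is matched as a literal asterisk, not a wildcard.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    # cn is a case-insensitive attribute in LDAP, so match case-insensitively.
    return re.match(regex, value, re.IGNORECASE | re.DOTALL) is not None


def evaluate(tree, entry):
    kind = tree[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in tree[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in tree[1])
    if kind == "!":
        return not evaluate(tree[1][0], entry)
    _, attr, pattern = tree
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(_matches(pattern, v) for v in values)


def search(filter_text, entries=ENTRIES):
    """Return the cn of every entry matched by the filter."""
    tree = parse_filter(filter_text)
    return [e["cn"] for e in entries if evaluate(tree, e)]


if __name__ == "__main__":
    for f in ["(cn=Ram*)", "(!(cn=*Mohan))",
              "(&(cn=R*)(cn=*Mohan))", "(&(|(cn=R*)(cn=H*))(cn=*Krishna))"]:
        print(f, "->", search(f))
```

Running the block prints the matches for the four filters from the list above; note that (!(cn=*Mohan)) also drops the entry whose cn is exactly "Mohan", because *Mohan matches an empty prefix.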
4. LDAP injections
LDAP injection works the same way SQL injection does. Take the example of a filter string prepared to authenticate a user.
If you build the filter with string concatenation, it looks like the following:
filterString = "(&(userID="+username+")(password="+password+"))";
If the attacker enters a username containing LDAP filter metacharacters, the structure of the filter changes and the authentication check can be bypassed.
In the same way, the attacker can read other information from AD by injecting different attributes into the LDAP query.
5. Preventing LDAP injections
To prevent LDAP injection we have to validate every input argument that takes part in an LDAP query. Sanitising input based on the application's needs is not always enough: sometimes we must accept the special characters ( ( ) * & | \ ) as input (for example, passwords may legitimately contain them). In those cases we have to escape (encode) the input arguments at the application level so that they cannot alter the filter's structure. For more on preventing LDAP injection, check the OWASP cheat sheet.
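As an added example (not code from the original page), the following builds the page's login filter with RFC 4515 escaping of the user-supplied values, beside the unsafe concatenation. The attribute names userID and password are the page's own; the function names, the structural check and the sample inputs are constructed for the demonstration.

```python
# RFC 4515 section 3: these characters must be escaped inside an assertion value
# as a backslash followed by two hex digits. Mapping per character avoids the
# ordering bug of escaping the backslash after the other replacements.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_login_filter(username, password):
    # The vulnerable form from the page: raw string concatenation.
    return "(&(userID=" + username + ")(password=" + password + "))"


def safe_login_filter(username, password):
    # Same filter template, but every user-controlled value is escaped first.
    return "(&(userID=%s)(password=%s))" % (
        escape_filter_value(username),
        escape_filter_value(password),
    )


def filter_is_well_formed(filter_text):
    """Cheap structural check: parentheses must balance and never go negative."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def assertion_count(filter_text):
    """Number of '(' in the filter; for this template it must always be 3.

    Because escaping turns every user-supplied '(' into \\28, the safe filter
    keeps exactly the three parentheses the template contributes, whatever the
    input contains. Any other count means user input reshaped the query.
    """
    return filter_text.count("(")


if __name__ == "__main__":
    # Constructed inputs: a password with legitimate special characters, and a
    # username carrying filter metacharacters.
    print(safe_login_filter("Ram", "p(ss)w0rd*"))
    print(unsafe_login_filter("R*)", "x"), filter_is_well_formed(unsafe_login_filter("R*)", "x")))
    print(safe_login_filter("R*)", "x"), filter_is_well_formed(safe_login_filter("R*)", "x")))
```

Escaping keeps the password usable (the server compares the decoded bytes), while the structural checks show why the escaped filter is safe: its shape never depends on the input. Escaping is the fix; the checks are only there to make the difference visible, and a real application should also bind with the user's credentials rather than compare a password attribute in a search filter.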