> For the complete documentation index, see [llms.txt](https://docs.0xrushi.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.0xrushi.xyz/protocols/ldap.md).

# LDAP

LDAP is the Lightweight Directory Access Protocol, a protocol for network devices to communicate with Directory Services. A Directory Service is a database containing information on all of your users, groups, and network devices

#### How does LDAP work?

LDAP works by making an information tree of resources on the network, just like directories on your computer. The root, which is the Directory Service, is called the Domain, and its children are called Organizational Units. Examples of Organizational Units are a Users folder, a Network Devices folder, or a Groups folder. The children of Organizational Units are called Common Names. Common Name examples are the users in the users folder, individual computers or network devices in the computer folder, and usergroups inside the group folder.

<figure><img src="/files/PxSUVIMgFqMMU3YQizYq" alt=""><figcaption></figcaption></figure>

#### Key LDAP Components

| Term                | Abbreviation | Meaning                                            |   |
| ------------------- | ------------ | -------------------------------------------------- | - |
| Domain Component    | `DC`         | Parts of the domain name (e.g. `DC=corp,DC=local`) |   |
| Organizational Unit | `OU`         | Folder/container grouping objects                  |   |
| Common Name         | `CN`         | The specific object (user, group, computer)        |   |
| Distinguished Name  | `DN`         | Full path to an object in the tree                 |   |

#### Example LDAP Query (Distinguished Name)

```shell
CN=John Smith,OU=Users,DC=corp,DC=local
```

This uniquely identifies John Smith's user object in the `corp.local` domain.

### Active Directory = LDAP (Microsoft Flavour)

Active Directory **is** Microsoft's proprietary implementation of LDAP. Key points:

* The **Domain Controller (DC)** acts as the LDAP server AND the Kerberos Key Distribution Center (KDC)
* AD stores all object attributes accessible via LDAP queries
* AD extends the standard LDAP schema with Microsoft-specific attributes (e.g. `userAccountControl`, `sAMAccountName`, `servicePrincipalName`)
* **Every domain-joined machine knows how to talk LDAP to a DC**

### LDAP Authentication Methods

#### 1. Simple Bind (Plaintext)

* Client sends `username + password` directly to the LDAP server
* **Vulnerable** to credential interception on the wire if not using TLS
* Port 389 without TLS = credentials in cleartext

#### 2. SASL / Kerberos Bind

* Uses Kerberos tickets for authentication
* The standard method in AD environments
* More secure — no password over the wire

#### 3. Anonymous Bind

* Connecting to LDAP **without any credentials**
* Often disabled in modern AD, but worth checking
* If enabled → massive information disclosure

Anonymous bind

```shell
ldapsearch -x -H ldap://DC_IP -b "DC=corp,DC=local"
```

### What is LDAP Signing?

LDAP Signing is a security feature that **cryptographically signs every LDAP message** between a client and the Domain Controller. This ensures:

* **Integrity** — the message hasn't been tampered with in transit
* **Authentication** — the message actually came from the claimed sender
* **Replay protection** — signed packets can't be captured and replayed

Without signing, an attacker sitting between a client and DC can **inject, modify, or replay LDAP requests** — which is the foundation of LDAP relay attacks.

#### LDAP Signing vs LDAPS — Critical Difference

Many people confuse these. They are **not the same thing**.

| Feature               | LDAP Signing                | LDAPS (LDAP over SSL/TLS)   |
| --------------------- | --------------------------- | --------------------------- |
| Port                  | 389                         | 636                         |
| What it does          | Signs packets for integrity | Encrypts the entire channel |
| Protects credentials? | No (just integrity)         | Yes (full encryption)       |
| Relay-resistant?      | **Yes** (when required)     | **Partially** — see below   |
| Required by default?  | No                          | No                          |


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.0xrushi.xyz/protocols/ldap.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
