LDAP, RFC 4513 has some security issues. In any security model, we mitigate possible problems with layered technology. RFC: http://www.rfc-editor.org/rfc/rfc4513.txt PCI Compliance and LDAP Security: The best way to mitigate LDAP network issues, is through PCI compliance or isolated server network engineering, completing the model with VLAN or switch network isolation where possible packet interception might occur, since passwords and packets are sent either in clear text or encoded using Base64 encoding, which can be trivially intercepted. PCI Compliant Password Poiicy Mitigation: http://www.faqs.org/ftp/pub/internet-drafts/draft-behera-ldap-password-policy-09.txt Extract from the draft's abstract: "..In order to improve the security of LDAP directories and make it difficult for password cracking programs to break into directories, it is desirable to enforce a set of rules on password usage. These rules are made to ensure that users change their passwords periodically, passwords meet construction requirements, the re-use of old password is restricted, and users are locked out after a certain number of failed attempts." Network or "bottom up" OSI Security: With such a concentration of data in the directory, network security becomes very important. Anyone who could modify the data could give themselves access to vast numbers of machines at a stroke. Some data needs to be protected from unauthorized viewing: although all passwords are hashed, anyone who can read the hashes can mount a dictionary attack. Network Mitigation: The layer that, in the final analysis, protects LDAP from shared network based attacks, is layer 8 - Human Trust. I.E. no professional on your network is expected to be so ill-intentioned or fool hardy to mis-use trust. At some point - all of us are dangerous and unstoppable, it's expected we have bigger games to play than exploit trust? OSI Application Layer or Top Down: More subtly, anyone who can hijack a client-server connection can feed bogus data to an individual client, or use the client's privileges to modify server data. All these things can be protected against, and LDAP now has most of the tools needed to do it. Perl Mod Recommendations: http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/Security.pod J2EE: http://www.theserverside.com/tt/articles/article.tss?l=LDAP MSDN LDAP: http://msdn.microsoft.com/en-us/library/aa913688.aspx Exploits: Always check your VERSIONS and mitigate or patch any known issues! April 2008 Cisco ASA/PIX LDAP hole: http://www.cisco.com/en/US/products/products_security_advisory09186a0080833166.shtml Web Injection Attacks: http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml LDAP Server Information Disclosure Vulnerability: http://www.google.com/url?q=http://www.lifedork.com/ldapuserenum-active-directory-ldap-server-information-disclosure-vulnerability.html&sa=X&oi=revisions_result&resnum=1&ct=result&cd=1&usg=AFQjCNFKLxYW4m5tri9_rhSuDCvHAZPyTA PHP LDAP: http://www.securitytutorials3.thetazzone.com/owasp.html Hackin9 gives us examples: http://blog.security4all.be/2008/04/hakin9-magazine-3rd-edition-2008-ldap.html The proof is in the practice - Labs: Extracting hashes with crypt/John: http://marc.info/?l=john-users&m=120270251402411&w=2 Using John: http://www.openwall.com/lists/john-users/2005/09/17/1 Tools: http://www.crackserialkeygen.us/search/ldap+crack Disclaimer: At no time have we compared simple SMTP, SSH, HTTP auth or AD LDAP or mail password security, or analyzed any other security risks as comparisons. Intention is to educate. Each Nix user must understand the risks before implementing any protocol. LDAP can make your network more secure when properly implemented. www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452 January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM _________________________________________________________________ It’s the same Hotmail®. If by “same” you mean up to 70% faster. http://windowslive.com/online/hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_broad1_122008