Q

LDAP signing requirements for various directory configurations

While there is no longer a standard directory configuration, it is still possible to implement LDAP signing in most environments. Learn more about LDAP signing requirements from IAM expert Randall Gamby.

How can I implement LDAP signing? Please also offer some background info on where LDAP is used and why.

Lightweight Directory Access Protocol (LDAP) is the last remaining remnant of the OSI layer 7 application layer from the 1980s. Unfortunately, it is also one of the least functional components.

In the early 1980s, with the open standard OSI X.500 directory came a query protocol, Directory Access Protocol (DAP). However, the dominant PCs of the day were x386-based PCs. These PCs had a requirement that no matter how much memory was on the server, applications had to run in 640 KB of conventional memory in order for DOS to access them. DAP was larger than 640 KB, so a "lightweight" version of DAP was created: LDAP. In dumbing down DAP, certain extras were eliminated, including encrypted transfer, sorting, paged results and others.

Flash forward to today.

Every enterprise has proprietary enterprise directories. However, while the X.500 directory went the way of the dinosaur, LDAP has remained the only non-proprietary query protocol for these directories. LDAP is used to create queries to a number of disparate repositories but has never been expanded to include all the features that were stripped out of it (a few years ago there was an effort to update LDAP, the Lightweight Directory Update Protocol (LDUP), but it never caught on).

Since LDAP doesn't provide its own security, deployments usually use SSL between the client and the supplying repository to protect the data. When SSL is unavailable, or the data doesn't need to be encrypted, the data is sent using LDAP in clear-text format. To ensure the information is complete and hasn't been tampered with when sent in clear text, the repository can "sign" the LDAP packet. By signing packets, the recipient's system can check the LDAP signature to ensure that the packet arrived from the repository it was supposed to come from and that the content is only the original results (verified through a checksum).

Since directory standards no longer exist, each LDAP configuration is different (one of the hopes of the X.500 directory was to preclude this from happening by creating standardized configuration, replication, query and storage). Assuming a Microsoft deployment, there's a Microsoft article on how to configure LDAP signing for the repository and client. If you don't have a Microsoft system, you can still use the article as a guide for the general steps. Remember, there are no standard directory configurations anymore.
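For the Microsoft case, the following PowerShell is an added example (not from the original article or from Microsoft's own guidance) showing the checks a practitioner would run around that configuration: read the current server and client signing settings, list the clients still binding without signing, and only then enforce. It assumes a Windows domain controller, an elevated session, and the documented `LDAPServerIntegrity` and `LDAPClientIntegrity` registry values; in a domain the same settings are normally pushed through Group Policy rather than edited directly.

```powershell
# Added example, not part of the original Q&A. Assumes a domain controller and an
# elevated PowerShell session. Registry paths are the documented Windows locations
# for the LDAP signing settings.
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

function Get-LdapSigningState {
    # Server value: 1 = sign only if the client asks, 2 = require signing.
    # Client value: 0 = none, 1 = negotiate signing (the default), 2 = require signing.
    $server = (Get-ItemProperty -Path $serverKey -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $client = (Get-ItemProperty -Path $clientKey -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity
    [pscustomobject]@{
        ServerRequiresSigning = ($server -eq 2)
        ClientSetting         = if ($null -eq $client) { 'not set (defaults to 1 = negotiate)' } else { $client }
    }
}

function Get-UnsignedBindClients {
    # Before enforcing, find clients that still bind without signing. Event 2887 is the
    # periodic summary count; 2889 names each client, but only after the
    # "16 LDAP Interface Events" diagnostics level has been raised to 2 on the DC.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-LdapSigningRequirement {
    # Flip server and client to "require signing". Run only after Get-UnsignedBindClients
    # comes back empty; any client still doing unsigned binds will fail afterwards.
    Set-ItemProperty -Path $serverKey -Name LDAPServerIntegrity -Value 2 -Type DWord
    Set-ItemProperty -Path $clientKey -Name LDAPClientIntegrity -Value 2 -Type DWord
}

# Audit first; enforce (Enable-LdapSigningRequirement) as a separate, deliberate step.
Get-LdapSigningState
Get-UnsignedBindClients -Hours 24 | Format-Table -AutoSize
```

Requiring signing on the server side also rejects clear-text simple binds over plain LDAP, so the event check is what tells you which applications need fixing before enforcement.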

(Author's note: I worked on the original X.500, DAP, and LDAP specifications at the National Institute of Standards and Technology (NIST) in Washington D.C. and was sorry to see X.500 and DAP go.)


This was first published in October 2009
