
LDAP signing requirements for various directory configurations

While there is no longer a standard directory configuration, it is still possible to implement LDAP signing in most environments. Learn more about LDAP signing requirements from IAM expert Randall Gamby.

How can I implement LDAP signing? Please also offer some background info on where LDAP is used and why.

Lightweight Directory Access Protocol (LDAP) is the last widely deployed descendant of the OSI X.500 directory work of the 1980s. It is also, by design, a reduced protocol: much of what the X.500 model offered was cut out of it, and only some of it has since been put back.

The X.500 directory standard, first published in 1988, came with its own query protocol, Directory Access Protocol (DAP). DAP required the full seven-layer OSI stack beneath it, which was far more than the DOS-era PCs of the day, with their 640 KB conventional-memory limit, could carry on the client side. So a "lightweight" version of DAP was created: LDAP, specified in 1993 (RFC 1487) as a simpler front end that runs over TCP/IP and talks to an X.500 directory on the client's behalf. In slimming down DAP, the original LDAP gave up a number of features, among them any built-in encryption or integrity protection of the session, server-side sorting and paged results.

Flash forward to today.

Every enterprise now runs proprietary directories. X.500 itself went the way of the dinosaur, but LDAP survived as the one non-proprietary query protocol those directories all speak, and it is used to query a number of disparate repositories. LDAPv3 (RFC 2251, now the RFC 4510 series) restored several of the stripped-out features as optional extensions, such as StartTLS, SASL binds, the paged results control (RFC 2696) and server-side sorting (RFC 2891), but support for them is uneven across servers, and the protocol has never regained the full X.500 feature set. (A few years ago the IETF's LDUP working group tried to standardize LDAP replication as well, but it never caught on.)

Since LDAP provides no security of its own at the protocol level, deployments usually wrap it in SSL/TLS between the client and the repository, either LDAPS on port 636 or StartTLS on port 389, to protect the data. When TLS is unavailable, or the data doesn't need to be kept confidential, LDAP is sent in clear text. To ensure that clear-text traffic is complete and hasn't been tampered with, both sides can "sign" each LDAP message. Signing is negotiated during the bind as a SASL integrity layer (in Active Directory, through Kerberos or NTLM via GSS-SPNEGO), and from then on every message in both directions carries a message authentication code keyed from the authenticated session. The recipient checks that code to confirm the message came from the peer it authenticated and that the content is exactly what that peer sent; a modified or injected message fails the check. Note that this is a keyed MAC, not a plain checksum, and that signing provides integrity only: the contents remain readable to anyone on the wire, so a password sent in a simple bind is still exposed unless TLS is in use.

Since directory standards no longer exist, each LDAP configuration is different (one of the hopes of X.500 was to preclude this by standardizing configuration, replication, query and storage). Assuming a Microsoft deployment, there's a Microsoft article on how to configure LDAP signing for the repository and the client; the two settings involved are the "Domain controller: LDAP server signing requirements" policy (None or Require signing) and the "Network security: LDAP client signing requirements" policy (None, Negotiate signing or Require signing). Before switching the server to Require signing, find out which clients would break: a domain controller that is not enforcing signing logs event 2886 in its Directory Service log, a daily 2887 summary of how many unsigned or clear-text simple binds it accepted, and, with LDAP interface diagnostic logging turned up, a 2889 event naming the client address and account for each one. Once enforcement is on, those clients receive LDAP result code 8 (strongerAuthRequired) until they are fixed to sign or to use TLS. If you don't have a Microsoft system, you can still use the article as a guide for the general steps. Remember, there are no standard directory configurations anymore.
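The following PowerShell script is an added example for the two preceding paragraphs (the signing mechanism and the Microsoft configuration steps); it is not part of the original article or of Microsoft's documentation. It reads the two signing settings, turns on the diagnostic logging that produces the 2889 events, reports the unsigned binds seen, and, only when explicitly asked, enforces signing on both sides. The registry paths, value names, diagnostic category and event IDs are the documented Microsoft ones; the function names are this example's own, and it assumes an elevated session on a domain controller.

```powershell
# Added example (not from the original article): audit and enforce LDAP signing on a
# Windows domain controller. Run in an elevated PowerShell session on the DC.
# Registry paths, value names and event IDs are Microsoft's documented ones;
# the function names are this example's own.

$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Decode the numeric settings into the names shown in the Group Policy editor.
$ServerLevels = @{ 1 = 'None'; 2 = 'Require signing' }
$ClientLevels = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

function Get-LdapSigningState {
    # A missing value means the default applies: server None, client Negotiate.
    $srv = (Get-ItemProperty -Path $ServerKey -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $cli = (Get-ItemProperty -Path $ClientKey -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity
    if ($null -eq $srv) { $srv = 1 }
    if ($null -eq $cli) { $cli = 1 }
    [pscustomobject]@{
        ServerSigning = $ServerLevels[[int]$srv]
        ClientSigning = $ClientLevels[[int]$cli]
    }
}

function Enable-LdapInterfaceLogging {
    # "16 LDAP Interface Events" at level 2 makes the DC log event 2889 for every
    # unsigned SASL bind or clear-text simple bind, with client address and account.
    Set-ItemProperty -Path $DiagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBinds {
    param([int]$Hours = 24)
    # 2886: signing not enforced; 2887: daily count of unsigned binds; 2889: each bind.
    $filter = @{ LogName = 'Directory Service'; Id = 2886, 2887, 2889
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # In 2889 the first two inserted strings are client IP:port and identity.
                Client  = if ($_.Id -eq 2889) { $_.Properties[0].Value } else { '' }
                Account = if ($_.Id -eq 2889) { $_.Properties[1].Value } else { '' }
            }
        }
}

function Set-LdapSigningRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Enforce on both sides. Clients that still do clear-text simple binds will get
    # LDAP result 8 (strongerAuthRequired) afterwards, so review Get-UnsignedLdapBinds
    # first. A Group Policy setting, if present, overrides these registry values.
    if ($PSCmdlet.ShouldProcess($ServerKey, 'Set LDAPServerIntegrity = 2')) {
        Set-ItemProperty -Path $ServerKey -Name LDAPServerIntegrity -Value 2 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($ClientKey, 'Set LDAPClientIntegrity = 2')) {
        Set-ItemProperty -Path $ClientKey -Name LDAPClientIntegrity -Value 2 -Type DWord
    }
}

# Typical sequence: look, turn on logging, wait a day, review, then enforce.
Get-LdapSigningState
Get-UnsignedLdapBinds -Hours 24 | Format-Table Time, EventId, Client, Account -AutoSize
# Enable-LdapInterfaceLogging
# Set-LdapSigningRequired -WhatIf     # drop -WhatIf to apply
```

The read-only functions run when the script is executed; the two that change the machine are left commented out so that nothing is enforced until the 2889 events have been reviewed. Clients that show up there need to be switched to a signing-capable bind (Kerberos or NTLM through Negotiate) or moved to LDAPS/StartTLS before the server setting is raised to Require signing.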

(Author's note: I worked on the original X.500, DAP, and LDAP specifications at the National Institute of Standards and Technology (NIST) in Washington D.C. and was sorry to see X.500 and DAP go.)


This was last published in October 2009
