LDAP

Lightweight directory access protocol for centralized authentication, authorization, and network resource management

LDAP (Lightweight Directory Access Protocol)

  • Directory service protocol that provides centralized authentication and authorization for network resources
  • Operates on TCP port 389 (standard) or TCP port 636 (LDAPS with SSL/TLS encryption)
  • Based on a client-server model in which LDAP clients query LDAP servers (called Directory System Agents or DSAs)
  • Uses hierarchical tree structure called Directory Information Tree (DIT) to organize data

Core Functions

  • Authentication: Verifies user credentials against centralized directory
  • Authorization: Determines what resources authenticated users can access
  • Directory Services: Stores and retrieves information about users, groups, computers, and network resources
  • Single Sign-On (SSO): Allows users to authenticate once and access multiple network services

LDAP vs LDAPS Comparison

Protocol | Port | Security          | Use Case
LDAP     | 389  | Plain text        | Internal networks, lab environments
LDAPS    | 636  | SSL/TLS encrypted | Production networks, secure communications

Distinguished Names (DN) Structure

  • Hierarchical naming convention that uniquely identifies each entry in directory
  • Example: cn=John Smith,ou=Users,dc=company,dc=com
    • cn = Common Name
    • ou = Organizational Unit
    • dc = Domain Component
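
A short parser for the DN string form described above, added here as an example (not part of the original notes). It splits a DN into its RDN components while honouring RFC 4514 escapes, so a comma inside a value such as cn=Smith\, John does not break the hierarchy, and it checks whether an entry sits under a given base DN (the starting point of a search). The sample DNs are constructed; nothing is sent to a directory server.

```python
# Added example: parse RFC 4514 DN strings and test subtree membership.
HEX = "0123456789abcdefABCDEF"

def _skip_spaces(s, i):
    while i < len(s) and s[i] == " ":
        i += 1
    return i

def parse_dn(dn):
    """Split an RFC 4514 DN string into (type, value) RDNs, leaf first.
    Backslash escapes ("\\,") and hex escapes ("\\2c") are decoded so an
    escaped comma does not split the RDN; multi-valued RDNs ("+") are rejected."""
    rdns, attr, value, in_value, i = [], "", "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and in_value:                # escaped character in a value
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and nxt[0] in HEX and nxt[1] in HEX:
                value, i = value + chr(int(nxt, 16)), i + 3   # \2c -> ","
            elif nxt:
                value, i = value + nxt[0], i + 2              # \,  -> ","
            else:
                raise ValueError("dangling escape at end of DN")
        elif ch in "+\\":
            raise ValueError("multi-valued RDN or escape in type at %d" % i)
        elif not in_value and ch == "=":
            in_value, i = True, _skip_spaces(dn, i + 1)
        elif not in_value:
            attr, i = attr + ch, i + 1
        elif ch == ",":                            # unescaped comma ends the RDN
            rdns.append((attr.strip().lower(), value))
            attr, value, in_value = "", "", False
            i = _skip_spaces(dn, i + 1)
        else:
            value, i = value + ch, i + 1
    if not in_value or not attr.strip():
        raise ValueError("malformed DN: RDN without '='")
    rdns.append((attr.strip().lower(), value))
    return rdns

def is_under_base(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it in the DIT.
    Compared from the root (end of list) upward; types and values are
    compared case-insensitively (fine for the dc/ou/cn attributes used here)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    tail = entry[len(entry) - len(base):]
    return [(t, v.lower()) for t, v in tail] == [(t, v.lower()) for t, v in base]
```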

Common LDAP Implementations

  • Microsoft Active Directory: Most common in enterprise Windows environments
  • OpenLDAP: Open-source implementation for Linux/Unix systems
  • Cisco LDAP: Used in network device authentication (ASA, ISE, wireless controllers)

Network Device Integration

Cisco Device LDAP Configuration Context

  • Configure LDAP servers for administrative authentication on routers, switches, firewalls
  • Typically used with AAA (Authentication, Authorization, Accounting) framework
  • Fallback authentication usually configured (local accounts as backup)
  • Example use case: Network engineers authenticate to switches using domain credentials instead of local passwords

AAA with LDAP Flow

  1. User attempts to access network device (SSH, console, web interface)
  2. Device queries LDAP server with user credentials
  3. LDAP server validates against directory database
  4. Server returns authentication result and user authorization attributes
  5. Device grants or denies access based on LDAP response

Vocabulary

Directory Information Tree (DIT): Hierarchical structure organizing LDAP directory entries, similar to file system directories

Bind Operation: LDAP authentication process where client provides credentials to server

Base DN: Starting point in directory tree for LDAP searches (e.g., dc=company,dc=com)

Schema: Defines what types of objects and attributes can be stored in LDAP directory

Referral: LDAP server’s response redirecting client to another server for information not locally available
Notes

  • Always use LDAPS (port 636) in production - a simple bind over plain LDAP transmits the password in clear text
  • LDAP queries can impact network performance if directory is large or server is slow - consider local caching
  • When configuring LDAP on Cisco devices, test with a known-good account first before applying to all administrators
  • LDAP bind accounts (service accounts) should have minimal privileges - they only need to read user authentication attributes
  • Consider LDAP server redundancy - configure multiple LDAP servers to prevent single point of failure for network access
  • Military/Government networks often require LDAP integration with PKI certificates for enhanced security posture