
Over the past 5 years, I have heard the conversation about how we move our AD to the cloud. Oh the cloud, loud, mild, my child, it’s not as easy as you think. There are things in older environments that can ruffle some people’s feathers if they ever glitch or go down. I once saw an IIS app stop working with LDAP; the app was a proxy for the CEO to look at adult materials while at work…. He wasn’t happy when it said, “Username and password are incorrect.” I wrote about ADDS a while back, and it finally led to questions. How do I know what touches LDAP?

LDAP: What is it?

First, for the young kids in the room (talking to you, Justin): LDAP is the Lightweight Directory Access Protocol. It’s an open, vendor-neutral protocol designed to access and manage directory information. (Wow, that sounded professional.) Basically, it lets you query and interact with things like AD. I have mainly used LDAP for VPN access. Meraki loves LDAP for its group-policy-based VPN stuff.

So how does it work?

This is the normal 4-step LDAP process:

  1. Session Connection – Knocks on the door.
  2. Request – Asks for Justin’s distinguished name. We will call him Pastor Justin.
  3. Response – LDAP says, yeppers, we have him.
  4. Completion – The connection is made.

LDAP can do a lot more than connection requests. It can add, delete, search, compare, modify, etc. It’s most commonly used for searching. Things like VPNs really love LDAP.
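Here is the 4-step exchange from the client side, as an added example (my code, not from the original post). It uses the .NET System.DirectoryServices.Protocols API; the server name, base DN and account name are placeholders you supply. It asks for signing and sealing on 389 (or TLS on 636) so the bind is not an unsigned one, and it escapes the account name the RFC 4515 way so the value cannot change the meaning of the search filter.

```powershell
# Added example (not from the original post): the 4-step LDAP exchange from a
# client's point of view. Server, base DN and account name are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves (\ * ( ) and NUL) so a
    # user-supplied value cannot alter the filter (LDAP injection).
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\' + ('{0:x2}' -f [int][char]$m.Value)
    })
}

function Invoke-LdapLookup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,          # e.g. 'dc01.corp.example' (placeholder)
        [Parameter(Mandatory)][string]$BaseDn,          # e.g. 'DC=corp,DC=example' (placeholder)
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$UseLdaps,
        [System.Management.Automation.PSCredential]$Credential
    )
    $port = if ($UseLdaps) { 636 } else { 389 }

    # Step 1: session connection ("knocks on the door")
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseLdaps) {
        $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte on 636
    }
    else {
        # On plain 389, request SASL signing and sealing. A Negotiate bind made
        # without these is what the DC reports as an unsigned bind.
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }

    try {
        # Steps 2 and 3: bind request and the server's response (throws LdapException on failure)
        $conn.Bind()

        # Steps 2 and 3 again: search request for the account's distinguished name
        $filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, $scope, [string[]]@('distinguishedName'))
        $response = $conn.SendRequest($request)

        foreach ($entry in $response.Entries) {
            [pscustomobject]@{
                SamAccountName    = $SamAccountName
                DistinguishedName = $entry.DistinguishedName
                Server            = $Server
                Port              = $port
                Transport         = if ($UseLdaps) { 'LDAPS' } else { 'LDAP + SASL sign/seal' }
            }
        }
    }
    finally {
        # Step 4: completion; close the session
        $conn.Dispose()
    }
}

# Usage (placeholder names):
# Invoke-LdapLookup -Server dc01.corp.example -BaseDn 'DC=corp,DC=example' -SamAccountName justin
# Invoke-LdapLookup -Server dc01.corp.example -BaseDn 'DC=corp,DC=example' -SamAccountName justin -UseLdaps
```

The escaping helper is the piece worth copying into anything that builds filters from user input: `justin)(objectClass=*` becomes a literal string instead of a second clause.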

LDAP lives on port 389. So, if you monitor that port, you should get some good traffic.

LDAPS!

LDAP with an S just means secure LDAP. It uses SSL or TLS to encrypt the data. It lives on port 636. LDAPS can be a challenge to set up with older tech. For example, AS/400….. That is some old green-screen tech there. So, a lot of manufacturing doesn’t use LDAPS. It also requires the directory server to be set up to establish trust. A lot of smaller companies just don’t have the resources for this. Finally, there is the overhead of extra traffic on the network. In our area, most companies are run by a Sir Justin, and they just don’t want to dig into it.

HOWEVER, if you can, you should, if you are going to continue using LDAP. With that said, how do you determine what is hitting your LDAP server? What touches LDAP?
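Before telling clients to use LDAPS, it is worth checking that the server actually answers on 636 with a certificate the clients will trust. This is an added example (my code, not from the original post); the server name is a placeholder. It opens the TLS session itself and then evaluates the chain and the hostname explicitly, which is what a client library would do before accepting the connection.

```powershell
# Added example (not from the original post): does this directory server speak
# LDAPS, and would the certificate it presents pass a client's trust checks?
function Test-LdapsEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,   # placeholder, e.g. dc01.corp.example
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $async = $tcp.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Server = $Server; Port = $Port; Reachable = $false; Note = 'TCP connect timed out' }
        }
        $tcp.EndConnect($async)

        # Accept whatever certificate arrives so we can inspect it; trust is evaluated explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Server)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)   # uses this machine's trusted roots and revocation settings
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Names the certificate is valid for: subject CN plus the SAN DNS entries (OID 2.5.29.17).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += ($san.Format($false) -split ',\s*') |
                Where-Object { $_ -like 'DNS Name=*' } |
                ForEach-Object { $_.Substring('DNS Name='.Length) }
        }
        # -like handles wildcard certificates such as *.corp.example
        $nameOk = [bool]($names | Where-Object { $Server -like $_ })

        [pscustomobject]@{
            Server       = $Server
            Port         = $Port
            Reachable    = $true
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            ChainTrusted = $chainOk
            ChainStatus  = if ($chainStatus) { $chainStatus } else { 'OK' }
            NameMatches  = $nameOk
            Note         = if ($chainOk -and $nameOk) { 'LDAPS usable by clients that trust this chain' } else { 'Clients will fail validation; fix the trust chain or the certificate name' }
        }
    }
    catch {
        [pscustomobject]@{ Server = $Server; Port = $Port; Reachable = $tcp.Connected; Note = "TLS handshake failed: $($_.Exception.Message)" }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage (placeholder name):
# Test-LdapsEndpoint -Server dc01.corp.example | Format-List
```

Run it from a workstation rather than from the DC itself: the chain is built against the trusted roots of the machine you run it on, which is exactly the question a client has to answer.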

What touches LDAP

Ok, you know me, it’s time for PowerShell. First, we need to establish which logs to use. The logs tell us what has already happened and what’s going on now. The problem with LDAP is that names change, IPs change, MAC addresses change. A lot happens.

LDAP Logs

Event Viewer → Applications and Services Logs → Directory Service

This is where you usually see the LDAP diagnostic events people talk about, especially:

  • 2886: server is configured in a way that allows unsigned/simple LDAP binds and is warning you about it.
  • 2887: summary count of how many unsigned LDAP binds happened since the last 24-hour reporting window.
  • 2888: summary count of clients that would be rejected if LDAP signing were required.
  • 2889: the useful one. It can show the client IP and the account identity used for an unsigned LDAP bind attempt, but only after you enable the 16 LDAP Interface Events diagnostic setting to at least Basic.
  • 1644: logs certain LDAP queries, especially expensive, inefficient, or slow ones when diagnostic logging is enabled. Microsoft also notes this event is used for visibility into LDAP activities on domain controllers. AKA the machine behind the machine.

LDAPS logs are the same, but you can also look in the Security and System logs for TLS events.

PowerShell

If you are like me, you hate digging for logs. This is why I like my PowerShell scripts. They make life easier. Since 2889 is the one that gives us the most useful information, this PowerShell is for that event.

Function Get-LDAPUnsignedBindEvents {
    [CmdletBinding()]
    param (
        [string[]]$ComputerName,                                   # domain controllers to query
        [int]$DaysBack = 7,                                        # how far back to look
        [System.Management.Automation.PSCredential]$Credential     # optional alternate credentials
    )

    $StartTime = (Get-Date).AddDays(-($DaysBack))

    foreach ($Computer in $ComputerName) {
        try {
            # 2889 lives in the Directory Service log and is only written once
            # "16 LDAP Interface Events" is set to Basic or higher on that DC
            $FilterHash = @{
                LogName   = 'Directory Service'
                Id        = 2889
                StartTime = $StartTime
            }

            if ($PSBoundParameters.ContainsKey('Credential')) {
                Get-WinEvent -ComputerName $Computer -Credential $Credential -FilterHashtable $FilterHash |
                    Select-Object MachineName, TimeCreated, Id, LevelDisplayName, Message
            }
            else {
                Get-WinEvent -ComputerName $Computer -FilterHashtable $FilterHash |
                    Select-Object MachineName, TimeCreated, Id, LevelDisplayName, Message
            }
        }
        catch {
            # Get-WinEvent also throws when nothing matches, so "no events found" lands here too
            Write-Warning "Unable to pull LDAP events from $Computer. $_"
        }
    }
}
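Two helpers that go with the function above, as an added example (my code, not from the original post). The first reads or raises the "16 LDAP Interface Events" diagnostic level that 2889 depends on, using the NTDS Diagnostics registry key Microsoft documents for it. The second turns the raw Message text of each 2889 event into client IP and identity rows and counts them, so you get a list of who is binding unsigned instead of a wall of text. The sample events at the bottom are constructed so the parser can be tried offline.

```powershell
# Added example (not from the original post). Diagnostic level + 2889 parser.
$LdapDiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$LdapDiagValue = '16 LDAP Interface Events'   # 0 = off, 2 = Basic (needed for 2889)

function Get-LdapInterfaceEventLevel {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $sb = { param($Key, $Name) (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $sb $LdapDiagKey $LdapDiagValue }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb -ArgumentList $LdapDiagKey, $LdapDiagValue }
}

function Set-LdapInterfaceEventLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ComputerName = $env:COMPUTERNAME, [ValidateRange(0, 5)][int]$Level = 2)
    if ($PSCmdlet.ShouldProcess($ComputerName, "Set '$LdapDiagValue' to $Level")) {
        $sb = { param($Key, $Name, $Value) Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord }
        if ($ComputerName -eq $env:COMPUTERNAME) { & $sb $LdapDiagKey $LdapDiagValue $Level }
        else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb -ArgumentList $LdapDiagKey, $LdapDiagValue, $Level }
    }
}

function ConvertFrom-Ldap2889Event {
    # Pulls the three fields out of the event text using the labels the DC writes.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $text = [string]$Event.Message
        $ip   = if ($text -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { $null }
        $id   = if ($text -match '(?s)Identity the client attempted to authenticate as:\s*(.+?)\s*Binding Type:') { $Matches[1].Trim() } else { $null }
        $type = if ($text -match 'Binding Type:\s*(\d+)') { [int]$Matches[1] } else { $null }
        # The address is logged as ip:port; drop the ephemeral port so rows group by client
        $clientIp = if ($ip -match '^\[(.+)\]:\d+$') { $Matches[1] } elseif ($ip -match '^(.+):\d+$') { $Matches[1] } else { $ip }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            DC          = $Event.MachineName
            ClientIP    = $clientIp
            Identity    = $id
            BindingType = $type   # reported as logged; see Microsoft's 2889 description for what each value means
        }
    }
}

function Get-LdapUnsignedBindSummary {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    begin { $rows = @() }
    process { $rows += ($Event | ConvertFrom-Ldap2889Event) }
    end {
        $rows | Group-Object ClientIP, Identity | ForEach-Object {
            $sorted = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                ClientIP  = $sorted[0].ClientIP
                Identity  = $sorted[0].Identity
                Binds     = $_.Count
                FirstSeen = $sorted[0].TimeCreated
                LastSeen  = $sorted[-1].TimeCreated
                DCs       = ($sorted.DC | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Binds -Descending
    }
}

# Constructed sample events in the shape Get-LDAPUnsignedBindEvents returns (not real data)
function New-Sample2889 ($Dc, $When, $Ip, $Identity, $Type) {
    $msg = "The following client performed an LDAP bind without requesting signing.`r`n`r`n" +
           "Client IP address:`r`n$Ip`r`nIdentity the client attempted to authenticate as:`r`n$Identity`r`nBinding Type:`r`n$Type"
    [pscustomobject]@{ MachineName = $Dc; TimeCreated = Get-Date $When; Message = $msg }
}
$Sample2889 = @(
    (New-Sample2889 'DC01' '2024-05-01 08:00' '10.10.20.5:51022' 'CORP\svc-vpn'  0),
    (New-Sample2889 'DC01' '2024-05-01 08:05' '10.10.20.5:51040' 'CORP\svc-vpn'  0),
    (New-Sample2889 'DC02' '2024-05-01 09:10' '10.10.30.7:40012' 'CORP\scanner'  1),
    (New-Sample2889 'DC01' '2024-05-01 09:20' '[fd00::1a]:49200' 'CORP\justin'   0)
)
$Sample2889 | Get-LdapUnsignedBindSummary | Format-Table -AutoSize

# Real usage, feeding the post's function into the summary:
# Set-LdapInterfaceEventLevel -ComputerName DC01 -Level 2 -WhatIf
# Get-LDAPUnsignedBindEvents -ComputerName DC01, DC02 -DaysBack 7 | Get-LdapUnsignedBindSummary
```

The summary is the thing to hand to whoever owns each source address: one row per client and account, with first and last seen, is what you need before flipping LDAP signing to required.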

Looking at the process

The other way to find what touches LDAP is by looking at the process itself. Here is the PowerShell for that.

Function Find-LDAPConnections {
    [CmdletBinding()]
    param (
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [System.Management.Automation.PSCredential]$Credential
    )

    # 389/636 = LDAP/LDAPS, 3268/3269 = global catalog LDAP/LDAPS.
    # The scriptblock below defines its own copy because it runs remotely and
    # cannot see this variable.
    $Ports = 389,636,3268,3269

    foreach ($Computer in $ComputerName) {
        try {
            $ScriptBlock = {
                $Ports = 389,636,3268,3269

                # Get-NetTCPConnection needs the NetTCPIP module (Windows 8 / Server 2012 and later)
                $Connections = Get-NetTCPConnection -State Established |
                    Where-Object {
                        $_.RemotePort -in $Ports -or $_.LocalPort -in $Ports
                    } |
                    Select-Object `
                        @{Name = 'ComputerName'; Expression = { $env:COMPUTERNAME } },
                        @{Name = 'Direction'; Expression = {
                            # remote port is LDAP: this box is the client; local port is LDAP: this box is the server
                            if ($_.RemotePort -in $Ports) { 'Outbound to LDAP' }
                            elseif ($_.LocalPort -in $Ports) { 'Inbound LDAP' }
                            else { 'Unknown' }
                        }},
                        State,
                        LocalAddress,
                        LocalPort,
                        RemoteAddress,
                        RemotePort,
                        OwningProcess,
                        @{Name = 'ProcessName'; Expression = {
                            # the process may have exited between the two calls
                            try {
                                (Get-Process -Id $_.OwningProcess -ErrorAction Stop).ProcessName
                            }
                            catch {
                                'Unknown'
                            }
                        }}

                $Connections | Sort-Object ProcessName, RemoteAddress, RemotePort
            }

            if ($Computer -eq $env:COMPUTERNAME) {
                # local run, no WinRM needed
                & $ScriptBlock
            }
            else {
                if ($PSBoundParameters.ContainsKey('Credential')) {
                    Invoke-Command -ComputerName $Computer -Credential $Credential -ScriptBlock $ScriptBlock
                }
                else {
                    Invoke-Command -ComputerName $Computer -ScriptBlock $ScriptBlock
                }
            }
        }
        catch {
            Write-Warning "Unable to capture LDAP connections from $Computer. $_"
        }
    }
}

Proxy

The next way to do this is to set up a proxy in front of the LDAP server to see what is hitting it, like a man in the middle. In terms of what touches LDAP, I think this is the best approach. There are hundreds of tutorials out there for that one.

Your Firewall

The next thing you can do is look into your firewall logs. Look for the ports and marry that to the other items.
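For the Windows Firewall on the DC itself, the log is a plain text file, so the "look for the ports" step can be a script. This is an added example (my code, not from the original post): it parses the W3C-style header and rows Windows writes to pfirewall.log, keeps TCP traffic to the LDAP ports, and counts it by source. The log lines at the bottom are constructed so it runs offline; the log path and the Set-NetFirewallProfile call to turn logging on are the standard ones.

```powershell
# Added example (not from the original post): LDAP-port traffic out of the
# Windows Firewall log, summarized by source address. Sample lines are constructed.
$LdapPorts = 389, 636, 3268, 3269

function ConvertFrom-PfirewallLog {
    # Turns pfirewall.log lines into objects named after the #Fields: header
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    begin { $fields = $null }
    process {
        if ($Line -like '#Fields:*') {
            $fields = $Line.Substring('#Fields:'.Length).Trim() -split '\s+'
            return
        }
        if ($Line -like '#*' -or -not $Line.Trim()) { return }   # other header lines, blanks
        if (-not $fields) { return }                              # no header seen yet
        $values = $Line.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-LdapTrafficSummary {
    param([Parameter(Mandatory)][string[]]$Lines, [int[]]$Ports = $LdapPorts)
    $Lines | ConvertFrom-PfirewallLog |
        Where-Object { $_.protocol -eq 'TCP' -and ([int]$_.'dst-port') -in $Ports } |
        Group-Object 'src-ip', 'dst-ip', 'dst-port', 'action' |
        ForEach-Object {
            $g = $_.Group[0]
            [pscustomobject]@{
                Source     = $g.'src-ip'
                LdapServer = $g.'dst-ip'
                Port       = [int]$g.'dst-port'
                Action     = $g.action          # ALLOW or DROP
                Hits       = $_.Count
                Path       = ($_.Group.path | Sort-Object -Unique) -join ','   # RECEIVE = inbound to this host
            }
        } | Sort-Object Hits -Descending
}

# Constructed sample in the format Windows writes (header plus a few rows)
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 08:00:01 ALLOW TCP 10.10.20.5 10.10.1.10 51022 389 0 - 0 0 0 - - - RECEIVE
2024-05-01 08:00:05 ALLOW TCP 10.10.20.5 10.10.1.10 51023 389 0 - 0 0 0 - - - RECEIVE
2024-05-01 08:01:10 ALLOW TCP 10.10.30.7 10.10.1.10 40012 636 0 - 0 0 0 - - - RECEIVE
2024-05-01 08:02:00 DROP TCP 192.0.2.44 10.10.1.10 6000 389 0 - 0 0 0 - - - RECEIVE
2024-05-01 08:02:30 ALLOW UDP 10.10.20.5 10.10.1.10 51024 53 0 - - - - - - - SEND
'@ -split "`r?`n"

Get-LdapTrafficSummary -Lines $SampleLog | Format-Table -AutoSize

# Real usage. Logging is off by default; turn it on for the profile the DC sits in, then read the file:
# Set-NetFirewallProfile -Name Domain -LogAllowed True -LogBlocked True
# Get-LdapTrafficSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Marrying it to the other items is then a join on Source: the same addresses should show up in the 2889 list (if they bind unsigned) and in the Find-LDAPConnections output on the client side, and anything that only appears here is a host you have not identified yet.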

What can we learn as a person

As we move forward with newer technologies, we have to adapt and adjust. In a world of fast-moving data and AI, things are changing faster than us humans can keep up. This scares people. Older products like LDAP slowly fade into oblivion, and it’s a race to keep up. This speed was going to happen whether we liked it or not. The number of humans who have been on this planet just keeps adding up. Our brains were not designed to keep up with it all. So sometimes, it’s best to target one thing and work on that one thing instead of 1000 things.

The next 15 years are going to be insane. Things will change every day. We will have leaders that will act out because of the chaos. The old ways will die, and if you can’t adapt, then you will fall into the death spiral. This is just history repeating itself. Each time it has happened, it’s gotten more extreme. When the wheel came about, the world changed; it was very small, but it grew. Those who didn’t use the wheel to plow their fields were outdone by those who had them. The chariots changed how we got from place to place. The written word allowed us to share knowledge. The printing press took the written word from a small handful of people to most of the world. The phone and steam engine changed how we connected ideas. The internet and computers gave us… so so much. Nuclear power gave us the ability to jump into something much greater. Each time we move, it’s always been Power, Communication, and Transportation.

The world of AI

We are now entering a new phase. The last phase interconnected the world in a way that has never happened, created full cultures and markets that never existed before, and closed a lot of smaller local things like mom-and-pop shops. It also gave everyone on earth access to It gave us the ability to travel across the world within a week. Now we are here with AI and electric cars. The only thing missing to push us forward is power. Power is also what is costing us the most right now. Within the next 15 years, we will see massive changes. It will take away from so many but give back to so many. When it’s said and done, we are still going to be around each other. It’s important to see each other as we are and not shame each other.