LDAP Port 389 vs Port 636
Quick Definition: LDAP port 389 is the default port for unencrypted LDAP communication, typically used for directory-related data exchange. In contrast, LDAP port 636 is the encrypted counterpart, ensuring secure transmission of data related to network accounts. It's generally recommended that port 636 is used for enhanced security.
LDAP (Lightweight Directory Access Protocol) Encryption may not be needed for internal network services with low-security risks. Instead, focusing on efficient data transfer without excessive computational overhead may be wiser. Whether or not encryption is necessary is an important consideration and consistently appears on the Network+ exam.
That’s why this article focuses on LDAP ports 389 vs 636, and how you can benefit from knowing the difference. First, let’s get into a common understanding of LDAP.
What is LDAP?
LDAP is a protocol used to manage and access directory information services. Often it is used for central authentication, user management, and storing hierarchical data like addresses in a network. The following section will walk through LDAP in more detail.
Lightweight Directory Access Protocol Explained
As an organization expands, managing a diverse workforce becomes increasingly difficult. For instance, an international organization may have five locations in two countries. Then, each location has several departments with a hundred employees, and after a while, it can become challenging to manage.
LDAP provides a structured, centralized location to manage all entities related to the organization predictably and hierarchically. LDAP is simply a protocol that organizes information in a way a directory service can understand. It is not software in and of itself. Therefore, do not think of it as a “technology.” Think of it as a way of organizing digital information.
While the hierarchy above is customizable to a certain extent, LDAP does require adherence to certain conventions to facilitate interoperability. For example, Distinguished Name (DN) is a necessary component of LDAP, which serves as a unique identifier for a person or device on the network. With that in mind, let’s talk about how LDAP is managed.
What Does It Mean to Manage Directory Services?
Managing a directory service means ensuring the LDAP hierarchy is created in a sensible, compelling manner that takes full advantage of LDAP’s capabilities.
LDAP plays a critical component in numerous functions within an organization. So, effective directory service management includes the following topics:
Access and Authentication: LDAP plays a role in validating credentials sent to the LDAP server. The username provided is verified against the Active Directory to ensure lawful access.
User Management: Creating, deleting, and modifying user accounts is necessary for directory services.
Integration: All devices on the network must be able to read the LDAP protocols as designed. For example, Outlook uses LDAP whenever someone searches for a user using “Address Book.” Part of effective management is ensuring that integration works seamlessly for the end user.
These are just three of the many responsibilities of a directory service manager. Now that we know the purpose of LDAP, let’s discuss how it works.
How Does LDAP Work?
LDAP works by sending standardized instructions from a client to an LDAP server. The goal is to access and interact with directory information. The client, such as a Microsoft Teams app, initiates a request.
For instance, searching for "John Doe." The LDAP server maintains a Directory Information Tree (DIT), which represents the hierarchy of entries. Each entry has a Distinguished Name (DN), like:
CN=John Doe,OU=Users,DC=example,DC=com.
This DN uniquely identifies the entry's location. The LDAP server traverses the DIT efficiently to locate the requested user and associated information. It's not just about organization; it's about accessing and retrieving data within a structured framework.
The following are the most common procedures LDAP uses:
Bind: verify the authenticity of a user against the LDAP server. For example, logging into the server at the start of your work day.
Search: Search for specific entries based on some criteria. This could be searching for a user in Skype for business or the Outlook Address book.
Add: Delete a user or roles to Active Directory
Modify: Change aspects of an entity on Active Directory
Delete: Delete a user from Active Directory
It is important to note here that Active Directory is one example of directory software. Others use LDAP, such as openLDAP, which will be discussed later.
Does LDAP Use TCP/IP?
Yes, LDAP uses TCP/IP, particularly if it is using the unencrypted port of 389. If LDAP is encrypted, then it uses TLS on port 636. Both TCP and TLS are the same thing; only TLS is secure, and the other is not.
What Ports are Assigned to LDAP?
Port 389 is the default LDAP port without encryption. Port 636 is the default encrypted LDAP port. It is important to note network engineers can change these ports if the need arises.
Standardizing ports enables interoperability, as it allows firewalls to be configured with conventional assumptions in mind. With that overview of LDAP, let’s dive into port 389.
What is LDAP Port 389?
LDAP port 389 is the default port used to listen for LDAP requests from clients. The “default port” refers to the server's port, which is listening for requests. The client, on the other hand, could have the port number dynamically allocated.
Why is Port 389 Also Called Clear Text?
Port 389 is called “Clear Text” because the data transmitted is plain text. Anyone can see the data passing with a packet sniffer since the data is unencrypted. “Clear Text” is to contrast port 636, which leverages encryption while sending data to the LDAP server.
When using LDAP, it is important to consider whether the data passed into the server is sensitive or not. For example, it is not recommended to send login information as Clear Text.
Is Port 389 Encrypted?
No, port 389 is not encrypted. The data is sent as Clear Text, and can be read by anyone with the nerve to do so. Any data that is considered sensitive, private, or confidential should be sent through encrypted means. In the next section, we’ll talk about how to enable LDAP on port 389.
How to Enable Port 389 in Active Directory
By default, port 389 is enabled on Active Directory. So, there isn’t anything to do in terms of configuration on AD itself. However, you may need to consider setting up firewall rules to allow data to flow through that port.
Also, be advised that this is totally unencrypted. Always keep security top of mind when setting up a new network. Speaking of security, now would be a good time to go over LDAP’s other default port — port 636.
What is LDAP Port 636?
Port 636 is the encrypted port for LDAP. All LDAP servers will utilize port 636 to receive encrypted data regarding accounts on the network. In almost all cases, encrypted transmission is the most effective method to reduce a hacker's attack vector and maintain security posture.
Why is Port 636 Also Called LDAP over SSL/TLS?
Port 636 is called LDAP over SSL/TLS because it uses TLS to create a secure, encrypted connection between the server and host.
LDAP operates on Layer 7 of the OSI model, so naturally, a protocol operates below it, which is TLS.
TLS stands for Transport Layer Security and operates on the Transport Layer of the OSI model. TLS uses a three-way handshake to verify a connection is established, and that the server is ready to receive data before transmission begins.
Is Port 636 Encrypted?
Port 636 is encrypted. The type of encryption can vary depending on the version of TLS, and the negotiation between the client and server.
Generally, it will use a symmetric encryption, which has a private key on both the server and the client for decryption.
How to Enable LDAP 636
Unlike port 389, enabling port 636 takes a little more time to establish. However, the benefits obtained from encrypting your server are incalculable.
Let’s review some basic steps needed to enable port 636 on your LDAP server.
Generate a certificate. This can be self-signed or signed by a certificate authority like Entrust. Then, install it on the LDAP server.
Install the certificate on the host machines.
Enable LDAPS in Active Directory. This can be done in the AD Group Policy Manager.
Restart the LDAP server. This will allow the certificate to take effect and begin secure LDAP transmission.
Configure your firewall. Verify your firewall allows traffic through port 636.
Lastly, it is a good idea to consult official documentation and engage with the vendor before undertaking network operations.
Technologies That Rely on LDAP 389 and LDAP 636
The technologies that rely on LDAP 389 and LDAP 636 are nearly endless. VPNs, APIs, databases, and IAM all rely on LDAP to function properly. However, the most integral technology to rely on LDAP is Active Directory.
In this section, we’ll walk through how AD leverages LDAP for effective user management.
Active Directory and LDAP
LDAP was first adopted in 1993 at the University of Michigan. Seven years later, Microsoft would create Active Directory and use LDAP as the core protocol to structure its directory tree.
Here are a couple of the many ways AD users LDAP:
User Authentication and Authorization: The host machine sends an LDAP query to AD to verify a user is who they say they are.
Group Policies: Group Policies are modified using LDAP. Organization Units, Distinguished Names, Class Objects, and more are used to identify who should have which roles in an organization. LDAP facilitates that organized hierarchy.
Single Sign-On (SSO): Active Directory's integration with LDAP enables Single Sign-On (SSO) solutions. Applications and services can use LDAP for user authentication. This allows users to access multiple resources with a single set of credentials.
It is important to understand that LDAP is not used exclusively with AD. Let’s look at some other directory solutions that leverage this protocol.
LDS, OpenLDAP, and Other Directory Services
Often, it can be cost-effective to use solutions other than Microsoft. For example, OpenLDAP is a versatile, cross-platform solution often used in Linux environments. It is open source, so it is free to use. It may have a bit of a learning curve if you are used to AD.
LDS, on the other hand, is a Microsoft product like AD. The main difference is that it is less complex and more suitable for small organizations. It focuses on directory services while excluding the more advanced features of AD. Now that we have discussed several directory services, let’s focus on the exact differences between port 636 and port 389.
LDAP Port 389 vs Port 636
Port 389 is used for unencrypted directory-related transmission, while port 636 is for encrypted transmissions. In most cases, using encrypted LDAP in lieu of Plain Text LDAP is beneficial.
Is Security Always a Concern in Directory Services Management?
Security is always a concern in directory service management. This is why there is really no reason to use unencrypted LDAP in a production environment. One exception could be if the network was internal and there was no access to a public network. Generally, the rule of thumb is to encrypt.
User authentication plays a central role in LDAP requests, and this data must be obfuscated while in flight.
Furthermore, hackers can use unencrypted directory information to craft targeted phishing attacks. The emails sent out will seem a lot more real if actual data is used to conceal the attacker’s true motives.
A breach in security can lead to attackers obtaining personal information about employers, such as their address, salary, next of kin, and more.
LDAP Over Public Networks Needs Encryption
Public networks are prone to getting hacked because a lot of insecure data is being transmitted over WiFi. If data packets are available over a public network, they must be encrypted.
Verify each client machine has a certificate in sync with the LDAP server’s certificate. Additionally, verify firewalls have the required ports open to receive secure LDAP traffic.
Security Vulnerabilities of LDAP 389 vs 636
The security liabilities for LDAP 389 stem from its unencrypted nature. Malicious actors can easily read the data whenever it is in transit.
LDAP port 636’s vulnerabilities typically stem from user error. For instance, an expired certificate can open a door to unauthorized access. Also, if an encryption mechanism becomes outdated, it is no better than unencrypted LDAP. While this situation is rare, it has been known to happen.
Lastly, it is critical to keep the encryption keys safe. If a hacker can download the encryption key, they can easily intercept and encrypt data.
Potential Conflicts and Overlaps with LDAP 389 vs 636
LDAP can use port 389 and 636, two distinct protocols with their own characteristics and possible conflicts. In both cases, it is possible to have port conflict if multiple applications are using the same LDAP protocol.
For example, two LDAP applications could be using port 389 simultaneously and cause a conflict. However, this can be mitigated by using dynamic ports. As long as the destination port is 389, the data source doesn’t matter.
Often, these issues can be mitigated with documentation, application segregation, and regular security audits.
By following best practices and maintaining good network hygiene, you can mitigate conflicts and overlaps, ensuring LDAP communication's smooth operation and security.
Conclusion
The most important thing to remember about LDAP is that it is just a way of structuring data. LDAP is not a software, but more like a language the server and client use to communicate when referencing directories.
Also, recall that there are two distinct ports for LDAP: port 636 and port 389. Both of these are must-knows for the Network+ exam. LDAP is a critical component of the modern-day IT landscape, and the more you understand it, the more you’ll understand about networking in general.
LDAP isn’t the only port you’ll need to know. Remember to check out the differences between port 443 and port 80 to learn more.
Not a CBT Nuggets subscriber? Sign up for a 7-day free trial now!
delivered to your inbox.
By submitting this form you agree to receive marketing emails from CBT Nuggets and that you have read, understood and are able to consent to our privacy policy.