LDAP

Last updated 1 year ago

LDAP

Authentication

Bind operations are used to authenticate clients to the directory server.

Active Directory supports simple, SASL and Sicily authentication mechanisms.

When an application binds to an object in the directory, the access privileges that the application has to that object are based on the user context specified during the bind operation. For the binding functions and methods ADsGetObject, ADsOpenObject, GetObject, IADsOpenDSObject::OpenDSObject, an application can implicitly use the credentials of the caller, explicitly specify the credentials of a user account, or use an unauthenticated user context (Guest).

Simple Bind

Anonymous Authentication

The legitimate use case for this is LDAP configuration discovery.

Anonymous authentication allows anyone to fetch the root of a directory server information tree, by the Get-ADRootDSE PowerShell command for example.

rootDSE is Defined as the root of the directory data tree on a directory server and provides data about the directory server.

If fLDAPBlockAnonOps is false, anonymous users can perform any LDAP operation, subject to access checks that use the ACL mechanisms described in this section. Refer to [MS-ADTS] - Authorization.

Microsoft Learn - AD Schema RFC 4513 - Anonymous Authentication Microsoft Learn - Get-ADRootDSE Devolutions - Why Active Directory LDAP Unauthenticated Binds Should Be Disabled, and How to Disable It

Unauthenticated Authentication

It is possible to disable LDAP unauthenticated binds starting from Windows server 2019.

Many servers require that if an empty password is provided then an empty DN must also be given now.

SASL Authentication

Simple authentication and security layer. SASL can use other security layer frameworks like Kerberos for authentication.

Searching in AD

Searching in AD is a matter of

finding a Domain Controller (DC),
binding to the object where the search should begin in the directory,
submitting a query, and
processing the results.

Binding

In Active Directory Domain Services, the act of associating a programmatic object with a specific Active Directory Domain Services object is known as binding.

Name in Bind Request

Active Directory accepts several forms of name in the name field of the BindRequest.

The DN of the object
The user principal name (UPN) of the object.
- A value of the userPrincipalName attribute or
- The value of the sAMAccountName attribute + @ +
  - The DNS name of a domain in the same forest as the object or
  - A value in the uPNSuffixes attribute of the Partitions container in the config NC replica.
The NetBIOS domain name, followed by a backslash (""), followed by the value of the sAMAccountName attribute
The canonical name of the object.
The value of the objectGUID attribute
The value of the displayName attribute
A value of the servicePrincipalName attribute
A value V that, when the MapSPN(V, M) algorithm of [MS-DRSR] section 4.1.4.2.19 is applied to it, corresponds to a value of the servicePrincipalName attribute of the object. M is the value of the sPNMappings attribute of the nTDSService object.
The value of the objectSid attribute
A value from the sIDHistory attribute
The canonical name of the object in which the rightmost forward slash (/) is replaced with a newline character (\n).

If the name field of the BindRequest maps to a single object using the attempted name form, the password on that object is checked.

APIs

The method for programmatically binding to an Active Directory object will depend on the programming technology that is used.

Programming technology

For more information

ADSI

Active Directory Service Interfaces (ADSI) is a set of COM interfaces used to access the features of directory services from different network providers.

Services can publish themselves in a directory, clients can use the directory to find the services, and both can use the directory to find and manipulate other objects of interest.

Microsoft Learn - Active Directory Service Interfaces

LDAP

LDAP is the only system-supplied Active Directory Service Interfaces (ADSI) provider that supports directory searching.

System.DirectoryServices

Authorization

Active Directory provides access control, the mechanisms LDAP security model does not include, in the form of access control lists (ACLs) on directory objects.

Anonymous User

If the fLDAPBlockAnonOps heuristic of the dSHeuristics attribute (see section 6.1.1.2.4.1.2) is true, anonymous (unauthenticated) users are limited to performing rootDSE searches and binds. If fLDAPBlockAnonOps is false, anonymous users can perform any LDAP operation, subject to access checks that use the ACL mechanisms.

Tools

ldapsearch

Here we use ldapsearch with anonymous authentication to fetch the roo. of a directory server information tree.

$ ldapsearch -H ldap://<IP> -x -s base -b ''

C#

Build LDAP filter to look for users with SPN values registered for current domain.

$ldapFilter = "(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"

$results = $search.FindAll()

$Results = foreach ($result in $results)
{
	$result_entry = $result.GetDirectoryEntry()
 
	$result_entry | Select-Object @{
		Name = "Username";  Expression = { $_.sAMAccountName }
	}, @{
		Name = "SPN"; Expression = { $_.servicePrincipalName | Select-Object -First 1 }
	}
}
 
$Results

Netwrix - Use DirectorySearcher to get account with SPN Microsoft Learn - DirectorySearcher Class

Usage

Third-party Service

Third-party applications that integrate with AD usually use LDAP to authenticate users.

These services often store their AD credential in plain text in configuration files.

Reference

Netwrix - LDAP Reconnaissance

PreviousDomain Service NextAD Objects

Last updated 1 year ago