7.10 Communications Security

The Active Directory system relies on messages passed across the network between the client and the directory service. The system does not require this network to be fully trusted and allows for the possibility that a hostile party might be able to intercept such messages while they are in transit. In the Active Directory system, LDAP is designed to protect against two key attacks from such an attacker:

  • Eavesdropping on the messages to learn information to which the attacker is not intended to have access.

  • Altering the request or response messages to cause the directory service or client, respectively, to take action based on information supplied by the attacker.

To protect against these attacks, the system uses transport- and message-level security features to protect traffic between the clients and the directory service. Transport-level security protects the entire transport, effectively creating a protected "tunnel" between the client and directory service through which the messages are sent, protecting the confidentially and integrity of the messages sent over the tunnel. Message-level security encrypts and/or digitally signs each individual message to provide confidentially and integrity of the message, respectively.

The following table summarizes the security mechanisms used for LDAP and includes references to the relevant details.

Transport- and Message-Level Security Features

Protocol

Mechanisms

Reference

LDAP

Transport-level

Protection is provided by signing and encryption over a Secure Sockets Layer/Transport Layer Security (TLS) (SSL/TLS)-protected connection.

Section 5.1.2.2, Using SSL/TLS, of this document

Message-level

Protection is provided by signing and/or encryption using SASL.

Section 5.1.2.1, Using SASL, of this document

In addition to these mechanisms for protecting desirable traffic between the client and the server, LDAP also has mechanisms for rejecting undesirable traffic, that is, traffic that has been judged as potentially harmful to the directory service. The following table lists a summary of the mechanisms used for LDAP and a reference to further information. Note that these mechanisms are in addition to any access checks (section 7.9) that are performed by the protocol.

Additional Security Mechanisms

Protocol

Mechanisms

Reference

LDAP

LDAP Policies: establish limits on the size of the operations that a client can request.

Section 3.1.1.3.4.6, LDAP Policies, of this document

LDAP IP Deny List: provides a configurable list of IPv4 addresses from which the directory service will ignore requests.

Section 3.1.1.3.4.8, LDAP IP-Deny List, of this document