LDAP Tools

NetCraftsmen®

Overview

LDAP is an open standard application protocol that provides a directory structure for housing information. It is most often seen in Microsoft Active Directory. In that context, LDAP provides valuable information about users and computers within the domain. Network security tools can use this information to define end user privileges and monitoring more granularly. Here are some common ways that LDAP is used in network security appliances:

  • Ironport Web Appliance uses LDAP queries to determine if an identity rule allows the end user to access a website.
  • Cisco NAC Appliance uses LDAP queries to determine the role a user should be added to based on the LDAP group they belong to.
  • Cisco ASA Dynamic Access Protocol (DAP) uses LDAP to determine the access a user should have.

It is important to be able to test existing LDAP functionality in order to use the data successfully within the network security appliances. I have dealt with a number of different tools to gather the information. I would like to present the tools I’ve used and then provide an example of the output that the different tools provide when searching on a particular computer and user. The Active Directory structure that is used in the examples is shown below.

The user “cisco” will be used as an example.

The computer “WORKSTATION1” will be used as an example.

Tools

LDAPBrowser

LDAP Browser is a tool created by Softerra that gives a graphical view of the LDAP tree. Use the following steps to get started.

1. Download Softerra LDAP Browser.

2. Click “File > New Profile”.

3. Choose a name for the profile and click Next.

4. Fill in the appropriate data. The host is the IP address of the domain controller. The base DN is the name of the domain. In the example below the domain is lab.local, which is designated as “dc=lab,dc=local”.

5. Enter user credentials. This can be a normal user without any admin rights.

6. Leave the remaining parameters at their defaults.

7. The LDAP tree structure should now be shown.

ldapsearch

ldapsearch is the OpenLDAP command-line tool used to search an LDAP directory. Many security appliances run Linux on the back end, and ldapsearch is normally among the utilities included; this is true of the NAC Appliance.

1. SSH into the Linux server that has ldapsearch installed.

2. Enter an ldapsearch command to search for entries. More information about the syntax can be found by typing “man ldapsearch”. Note that -w places the bind password on the command line, where it is visible in the process list and shell history; -W prompts for it instead, and -y reads it from a file.

[root@nacserver ~]# ldapsearch -x -LLL -h 10.1.1.110 -D cisco -w cisco -b "cn=computers,dc=lab,dc=local" -s sub "(cn=*)" | more

dn: CN=Computers,DC=lab,DC=local
objectClass: top
objectClass: container
cn: Computers
description: Default container for upgraded computer accounts
distinguishedName: CN=Computers,DC=lab,DC=local
instanceType: 4
whenCreated: 20101003142134.0Z
whenChanged: 20101003142134.0Z
uSNCreated: 4305
uSNChanged: 4305
showInAdvancedViewOnly: FALSE
name: Computers
objectGUID:: 7w8U3iljVkaBDSdfy6DgNw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lab,DC=local
isCriticalSystemObject: TRUE

dn: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WORKSTATION1
distinguishedName: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
instanceType: 4
whenCreated: 20101003145430.0Z
whenChanged: 20101103092653.0Z
displayName: WORKSTATION1$
uSNCreated: 14016
uSNChanged: 33957
name: WORKSTATION1
objectGUID:: n0W/aswsX0unH0ztcZZ4Xw==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129347220433437500
localPolicyFlags: 0
pwdLastSet: 129332500133281250
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAAdvbrYC+UGR9bSVqWwQAAA==
accountExpires: 9223372036854775807
logonCount: 8
sAMAccountName: WORKSTATION1$
sAMAccountType: 805306369
operatingSystem: Windows XP Professional
operatingSystemVersion: 5.1 (2600)
operatingSystemServicePack: Service Pack 2
dNSHostName: WORKSTATION1.lab.local
servicePrincipalName: HOST/WORKSTATION1
servicePrincipalName: HOST/WORKSTATION1.lab.local
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=lab,DC=local
isCriticalSystemObject: FALSE

ADSI Edit

ADSI Edit is a tool that is included with the Microsoft Support Tools. It is similar to the other Microsoft tool, LDP. Use the following steps to use it.

1. Download ADSI Edit using the Microsoft Support Tools. Different versions need to be downloaded based on the Microsoft OS that is used. See the references for more details on the correct version to use.

2. Click “Start > Run…” and enter “adsiedit.msc”.

3. Click “Actions > Connect to…”.

4. Fill in the parameters pertaining to the domain controllers. An example is shown below.

5. View the LDAP tree.

LDP

LDP is a tool that is included with the Microsoft Support Tools. It is similar to the other Microsoft tool, ADSI Edit. Complete the following steps to use it.

1. Download LDP using the Microsoft Support Tools. Different versions need to be downloaded based on the Microsoft OS that is used. See the references for more details on the correct version to use.

2. Open a cmd prompt and type “ldp”.

3. Click “Connect…” and define the domain controller to connect to.

4. Click “Bind…” and add the credentials and domain to bind to, based on the “Connect…” entry.

5. Click “View > Tree”.

6. Select the options based on the base domain and object class to view.

7. Navigate through the tree and view the appropriate entries.

Discovering LDAP Information for Computer “Workstation1”

In this scenario, we are looking for details on the computer named Workstation1.  The screenshots below show the information that each of the tools displays.

LDAPBrowser

ldapsearch

[root@nacserver ~]# ldapsearch -x -LLL -h 10.1.1.110 -D cisco -w cisco -b "cn=computers,dc=lab,dc=local" -s sub "(cn=WORKSTATION1)" | more

dn: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WORKSTATION1
distinguishedName: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
instanceType: 4
whenCreated: 20101003145430.0Z
whenChanged: 20101103092653.0Z
displayName: WORKSTATION1$
uSNCreated: 14016
uSNChanged: 33957
name: WORKSTATION1
objectGUID:: n0W/aswsX0unH0ztcZZ4Xw==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129347220433437500
localPolicyFlags: 0
pwdLastSet: 129332500133281250
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAAdvbrYC+UGR9bSVqWwQAAA==
accountExpires: 9223372036854775807
logonCount: 8
sAMAccountName: WORKSTATION1$
sAMAccountType: 805306369
operatingSystem: Windows XP Professional
operatingSystemVersion: 5.1 (2600)
operatingSystemServicePack: Service Pack 2
dNSHostName: WORKSTATION1.lab.local
servicePrincipalName: HOST/WORKSTATION1
servicePrincipalName: HOST/WORKSTATION1.lab.local
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=lab,DC=local
isCriticalSystemObject: FALSE

ADSI Edit

LDP

Discovering LDAP Information for User “Cisco”

LDAPBrowser

ldapsearch

[root@nacserver ~]# ldapsearch -x -LLL -h 10.1.1.110 -D cisco -w cisco -b "cn=users,dc=lab,dc=local" -s sub "(cn=cisco)" | more

dn: CN=cisco,CN=Users,DC=lab,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: cisco
userCertificate:: MIIF9DCCBNygAwIBAgIKHiqObQAAAAABWDANBgkqhkiG9w0BAQUFADBGMRUw


givenName: cisco
distinguishedName: CN=cisco,CN=Users,DC=lab,DC=local
instanceType: 4
whenCreated: 20101031213342.0Z
whenChanged: 20101120200357.0Z
displayName: cisco
uSNCreated: 33665
uSNChanged: 41458
name: cisco
objectGUID:: ZpYR2s43XU+WJb6kvj3zdA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129347569507031250
pwdLastSet: 129330344223125000
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAAdvbrYC+UGR9bSVqYgQAAA==
accountExpires: 9223372036854775807
logonCount: 9
sAMAccountName: cisco
sAMAccountType: 805306368
userPrincipalName: cisco@lab.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
mail: cisco@lab.local
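The ldapsearch output above leaves several Active Directory values opaque: objectSid is base64-encoded binary, lastLogon and accountExpires are FILETIME tick counts, and userAccountControl is a bit mask. The following Python script is an added example, not code from the original article; it decodes those fields from the WORKSTATION1 entry so the account state (trust type, password-never-expires, last logon) can be checked before an appliance relies on it. The bit values are Microsoft-documented constants; the function names parse_ldif, sid_to_string, filetime_to_datetime and describe are my own.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone
# Microsoft-documented userAccountControl bits relevant to the entries on this page
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT",
             0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}
NEVER = 9223372036854775807  # accountExpires value meaning "never expires"

def parse_ldif(text):
    """Parse one ldapsearch -LLL entry into {attribute: [values]}; '::' values are base64."""
    entry = {}
    for line in text.strip().splitlines():
        if ":: " in line:
            attr, raw = line.split(":: ", 1)
            entry.setdefault(attr, []).append(base64.b64decode(raw))
        elif ": " in line:
            attr, raw = line.split(": ", 1)
            entry.setdefault(attr, []).append(raw)
    return entry

def sid_to_string(blob):
    """Binary objectSid -> S-1-5-21-...: revision, 48-bit big-endian authority, LE sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def filetime_to_datetime(value):
    """AD FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 and the max sentinel mean 'never'."""
    ticks = int(value)
    if ticks in (0, NEVER):
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def describe(entry):
    uac = int(entry["userAccountControl"][0])  # decode the bit mask into flag names
    return {"dn": entry["dn"][0],
            "sid": sid_to_string(entry["objectSid"][0]),
            "uac_flags": [name for bit, name in UAC_FLAGS.items() if uac & bit],
            "lastLogon": filetime_to_datetime(entry["lastLogon"][0]),
            "accountExpires": filetime_to_datetime(entry["accountExpires"][0])}

# Constructed sample: the attributes of interest copied from the WORKSTATION1 entry above
SAMPLE = """dn: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
userAccountControl: 4096
lastLogon: 129347220433437500
objectSid:: AQUAAAAAAAUVAAAAAdvbrYC+UGR9bSVqWwQAAA==
accountExpires: 9223372036854775807
"""
```

Running describe(parse_ldif(SAMPLE)) shows the machine account's SID ending in its RID, a single WORKSTATION_TRUST_ACCOUNT flag, a last logon on 2010-11-20 UTC, and no expiry; feeding it the cisco user entry instead reveals DONT_EXPIRE_PASSWORD on the account the appliances bind with.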

ADSI Edit

LDP

References

Cisco NAC Profiler Reference to ADSIEdit: Guide on using ADSI Edit to configure the Cisco NAC Profiler for LDAP polling.
Microsoft ADSI Edit Reference: Reference on installing and using ADSI Edit.
Microsoft Support Tools Description: Microsoft site explaining the tools provided in the Microsoft Support Tools download package.
Microsoft Support Tools: Microsoft download site for the Windows XP and Windows 2003 Support Tools package, including LDP, ADSI Edit, ktpass, and other tools. These tools support Windows XP and Windows 2003 SP2.
Microsoft Support Tools download site for Windows Vista and Windows 7: Support Tools package including LDP, ADSI Edit and other tools for Windows Vista and Windows 7. It is included by default on Windows 2008 domain controllers.
Softerra LDAP Browser: LDAP Browser.
LDP Microsoft reference: Microsoft reference on LDP.
LDAPsearch man page: OpenLDAP ldapsearch man page.
