Overview
LDAP is an open-standard application protocol that provides a directory structure for storing information. It is most often encountered in Microsoft Active Directory, where it exposes valuable information about the users and computers within the domain. Network security tools can use this information to define end-user privileges and monitoring more granularly. Here are some common ways that LDAP is used in network security appliances:
- Ironport Web Appliance uses LDAP queries to determine if an identity rule allows the end user to access a website.
- Cisco NAC Appliance uses LDAP queries to determine the role a user should be added to based on the LDAP group they belong to.
- Cisco ASA Dynamic Access Protocol (DAP) uses LDAP to determine the access a user should have.
It is important to be able to test existing LDAP functionality in order to use the directory data successfully within the network security appliances. I have dealt with a number of different tools to gather this information. I would like to present the tools I've used and then provide an example of the output that each tool produces when searching for a particular computer and user. The Active Directory structure used in the examples is shown below.
The user “cisco” will be used as an example.
The computer “WORKSTATION1” will be used as an example.
Tools
LDAPBrowser
This is a tool created by Softerra that provides a graphical view of the LDAP tree. Use the following steps to get started.
1. Download Softerra LDAP Browser
2. Click “File > New Profile”
3. Choose a name for the profile and click Next.
4. Fill in the connection details. The host is the IP address of a domain controller. The base DN is the domain name written as LDAP domain components; in the example below the domain is lab.local, which is designated as "dc=lab,dc=local".
5. Enter user credentials. This can be just a normal user without any admin rights.
6. Leave the remaining parameters at their defaults.
7. The LDAP tree structure should now be shown.
LDAPSearch
ldapsearch is the OpenLDAP command-line tool for searching an LDAP directory. Many security appliances run Linux on the back end, and ldapsearch is normally among the utilities included. This is true of the NAC Appliance.
1. SSH into the Linux server that has ldapsearch installed.
2. Enter an ldapsearch command to search for entries. More information about the syntax can be found by typing "man ldapsearch".
[root@nacserver ~]# ldapsearch -x -LLL -h 10.1.1.110 -D cisco -w cisco -b "cn=computers,dc=lab,dc=local" -s sub "(cn=*)" | more
dn: CN=Computers,DC=lab,DC=local
objectClass: top
objectClass: container
cn: Computers
description: Default container for upgraded computer accounts
distinguishedName: CN=Computers,DC=lab,DC=local
instanceType: 4
whenCreated: 20101003142134.0Z
whenChanged: 20101003142134.0Z
uSNCreated: 4305
uSNChanged: 4305
showInAdvancedViewOnly: FALSE
name: Computers
objectGUID:: 7w8U3iljVkaBDSdfy6DgNw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lab,DC=local
isCriticalSystemObject: TRUE

dn: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WORKSTATION1
distinguishedName: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
instanceType: 4
whenCreated: 20101003145430.0Z
whenChanged: 20101103092653.0Z
displayName: WORKSTATION1$
uSNCreated: 14016
uSNChanged: 33957
name: WORKSTATION1
objectGUID:: n0W/aswsX0unH0ztcZZ4Xw==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129347220433437500
localPolicyFlags: 0
pwdLastSet: 129332500133281250
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAAdvbrYC+UGR9bSVqWwQAAA==
accountExpires: 9223372036854775807
logonCount: 8
sAMAccountName: WORKSTATION1$
sAMAccountType: 805306369
operatingSystem: Windows XP Professional
operatingSystemVersion: 5.1 (2600)
operatingSystemServicePack: Service Pack 2
dNSHostName: WORKSTATION1.lab.local
servicePrincipalName: HOST/WORKSTATION1
servicePrincipalName: HOST/WORKSTATION1.lab.local
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=lab,DC=local
isCriticalSystemObject: FALSE
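The filter argument to ldapsearch deserves care whenever the value comes from somewhere else, for example a user name or host name supplied at logon, which is exactly what the appliances listed above look up. The Python below is an added example, not part of this document or of OpenLDAP: it escapes a filter value as RFC 4515 requires, builds the "(cn=WORKSTATION1)" style filter used on this page, and assembles the command as an argument list with no shell involved. It reads the bind password from a file with ldapsearch's -y option instead of passing it with -w as in the command above, which leaves the password visible in the process list, and uses -H with an ldap:// URI rather than -h. The host, bind name, base DN and password file path are assumed sample values.

```python
"""Build an ldapsearch invocation whose search filter is escaped per RFC 4515,
so a looked-up identity cannot change the meaning of the filter.
Example code added to this page; not OpenLDAP's own."""
import subprocess

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII travels as UTF-8 bytes, each one escaped as \xx.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def equality_filter(attribute: str, value: str) -> str:
    """(attribute=value) with the value escaped, e.g. the page's (cn=WORKSTATION1)."""
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def ldapsearch_argv(host, bind_name, password_file, base_dn, search_filter, attrs=()):
    """Assemble argv for the same query the page runs. The bind password comes
    from a file (-y) rather than the command line (-w), and the list form means
    no shell quoting is needed for the filter or the base DN."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", "ldap://%s" % host,
            "-D", bind_name, "-y", password_file,
            "-b", base_dn, "-s", "sub", search_filter]
    argv.extend(attrs)                       # optional attribute list to return
    return argv


def run_ldapsearch(argv):
    """Run the assembled command without a shell and return its LDIF output."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Assumed sample values; "Lab (Test)*" shows filter metacharacters being neutralised.
    for value in ("WORKSTATION1", "Lab (Test)*"):
        print(equality_filter("cn", value))
    print(" ".join(ldapsearch_argv("10.1.1.110", "cisco", "/etc/ldap-bind.pw",
                                   "cn=computers,dc=lab,dc=local",
                                   equality_filter("cn", "WORKSTATION1"))))
```

The escaping only matters for the assertion value; the attribute name and the base DN are configuration, not user input, and should never be assembled from request data at all.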
ADSI Edit
ADSI Edit is a tool that is included with the Microsoft Support Tools. It is similar to the other Microsoft tool, called LDP. Use the following steps to use it.
1. Download ADSI Edit as part of the Microsoft Support Tools. Different versions need to be downloaded based on the Microsoft OS that is used; see the references for details on the correct version to use.
2. Click "Start > Run..." and enter "adsiedit.msc".
3. Click "Actions > Connect to...".
4. Fill in the parameters pertaining to the domain controllers. An example is shown below.
5. View the LDAP tree.
LDP
LDP is a tool that is included with the Microsoft Support Tools. It is similar to the other Microsoft tool, called ADSI Edit. Complete the following steps to use it.
1. Download LDP as part of the Microsoft Support Tools. Different versions need to be downloaded based on the Microsoft OS that is used; see the references for details on the correct version to use.
2. Open a cmd prompt and type "ldp".
3. Click "Connect..." and define the domain controller to connect to.
4. Click "Bind..." and add the credentials and domain to bind to, matching the "Connect..." entry.
5. Click "View > Tree".
6. Select the options based on the base domain and object class to view.
7. Navigate through the tree and view the appropriate entries.
Discovering LDAP Information for Computer “Workstation1”
In this scenario, we are looking for details on the computer named Workstation1. The screenshots below show the information that each of the tools displays.
LDAPBrowser
LDAPsearch
[root@nacserver ~]# ldapsearch -x -LLL -h 10.1.1.110 -D cisco -w cisco -b "cn=computers,dc=lab,dc=local" -s sub "(cn=WORKSTATION1)" | more
dn: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WORKSTATION1
distinguishedName: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
instanceType: 4
whenCreated: 20101003145430.0Z
whenChanged: 20101103092653.0Z
displayName: WORKSTATION1$
uSNCreated: 14016
uSNChanged: 33957
name: WORKSTATION1
objectGUID:: n0W/aswsX0unH0ztcZZ4Xw==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129347220433437500
localPolicyFlags: 0
pwdLastSet: 129332500133281250
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAAdvbrYC+UGR9bSVqWwQAAA==
accountExpires: 9223372036854775807
logonCount: 8
sAMAccountName: WORKSTATION1$
sAMAccountType: 805306369
operatingSystem: Windows XP Professional
operatingSystemVersion: 5.1 (2600)
operatingSystemServicePack: Service Pack 2
dNSHostName: WORKSTATION1.lab.local
servicePrincipalName: HOST/WORKSTATION1
servicePrincipalName: HOST/WORKSTATION1.lab.local
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=lab,DC=local
isCriticalSystemObject: FALSE
ADSIEdit
LDP
Discovering LDAP Information for User “Cisco”
LDAPBrowser
ldapsearch
[root@nacserver ~]# ldapsearch -x -LLL -h 10.1.1.110 -D cisco -w cisco -b "cn=users,dc=lab,dc=local" -s sub "(cn=cisco)" | more
dn: CN=cisco,CN=Users,DC=lab,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: cisco
userCertificate:: MIIF9DCCBNygAwIBAgIKHiqObQAAAAABWDANBgkqhkiG9w0BAQUFADBGMRUw
 EwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNsYWIxGDAWBgNVBAMTD2xhYmNhL
 W1pY3Jvc29mdDAeFw0xMDExMjAxOTUzNTdaFw0xMTExMjAxOTUzNTdaMGwxFTATBgoJkiaJk/IsZA
 EZFgVsb2NhbDETMBEGCgmSJomT8ixkARkWA2xhYjEOMAwGA1UEAxMFVXNlcnMxDjAMBgNVBAMTBWN
 pc2NvMR4wHAYJKoZIhvcNAQkBFg9jaXNjb0BsYWIubG9jYWwwXDANBgkqhkiG9w0BAQEFAANLADBI
 AkEAyBIGJKI0LgIujpwOfcEN3zgqS/Wf4Wd+ar/VYeT3bn/FP5mpmyGCLDucORJuslyAfkISA1eNZ
 QFB5Q1AvlVVyQIDAQABo4IDhDCCA4AwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBRDHCvB92uKxDDIXN
 UxhCAFPabAvDA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiG8Nc0haaBeYP9lSGBwPIugtLrZIE
 r5IZHg9WSOQIBZAIBAjAfBgNVHSMEGDAWgBTPn6N0xuBub6FU/lExsRcaCvo+sjCCAR8GA1UdHwSC
 ARYwggESMIIBDqCCAQqgggEGhoG/bGRhcDovLy9DTj1sYWJjYS1taWNyb3NvZnQsQ049bGFiLWluZ
 nJhc3RydWN0dXJlLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcy
 xDTj1Db25maWd1cmF0aW9uLERDPWxhYixEQz1sb2NhbD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN
 0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGQmh0dHA6Ly9sYWItaW5mcmFz
 dHJ1Y3R1cmUubGFiLmxvY2FsL0NlcnRFbnJvbGwvbGFiY2EtbWljcm9zb2Z0LmNybDCCAS4GCCsGA
 QUFBwEBBIIBIDCCARwwgawGCCsGAQUFBzAChoGfbGRhcDovLy9DTj1sYWJjYS1taWNyb3NvZnQsQ0
 49QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXR
 pb24sREM9bGFiLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZp
 Y2F0aW9uQXV0aG9yaXR5MGsGCCsGAQUFBzAChl9odHRwOi8vbGFiLWluZnJhc3RydWN0dXJlLmxhY
 i5sb2NhbC9DZXJ0RW5yb2xsL2xhYi1pbmZyYXN0cnVjdHVyZS5sYWIubG9jYWxfbGFiY2EtbWljcm
 9zb2Z0LmNydDApBgNVHSUEIjAgBgorBgEEAYI3FAICBggrBgEFBQcDAgYIKwYBBQUHAwQwNQYJKwY
 BBAGCNxUKBCgwJjAMBgorBgEEAYI3FAICMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMEMDsGA1UdEQQ0
 MDKgHwYKKwYBBAGCNxQCA6ARDA9jaXNjb0BsYWIubG9jYWyBD2Npc2NvQGxhYi5sb2NhbDANBgkqh
 kiG9w0BAQUFAAOCAQEAlnJeJbmoosc6E9gnM5kWiWAEW5kSnrt3BbXE4UazFGLeQYcjMwq/IQrXzo
 mKMyloguVQuKrd7llcvG5KNC6JApB1qm5BeZ6RcjGwjoOTI1UzR2d4JhCm7CeaI8CNwiTxRgLJENz
 Non5PLGrOIUDNMHCsg6EXgyQcMULMz9XZJbLr+e8typCK+kjMUuSQ3rP1kT4+jhpWGSnD5NCSAsaD
 31rZkC4evzqzfrXiX8rWbI1+KoCjg1ioqY+P5AQr8fi7eLApQLRR6Fi7jG1RkyWp/rDtpMPB/vg3+
 H6flML5G4QRLfLkeDXYpZs4egiLdzLqVFM+9ivc+IbqshLC9OWGgg==
givenName: cisco
distinguishedName: CN=cisco,CN=Users,DC=lab,DC=local
instanceType: 4
whenCreated: 20101031213342.0Z
whenChanged: 20101120200357.0Z
displayName: cisco
uSNCreated: 33665
uSNChanged: 41458
name: cisco
objectGUID:: ZpYR2s43XU+WJb6kvj3zdA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129347569507031250
pwdLastSet: 129330344223125000
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAAdvbrYC+UGR9bSVqYgQAAA==
accountExpires: 9223372036854775807
logonCount: 9
sAMAccountName: cisco
sAMAccountType: 805306368
userPrincipalName: cisco@lab.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
mail: cisco@lab.local
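The raw ldapsearch output above takes some decoding before an appliance (or a person checking its configuration) can act on it: objectSid and objectGUID are base64-encoded binary, userAccountControl is a bit mask, and lastLogon, pwdLastSet and accountExpires are Windows FILETIME counters. The Python below is an added example, not part of this document or of OpenLDAP. It parses the LDIF that ldapsearch -LLL prints, including folded continuation lines such as those in the userCertificate value, and decodes those attributes for both the WORKSTATION1 entry and the cisco entry shown on this page. The sample input is a trimmed copy of those two entries (constructed here, with the certificate omitted); the flag names follow Microsoft's documented userAccountControl bit values.

```python
"""Parse LDIF from `ldapsearch -LLL` and decode the raw Active Directory
attributes it returns. Example code added to this page; not OpenLDAP's own."""
import base64
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample: the WORKSTATION1 and cisco entries from the page's output,
# trimmed to the attributes decoded below. The folded objectCategory line shows
# an LDIF continuation line (leading space), which the parser must re-join.
SAMPLE_LDIF = """\
dn: CN=WORKSTATION1,CN=Computers,DC=lab,DC=local
objectGUID:: n0W/aswsX0unH0ztcZZ4Xw==
userAccountControl: 4096
lastLogon: 129347220433437500
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAAdvbrYC+UGR9bSVqWwQAAA==
accountExpires: 9223372036854775807
sAMAccountName: WORKSTATION1$
objectCategory: CN=Computer,CN=Schema,
 CN=Configuration,DC=lab,DC=local

dn: CN=cisco,CN=Users,DC=lab,DC=local
objectGUID:: ZpYR2s43XU+WJb6kvj3zdA==
userAccountControl: 66048
lastLogon: 129347569507031250
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAAdvbrYC+UGR9bSVqYgQAAA==
sAMAccountName: cisco
"""

# userAccountControl bits (Microsoft documented values); the subset relevant to access decisions.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
}

def parse_ldif(text):
    """Return a list of entries, each a dict attr -> list of values.
    Base64 values (attr:: ...) come back as bytes, plain values as str."""
    lines = []
    for raw in text.splitlines():            # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():                 # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            parsed = base64.b64decode(value[1:].strip())
        else:
            parsed = value.strip()
        current.setdefault(attr, []).append(parsed)
    if current:
        entries.append(current)
    return entries

def sid_to_string(raw):
    """Binary SID (revision, sub-authority count, 48-bit big-endian authority,
    little-endian 32-bit sub-authorities) to its S-1-5-21-... text form."""
    count = raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (raw[0], authority, "-".join(map(str, subs)))

def filetime_to_datetime(value):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 and 2**63-1 mean 'never'."""
    ticks = int(value)
    if ticks in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def decode_uac(value):
    return [name for bit, name in UAC_FLAGS.items() if int(value) & bit]

def summarize(entry):
    """Turn one parsed entry into the fields an appliance would act on."""
    sid = sid_to_string(entry["objectSid"][0])
    domain_sid = sid.rsplit("-", 1)[0]
    return {
        "dn": entry["dn"][0],
        "sid": sid,
        # primaryGroupID is a RID relative to the domain SID (513 Domain Users, 515 Domain Computers)
        "primary_group_sid": "%s-%s" % (domain_sid, entry["primaryGroupID"][0]),
        "guid": str(uuid.UUID(bytes_le=entry["objectGUID"][0])),
        "uac": decode_uac(entry["userAccountControl"][0]),
        "last_logon": filetime_to_datetime(entry["lastLogon"][0]),
        "expires": filetime_to_datetime(entry.get("accountExpires", ["0"])[0]),
    }

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        for key, val in summarize(entry).items():
            print("%-18s %s" % (key, val))
```

Two things worth noticing in the decoded output: both objects share the same domain SID and differ only in the trailing RID, which is how an appliance should match a primary group (append primaryGroupID to the domain SID rather than string-matching a group name), and the user's userAccountControl of 66048 decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, a detail that is easy to miss in the raw number.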
ADSI Edit
LDP
References
| Link | Description |
|---|---|
| Cisco NAC Profiler Reference to ADSIEdit | Guide on using ADSI Edit to configure the Cisco NAC Profiler for LDAP polling |
| Microsoft ADSI Edit Reference | Reference on installing and using ADSI Edit |
| Microsoft Support Tools Description | Microsoft site explaining the tools provided in the Microsoft Support Tools download package |
| Microsoft Support Tools download site for Windows XP and Windows 2003 | Support tools package including LDP, ADSI Edit, ktpass, and other tools. These tools support Windows XP and Windows 2003 SP2 |
| Microsoft Support Tools download site for Windows Vista and Windows 7 | Support tools package including LDP, ADSI Edit and other tools for Windows Vista and Windows 7. It is included by default on Windows 2008 domain controllers |
| Softerra LDAP Browser | LDAP Browser |
| LDP Microsoft reference | Microsoft reference on LDP |
| ldapsearch man page | OpenLDAP ldapsearch man page |