
In my Windows-only domain, Kerberos is used for all authentication. The domain controllers, I understand, replicate and authenticate using RPC. Is LDAP used for anything else? Should I close the unused 389 LDAP port on all servers and clients?

Does Active Directory use LDAP for authorisation, lookups, etc.?

  • Do not disable LDAP unless you're using a test environment and you want to see what breaks. LDAP is used for AD resource enumeration, auth, etc. technet.microsoft.com/en-us/library/cc961766.aspx Commented Jan 2, 2016 at 23:00
  • LDAP is used for Service Connection Points (SCP) in the Config partition, so likely yes, LDAP is used Commented Jan 3, 2016 at 0:54
  • I presume you want file ownership & permissions to map to usernames and or group names? Commented Jan 3, 2016 at 9:28

1 Answer


No, you should not. LDAP is fundamental to many processes in Active Directory. For example:

  • When you perform an interactive logon on a client, the client performs a series of DNS lookups to determine the best domain controller, then performs a series of tests on tcp/389.
  • The Active Directory schema is downloaded to the client using LDAP on tcp/389.
  • The Group Policy Client uses LDAP to retrieve the policy information component which is stored in Active Directory.
  • Many of the command line tools and system-integrated management tools use LDAP (Active Directory Users and Computers, Active Directory Sites and Services, etc).
  • A TON of other stuff.

It's fairly easy to perform a network packet capture to confirm this.

It sounds like you may be confusing NTLM with Kerberos. It may be possible to use Kerberos in place of NTLM/2, although the client will attempt to fall back to NTLM/2 if Kerberos authentication is not possible.

Additionally, it is not possible to use only LDAPS tcp/636 in place of tcp/389 if you have certificates installed on your domain controllers. This would not provide any useful benefit, as LDAPS is primarily intended for applications that authenticate using a simple bind (username+password).

  • There are two additional notes to an otherwise wonderful answer: (1) LDAP tcp/389 is used normally within Active Directory for simple binds by enforcing the STARTTLS extension; it is also used with GSSAPI binds. (2) LDAP udp/389 is known as Connectionless LDAP and is used by AD clients to discover domain controllers and certain capabilities of those servers. Commented Jan 3, 2016 at 22:36
  • @greg-askew 1. Isn't RPC used for all this as well? 2. So Kerberos is used for authentication and LDAP for authorisation? Commented Jan 4, 2016 at 5:03
  • @Reemus, see my comment to the other answer. Commented Jan 4, 2016 at 8:03
  • @Remus: apparently not. Commented Jan 4, 2016 at 9:00
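The answer suggests confirming this with a packet capture; a quicker client-side check is to look at which processes actually hold LDAP connections to the domain controllers. The following PowerShell is an added example, not part of the original answer or comments; it assumes a domain-joined Windows 8.1/2012 R2 or later machine (for Get-NetTCPConnection), run from an elevated prompt.

```powershell
# Added example: list live LDAP/LDAPS/GC connections from this client to its domain
# controllers with the owning process, so the components that depend on tcp/389 are
# visible before anyone considers blocking the port.
# Assumes: domain-joined client, Windows 8.1 / 2012 R2 or later, elevated session.

# Resolve the current domain's DCs. The DC locator behind this call itself relies on
# DNS plus the Connectionless LDAP (udp/389) ping mentioned in the comments above.
$domain      = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcAddresses = foreach ($dc in $domain.DomainControllers) {
    [System.Net.Dns]::GetHostAddresses($dc.Name) | ForEach-Object { $_.IPAddressToString }
}
$dcAddresses = $dcAddresses | Sort-Object -Unique

# Generate some typical LDAP traffic so the table is not empty: a directory lookup of
# this computer account, then a Group Policy refresh (the GP client reads policy via LDAP).
$searcher        = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$null = $searcher.FindOne()
gpupdate /target:computer /force | Out-Null

# Enumerate connections to LDAP (389), LDAPS (636) and the Global Catalog ports (3268/3269).
$ldapPorts = 389, 636, 3268, 3269
Get-NetTCPConnection -RemotePort $ldapPorts -ErrorAction SilentlyContinue |
    Where-Object { $dcAddresses -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        # svchost hosts many services; resolve which ones live in that PID (e.g. gpsvc, Netlogon).
        $svc  = (Get-CimInstance Win32_Service -Filter "ProcessId=$($_.OwningProcess)").Name -join ','
        [pscustomobject]@{
            DomainController = $_.RemoteAddress
            Port             = $_.RemotePort
            State            = $_.State
            PID              = $_.OwningProcess
            Process          = $proc.ProcessName
            Services         = $svc
        }
    } | Format-Table -AutoSize
```

Short-lived LDAP sessions show up as TimeWait rather than Established, so the State column is kept; run it right after a logon or a gpupdate to catch the Group Policy and Netlogon traffic.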
