T 3.89 Errors in the configuration of LDAP access to directory services
LDAP is particularly suitable as the protocol for accessing a directory service when the directory is used by other applications, for example Internet or intranet applications. However, the following problems can arise if LDAP access is configured incorrectly:
- Incorrect assignment of access rights and access to the directory service without authorisation

Using directory services from different manufacturers can lead to problems with LDAP settings that rely on vendor-specific extensions of a particular directory service, for example Active Directory or Novell eDirectory. Incompatible LDAP syntaxes can also result in users being assigned the wrong rights. As a consequence, users may unintentionally be able to access areas they should have no right to access at all.

- Transmission of user passwords in the clear and eavesdropping on unencrypted information

LDAP itself provides no confidentiality: with a simple bind, the user's DN and password are carried unencrypted in the BindRequest, and all subsequent queries and results are equally readable by anyone who can observe the traffic. LDAP should therefore be given additional protection, for example with TLS (LDAPS on port 636 or StartTLS on port 389). However, TLS can be misconfigured in many ways (certificate validation switched off on the clients, or a server that still accepts unprotected simple binds alongside the encrypted ones), and each of them lowers the level of security.

- Errors in LDAP accesses, especially for network-based applications

In this case, login attempts may fail occasionally even though the correct credentials were supplied. One possible cause is differences between the LDAP configurations of the individual components of the directory service.

- Impaired availability of the directory service due to the LDAP encryption settings

The availability of large portions of the directory service can be severely impaired by faulty configuration, procedures carried out incorrectly, and activating the LDAP signing and encryption settings in the wrong order (for example, requiring signing on the servers before all clients have been configured to support it). In large environments it can be very difficult to return the directory service to an operable state, because many network-based administration and control functions are themselves disrupted in such a situation. Under some circumstances the impact of inconsistent settings is only noticed after some time has passed.

- Reduced productivity of the overall system due to the use of different LDAP versions

If the clients support different LDAP versions, different configuration options may be available depending on the client. Clients using an older LDAP version may not support newer operations, or the functions they do provide may still contain vulnerabilities. Even when the clients support several LDAP versions, the configuration options that result from this can lead to errors that have a negative impact on the security of operations.

- Search filters that are not restricted, or restricted insufficiently

If a directory service is made available via LDAP as a public address book or certificate server, it answers search queries arriving from the Internet; for example, after an e-mail address has been entered, the certificate needed to encrypt mail to that address is returned. If the search and return criteria are not restricted, internal information can be disclosed to the outside world through such queries. If, for example, an organisation permits placeholders (so-called wildcards) in searches and does not limit the size of the response either, the entire directory can be read out with a single query: a search for the certificate belonging to the address *@* would return a complete list of the e-mail addresses of all the organisation's employees. Such a list can be used to send spam or to prepare targeted attacks (see T 5.42 Social Engineering).
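The following is an added example for the second problem above (cleartext passwords in LDAP simple binds); it is not part of the catalogue entry. LDAP messages are BER-encoded rather than textual, but a simple BindRequest still carries the DN and password as plain octet strings. The code encodes such a request, decodes it again from a captured port-389 payload, and flags every bind that exposes a non-empty password. The message IDs, DNs, passwords and client addresses are constructed sample data; the encoder assumes message IDs and version numbers below 128 so that they fit in a single INTEGER byte.

```python
"""Spot cleartext LDAP simple binds in captured port-389 payloads.

Added example, not part of the BSI catalogue. Parses just enough of the
BER encoding of an LDAPMessage (RFC 4511) to recognise a BindRequest with
'simple' authentication and recover the DN and password it carries.
"""

LDAP_PORT = 389
TAG_SEQUENCE = 0x30        # LDAPMessage and BindRequest body are SEQUENCEs
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80     # [0] simple: the password as an OCTET STRING
TAG_AUTH_SASL = 0xA3       # [3] sasl: SaslCredentials (constructed)


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value triple (definite length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(buf: bytes, pos: int):
    """Decode the BER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version, name, simple } }.
    Assumption of this example: message_id and version are < 128."""
    body = (_tlv(TAG_INTEGER, bytes([version]))
            + _tlv(TAG_OCTET_STRING, dn.encode())
            + _tlv(TAG_AUTH_SIMPLE, password.encode()))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + _tlv(TAG_BIND_REQUEST, body))


def parse_simple_bind(payload: bytes):
    """Return {'message_id', 'version', 'dn', 'password'} when payload starts
    with a simple BindRequest; None for anything else (search, SASL bind, TLS ...)."""
    try:
        tag, message, _ = _read_tlv(payload, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, message_id, pos = _read_tlv(message, 0)
        if tag != TAG_INTEGER:
            return None
        tag, bind, _ = _read_tlv(message, pos)
        if tag != TAG_BIND_REQUEST:
            return None
        tag, version, pos = _read_tlv(bind, 0)
        if tag != TAG_INTEGER:
            return None
        tag, dn, pos = _read_tlv(bind, pos)
        if tag != TAG_OCTET_STRING:
            return None
        tag, auth, _ = _read_tlv(bind, pos)
        if tag != TAG_AUTH_SIMPLE:          # SASL binds do not carry a cleartext password
            return None
    except IndexError:                      # truncated or non-LDAP bytes
        return None
    return {"message_id": int.from_bytes(message_id, "big"),
            "version": int.from_bytes(version, "big"),
            "dn": dn.decode(errors="replace"),
            "password": auth.decode(errors="replace")}


def audit_captures(captures):
    """captures: iterable of (client, dst_port, payload). Returns one finding per
    simple bind on the unencrypted LDAP port that carries a non-empty password."""
    findings = []
    for client, port, payload in captures:
        if port != LDAP_PORT:
            continue                        # 636 is TLS from the first byte; nothing to read
        bind = parse_simple_bind(payload)
        if bind and bind["password"]:
            findings.append({"client": client, "dn": bind["dn"], "password": bind["password"]})
    return findings


# Constructed sample captures (client address, destination port, first TCP payload).
SAMPLE_CAPTURES = [
    ("10.0.0.5", 389, build_simple_bind(1, "cn=admin,dc=example,dc=com", "s3cret")),
    ("10.0.0.6", 389, build_simple_bind(1, "", "")),                     # anonymous bind
    ("10.0.0.7", 389, _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, b"\x02") + _tlv(
        TAG_BIND_REQUEST, _tlv(TAG_INTEGER, b"\x03") + _tlv(TAG_OCTET_STRING, b"")
        + _tlv(TAG_AUTH_SASL, _tlv(TAG_OCTET_STRING, b"GSSAPI"))))),     # SASL bind
    ("10.0.0.8", 636, b"\x16\x03\x01\x00\xc8" + b"\x00" * 200),          # LDAPS: TLS record
]

if __name__ == "__main__":
    for finding in audit_captures(SAMPLE_CAPTURES):
        print("cleartext bind from %(client)s as %(dn)s, password %(password)r" % finding)
```

Only the first capture is reported: the anonymous bind carries no secret, the SASL bind negotiates credentials out of band, and the LDAPS payload is a TLS record that the parser cannot (and should not be able to) read. The same logic applied to a real capture is a quick check that a directory's clients have actually moved to LDAPS or StartTLS.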
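For the last problem above (unrestricted search filters on a public certificate server), the following added example shows how a front end should build the LDAP query instead of forwarding the visitor's input as a filter. It is not code from the catalogue: the attribute names, the minimum of three literal characters, the result cap of five entries and the allowed domain are this example's own policy choices, and the injection-style input at the end is constructed.

```python
"""Restrict what a public LDAP certificate lookup may ask the directory.

Added example, not part of the BSI catalogue. The front end builds the
filter itself, escapes the literal parts per RFC 4515, allows at most a
short prefix wildcard in the local part, and caps the result size, so a
query such as "*@*" can never enumerate the whole directory.
"""

MIN_LITERAL_LOCAL_CHARS = 3        # "ali*@example.org" is allowed, "a*@example.org" is not
MAX_RESULTS = 5                    # never hand back more than a few entries per query
ALLOWED_DOMAINS = {"example.org"}  # domains the organisation publishes certificates for

# RFC 4515 section 3: characters with special meaning inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_certificate_lookup(user_input: str) -> dict:
    """Turn an address typed by an anonymous user into a bounded search.

    Returns {'filter', 'attributes', 'sizelimit'} or raises ValueError when
    the input would match more than a small, named set of entries."""
    address = user_input.strip().lower()
    if address.count("@") != 1:
        raise ValueError("exactly one address of the form local@domain is required")
    local, domain = address.split("@")
    if domain not in ALLOWED_DOMAINS:      # also rejects "*", "" and "exam*"
        raise ValueError("domain not served by this directory")
    wildcard = local.endswith("*")
    if wildcard:
        local = local[:-1]                 # one trailing '*' is the only wildcard allowed
    if "*" in local or len(local) < MIN_LITERAL_LOCAL_CHARS:
        raise ValueError("at least %d literal characters before an optional "
                         "trailing '*' are required" % MIN_LITERAL_LOCAL_CHARS)
    mail_value = (escape_filter_value(local) + ("*" if wildcard else "")
                  + "@" + escape_filter_value(domain))
    return {
        "filter": "(&(objectClass=inetOrgPerson)(mail=%s)(userCertificate=*))" % mail_value,
        "attributes": ["mail", "userCertificate"],   # never return the whole entry
        "sizelimit": MAX_RESULTS,
    }


if __name__ == "__main__":
    # Constructed inputs: a normal lookup, a bounded prefix search, the "*@*"
    # enumeration attempt and an attempt to inject a second filter clause.
    for attempt in ["Alice@Example.org", "ali*@example.org", "*@*", "ali)(cn=*@example.org"]:
        try:
            print(attempt, "->", build_certificate_lookup(attempt)["filter"])
        except ValueError as err:
            print(attempt, "-> rejected:", err)
```

The returned dictionary maps directly onto a real client call, for example ldap3's `Connection.search(search_base, filter, attributes=..., size_limit=...)`. Passing `sizelimit` in the request rather than trimming the response afterwards matters: the directory then stops searching after a handful of entries, so even a filter that slipped through cannot be used to read the directory out page by page.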