Open port 389: Lightweight directory access protocol (LDAP)
What this means
Lightweight Directory Access Protocol (LDAP) is a protocol used for querying directory services for authentication and authorisation information.
The most popular directory services that use LDAP are Active Directory and OpenLDAP.
LDAP operates on port 389, where data is transmitted in plain text (unencrypted), and on port 636 (LDAPS, encrypted with TLS). If these ports are left open to the internet or an untrusted network, attackers may be able to query or manipulate directory service data.
Why this is a problem
LDAP plays a crucial role in grouping and securing access to resources within an organisation, so it is critical to secure it against attackers to prevent unauthorised access to sensitive data.
By the nature of directory services, LDAP needs to be available within the organisation's network to service authentication and authorisation requests; however, it should not be visible externally.
An open LDAP port on an untrusted network poses several security risks, including:
- unauthorised data access: attackers can query user information, including usernames, group memberships, email addresses, and organisational details
- credential harvesting: if authentication is misconfigured, attackers may obtain credentials for further attacks
- vulnerability to attacks: the lack of encryption on port 389 makes LDAP susceptible to packet sniffing, brute-force attacks and man-in-the-middle attacks
- Man-in-the-Middle (MitM) attacks: unencrypted LDAP traffic can be intercepted and modified
- Denial of Service (DoS) attacks: open ports can be exploited to flood the server with requests, making the service unavailable
How to check if the problem is there
Run one of the following commands to check whether your LDAP port is accessible from an untrusted network.
Using netstat (Linux or MacOS):
netstat -tulnp | grep :389
If the output shows LDAP listening on 0.0.0.0 or a public IP, it is exposed.
Using ss (Linux):
ss -tulnp | grep :389
Similar to netstat, this checks for active ports.
Using telnet:
telnet your-ldap-server.com 389
If the connection is successful, the port is open.
Using nmap (network scan):
nmap -p 389,636 your-ldap-server.com
If the scan returns "open", the port is accessible.
Using the above tools from within a trusted network may show the LDAP port as open; this is not necessarily a vulnerability, since LDAP must be reachable inside the organisation's network. System administrators should enable LDAPS instead of plain-text LDAP to reduce the attack surface.
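The following shell script is an added example and is not part of the original guidance. It automates the netstat/ss check above: it reads output in the layout of ss -tulnp (assumed Linux column order), picks out every listening socket on 389 or 636, and classifies the bound address as internal (loopback or RFC 1918 range) or exposed (wildcard bind or any other address). The ss output embedded in the script is constructed sample data; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original guidance: classify LDAP listeners
# found in `ss -tulnp` output (Linux column layout assumed).

# Constructed sample output in the layout of `ss -tulnp`.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:389        0.0.0.0:*          users:(("slapd",pid=812,fd=8))
tcp   LISTEN 0      128    127.0.0.1:636      0.0.0.0:*          users:(("slapd",pid=812,fd=9))
tcp   LISTEN 0      128    10.0.5.20:636      0.0.0.0:*          users:(("slapd",pid=812,fd=10))
tcp   LISTEN 0      128    [::]:389           [::]:*             users:(("slapd",pid=812,fd=11))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*          users:(("sshd",pid=400,fd=3))'

# classify_addr ADDRESS -> "internal" or "exposed".
# Loopback and RFC 1918 ranges are treated as internal. A wildcard bind
# (0.0.0.0 or [::]) is reachable on every interface and counts as exposed,
# as does any other address (public IPv4, or IPv6 unicast, which is left
# for manual review).
classify_addr() {
  case "$1" in
    127.*|::1|\[::1\])                      echo internal ;;
    10.*|192.168.*)                         echo internal ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo internal ;;
    *)                                      echo exposed ;;
  esac
}

# ldap_listeners: reads ss-style lines on stdin and prints
# "<port> <address> <protocol> <internal|exposed>" for each LISTEN socket
# on 389 (plain-text LDAP) or 636 (LDAPS). Other ports are ignored.
ldap_listeners() {
  while read -r _netid state _recvq _sendq local _rest; do
    [ "$state" = "LISTEN" ] || continue
    port=${local##*:}   # text after the last colon
    addr=${local%:*}    # text before the last colon, e.g. 0.0.0.0 or [::]
    case "$port" in
      389) echo "$port $addr ldap $(classify_addr "$addr")" ;;
      636) echo "$port $addr ldaps $(classify_addr "$addr")" ;;
    esac
  done
}

# exposed_plaintext_count: number of plain-text LDAP (389) listeners bound to
# a wildcard or public address, which is the finding this page describes.
# Reads ss-style output on stdin.
exposed_plaintext_count() {
  ldap_listeners | awk '$3 == "ldap" && $4 == "exposed" { n++ } END { print n + 0 }'
}

# Run against the constructed sample. On a live Linux host use:
#   ss -tulnp | ldap_listeners
printf '%s\n' "$SAMPLE_SS" | ldap_listeners
printf 'exposed plain-text LDAP listeners: %s\n' \
  "$(printf '%s\n' "$SAMPLE_SS" | exposed_plaintext_count)"
```

For the constructed sample the script reports the two port 389 sockets (0.0.0.0 and [::]) as exposed and the two LDAPS sockets (loopback and a 10.0.0.0/8 address) as internal. An "internal" result still only means the bind address is private; whether the host itself is reachable from an untrusted network is a firewall question, which the next section addresses.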
How to fix this
Restrict network access
Carry out the following actions:
- remove any inbound firewall or port forwarding rules allowing port 389
- configure firewall rules to allow connections only from trusted IP addresses
- disable the service if it is not required
Enable Secure LDAP (LDAPS)
If LDAP is required, use LDAPS (port 636) with TLS encryption and carry out the following steps:
- Obtain an SSL certificate.
- Configure the LDAP server to require TLS.
- Update client configurations to connect securely.
Disable anonymous binds
Ensure that anonymous binds (unauthenticated access to the directory) are disabled in the LDAP configuration.
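As an added example that is not part of the original guidance, the script below audits an OpenLDAP (slapd) configuration for the last two fixes above: requiring TLS and disabling anonymous binds. It assumes the server is OpenLDAP using the dynamic cn=config backend (Active Directory is configured through different mechanisms, not covered here). The attribute names checked (olcTLSCertificateFile, olcSecurity, olcDisallows, olcRequires) are the standard slapd-config attributes; the two LDIF fragments are constructed samples, one weak and one hardened, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original guidance: audit an OpenLDAP (slapd)
# cn=config LDIF for the TLS and anonymous-bind hardening described above.
# Assumes OpenLDAP with the dynamic cn=config backend.

# Constructed sample: a TLS certificate is installed, but nothing forces
# clients to use it and anonymous binds are still allowed (slapd's default).
WEAK_CONFIG='dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/ldap/certs/server.crt
olcTLSCertificateKeyFile: /etc/ldap/certs/server.key'

# Constructed sample: the hardened equivalent.
#   olcSecurity: tls=1        every operation must arrive over TLS
#   olcDisallows: bind_anon   reject anonymous bind requests
#   olcRequires: authc        require an authenticated session for operations
HARDENED_CONFIG='dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/ldap/certs/server.crt
olcTLSCertificateKeyFile: /etc/ldap/certs/server.key
olcSecurity: tls=1
olcDisallows: bind_anon
olcRequires: authc'

# check_setting DESCRIPTION PATTERN: searches the config held in $CFG
# (case-insensitively, as LDIF attribute names are), prints PASS or FAIL,
# and increments $FAILS on failure.
check_setting() {
  if printf '%s\n' "$CFG" | grep -qiE "$2"; then
    echo "PASS: $1"
  else
    echo "FAIL: $1"
    FAILS=$((FAILS + 1))
  fi
}

# audit_slapd_config: reads cn=config LDIF on stdin, prints one PASS/FAIL
# line per check and, as the final line, the number of failed checks.
audit_slapd_config() {
  CFG=$(cat)
  FAILS=0
  check_setting "TLS certificate configured (olcTLSCertificateFile)"      '^olcTLSCertificateFile:'
  check_setting "TLS required for every operation (olcSecurity: tls=1)"  '^olcSecurity:.*tls=[1-9]'
  check_setting "anonymous binds disallowed (olcDisallows: bind_anon)"   '^olcDisallows:.*bind_anon'
  check_setting "authenticated session required (olcRequires: authc)"    '^olcRequires:.*authc'
  echo "$FAILS"
}

# Run against both constructed samples. On a live OpenLDAP host, dump the
# configuration database and pipe it in:  slapcat -n 0 | audit_slapd_config
echo "--- weak configuration ---"
printf '%s\n' "$WEAK_CONFIG" | audit_slapd_config
echo "--- hardened configuration ---"
printf '%s\n' "$HARDENED_CONFIG" | audit_slapd_config
```

The weak sample fails three of the four checks and the hardened sample passes all of them. Both bind_anon and authc are checked because they address different things: disallowing anonymous binds rejects an explicit anonymous bind request, while requiring authc also refuses operations from a connection that never bound at all. A certificate file on its own proves nothing about enforcement, which is why the olcSecurity check is separate from the certificate check.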