Questions tagged [ldap]
The Lightweight Directory Access Protocol is an application protocol for reading and editing directories that follow the Directory Information Model over an IP network using unsecured TCP/IP, TLS or SSL. LDAP is a binary protocol described in terms of ASN.1 and transmitted using ASN.1 Basic Encoding Rules.
84 questions
0 votes, 1 answer, 1k views
Perfect DMZ: LDAP auth to AD
My goal is to integrate a public facing service with AD using LDAP.
While I vouch for a federated approach to user authentication, the business dictates LDAP.
We run a DMZ subnet and I insist on not ...
0 votes, 0 answers, 1k views
evil-winrm error connecting
I can't connect using evil-winrm directly. But when I use exegol it works
command used:
evil-winrm -i ip -u 'user' -p 'password'
error using evil-winrm:
Error: An error of type OpenSSL::Digest::...
1 vote, 1 answer, 339 views
Best practice for "stateOrProvinceName" in certificate
In RFC-4519 stateOrProvinceName is abbreviated to ST. Should we assume that it is best practice to put ST=<name-of-state> in the certificate if the state or province is indicated? After all X-...
0 votes, 0 answers, 568 views
Metasploit module for NULL LDAP credentials
This article covers the solution for the LDAP challenges on a capture the flag.
I understand how the first example works, using the NULL value for the username and password to authenticate to the LDAP ...
0 votes, 2 answers, 516 views
How different ldap implementations are generating random salt?
I am currently generating salted SHA 256 passwords in the below format
$hash = "{SHA256}".base64_encode(hash('sha256', $password . $salt) . $salt) .
Using the below libraries of Java ...
0 votes, 0 answers, 19 views
Should a wildcard cert. e.g. *.example.com, be accepted to authenticate the root domain not listed as SAN? [duplicate]
(This has been marked a duplicate of SSL Cert for sub.domain.com and www.sub.domain.com, but while it's correct that the answer to this question is present in the answers there, that question is ...
1 vote, 1 answer, 3k views
Is LDAPS or StartTLS more secure?
This question has been asked and answered here, here, and also basically here. I'm asking again because the answers and information are conflicting.
LDAPS:
According to Wikipedia (and its RFC sources) ...
0 votes, 1 answer, 474 views
How to change the password hashing scheme in LDAP using an external library with slapd.d config
I am trying to change the password hashing scheme for LDAP. Hypothetically, let's assume it's pw-argon.so
I don't have slapd.conf; I have the slapd.d directory where I can make changes dynamically to ...
0 votes, 1 answer, 792 views
How to overcome MD4 hashing in SAMBA
We are using a Samba configuration on our RedHat (RHEL7.9) systems, where SMB authentication is based on an NTLM password hash, which is basically a clear-text credential for a challenge-response ...
0 votes, 0 answers, 1k views
What does LDAP have to do with X.509 Certificates
I'm working with certificates programmatically through .NET. I usually give the certificate a DN by giving it a string like this: "c=eg,s=cairo,st=Nozha,cn=Foo Ltd.,..."
But there is another way to ...
0 votes, 1 answer, 1k views
LDAP StartTLS encryption - which TLS versions are supported?
I am looking to set a third party application to authenticate with our domain. The application supports LDAPv3 and we have opted to use the StartTLS extension to encrypt the credentials from the ...
3 votes, 2 answers, 1k views
User authentication: In HTTP Server vs. in Web Application
Management decided to switch the authentication-backend from LDAP to Kerberos as LDAP is deemed "obsolete and insecure". Also they want to switch from Apache to nginx for "performance ...
0 votes, 1 answer, 200 views
Having a backdoor password for each user to allow impersonation
For some context, I want my api to be able to 'impersonate' (or connect as) a user on my ldap database as most of the api's access controls are on the ldap database and tied to the user you are ...
1 vote, 1 answer, 136 views
Is an LDAP injection possible for a basic search query?
I'm trying to secure a login endpoint by attempting to bypass the login that uses LDAP.
It employs a search query of "cn=" + username + ", dc=example, dc=com" with a filter of "(objectClass=*)".
Is ...
0 votes, 1 answer, 376 views
Is kerberos unconstrained delegation partially safer than constrained delegation?
When you're using unconstrained delegation, a service A is allowed to authenticate as the user B to any other service. This happens because the user B sends its TGS along with its TGT to the service A,...