OpenLDAP
Status: Final
OpenLDAP is the most widely deployed open-source LDAP server. It underpins Linux identity in many enterprises and cloud environments, often as a backend for SSSD, FreeIPA, and custom application authentication.
Architecture
- slapd: standalone LDAP daemon (the server process)
- libldap: client library
- Backend databases: mdb (LMDB), bdb (legacy BerkeleyDB)
- Replication: SyncRepl (RFC 4533), provider/consumer model
Key Security Configuration
| Setting | Description | Hardening |
|---|---|---|
| olcTLSCACertificateFile | TLS CA certificate file | Require TLS for all binds |
| olcRequires: authc | Require authentication before any operation | Enable |
| olcSecurity: ssf=128 | Require 128-bit encryption | Enable |
| Password storage | {SSHA}, {ARGON2}, etc. | Never use {CLEAR} or {MD5} |
| Anonymous bind | Disabled vs. allowed | Disable unless required |
| ACLs | Who can read/write which attributes | Deny by default |
LDIF and Schema
OpenLDAP uses LDIF (LDAP Data Interchange Format) for all configuration and data:
```ldif
dn: uid=jsmith,ou=users,dc=corp,dc=com
objectClass: inetOrgPerson
uid: jsmith
userPassword: {SSHA}...
```
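The hardening settings from the table above, written as the cn=config LDIF that the previous section describes. This is an added example, not configuration from the page or the OpenLDAP project; the certificate paths, the `{1}mdb` database index and the `{SSHA}` hash choice are assumptions to adjust for your deployment.

```ldif
# Added hardening example. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f harden.ldif
# Certificate paths and the {1}mdb index are assumptions; list your
# databases with: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn

# 1. Global TLS material (cn=config). Paths are placeholders.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/slapd.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/slapd.key

# 2. Frontend: hash passwords server-side so {CLEAR} is never stored.
#    {ARGON2} can be used here once the argon2 module is loaded.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

# 3. Data backend: demand 128-bit SSF (TLS) and an authenticated bind
#    before any operation, then deny-by-default ACLs.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128
-
replace: olcRequires
olcRequires: authc
-
replace: olcAccess
# userPassword is never readable; "auth" only lets slapd compare it
# during a bind, which closes the "read userPassword" ACL gap.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Everything else is readable only by authenticated users; anonymous
# enumeration of users and groups is therefore refused.
olcAccess: {1}to *
  by self read
  by users read
  by * none
```

Continuation lines inside an `olcAccess` value start with a single space (the second space survives folding), and ACLs are evaluated in `{n}` order with the first match winning, so keep the `userPassword` rule before the catch-all.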
Attack Surface
| Attack | Method |
|---|---|
| Anonymous bind enumeration | If anon bind enabled, enumerate all users/groups without credentials |
| Credential brute force | LDAP simple bind against slapd |
| Cleartext password interception | LDAP on port 389 without TLS — credentials transmitted in clear |
| LDAP injection | App builds LDAP filter from user input without sanitization |
| Replication interception | SyncRepl without TLS — full directory replication stream |
| Misconfigured ACLs | Read userPassword attribute if ACL missing |
Cross-Links
| Topic | Link |
|---|---|
| LDAP in Active Directory | ldap |
| FreeIPA | freeipa |
| Linux SSSD | linux-sssd |