Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol: The protocol accessing data from directory services like [http://www.openldap.org/ OpenLDAP], [http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx Microsoft Active Directory], [http://enterprise.netscape.com/ Netscape Directory Server] or [http://www.novell.com/products/edirectory/ Novell eDirectory].
LDAP was developed as simple access protocol for ["X.500"] databases.
- ["TCP"]/["UDP"]: Typically, LDAP uses ["TCP"] or ["UDP"] (aka ["CLDAP"]) as its transport protocol. The well known TCP and UDP port for LDAP traffic is 389.
- ["SSL"]/["TLS"]: LDAP can also be tunneled through ["SSL"]/["TLS"] encrypted connections. The well known TCP port for ["SSL"] is 636 while ["TLS"] is negotiated within a plain ["TCP"] connection on port 389.
TODO: - Add example traffic here (as plain text or Wireshark screenshot).
The LDAP dissector is (fully functional).
TODO: - Add links to preference settings affecting how LDAP is dissected.
Example capture file
attachment:SampleCaptures/ldap-controls-dirsync-01.cap Sample LDAP PDU with DIRSYNC CONTROLS
attachment:SampleCaptures/ldap-krb5-sign-seal-01.cap Sample GSSAPI-KRB5 signed and sealed LDAP PDU
A complete list of LDAP display filter fields can be found in the [http://www.wireshark.org/docs/dfref/l/ldap.html LDAP display filter reference]
Show only the LDAP based traffic:
You cannot directly filter LDAP protocols while capturing. However, if you know the ["TCP"] port used (see above), you can filter on that one.
Capture LDAP traffic over the default port (389):
tcp port 389
[http://www.ietf.org/rfc/rfc1777.txt LDAPv2 - RFC 1777]
[http://www.ietf.org/rfc/rfc2251.txt LDAPv3 - RFC 2251]
[http://blog.eukhost.com/2006/11/02/lightweight-directory-access-protocol Summarization of LDAP]