Lightweight Directory Access Protocol
LDAP is very popular both as a directory service and for authentication and authorization. It provides an excellent level of flexibility in identifying whether a User exists, whether the credentials are correct, and what groups the User is a part of (this is called group extraction).
The ports used for LDAP are as follows:
TCP 389: Standard LDAP
TCP 636: Encrypted LDAP
TCP 3268: Global catalog, unencrypted
TCP 3269: Global catalog, encrypted
Authentication flow
The following Wireshark snapshot shows what the exchange between NetScaler and the LDAP server should look like:
The steps here are as follows:
bindRequest: Here, the NetScaler is authenticating itself to the LDAP server.
bindResponse: If the method used (usually SASL – Simple Authentication and Security Layer) and the credentials provided are both okay, the LDAP server responds with a success.
searchRequest: At this point, NetScaler runs through the User authentication; it starts by verifying...
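To make the first two packets of the capture concrete, here is the bindRequest/bindResponse pair built and parsed by hand in BER (RFC 4511). This is an added example, not code from the book; the DN, password and diagnostic text are constructed placeholders, and it shows a simple bind rather than the SASL method mentioned above.

```python
# Hand-built BER for the bindRequest / bindResponse pair (RFC 4511).
# Added example, not code from the book; DN, password and diagnostic
# text are constructed placeholders, and a simple bind is shown.

RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 32: "noSuchObject",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def ber_len(n):
    # Short form for lengths below 128, long form (0x8N + N bytes) otherwise.
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n, tag=0x02):
    # Minimal two's-complement encoding; tag 0x0A encodes an ENUMERATED.
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def bind_request(message_id, dn, password):
    # LDAPMessage { messageID, [APPLICATION 0] { version 3, name, simple [0] pw } }
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, body))

def bind_response(message_id, result_code, diag=""):
    # Constructed reply: [APPLICATION 1] LDAPResult { resultCode, matchedDN, diag }
    result = ber_int(result_code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg):
    # Returns (messageID, resultCode, diagnosticMessage); resultCode 0 is the success.
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a bindResponse")
    _, code, pos = read_tlv(op, 0)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True), diag.decode())

def result_name(code):
    return RESULT_NAMES.get(code, f"resultCode {code}")
```

Feeding the bytes of a real bindResponse from a capture to parse_bind_response gives the resultCode directly; a run of resultCode 49 (invalidCredentials) against the service account is what to watch for on the LDAP server side.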