Updated: November 25, 2009

Applies To: Windows Server 2008 R2

Lightweight Directory Access Protocol (LDAP) is the standard protocol that directory clients use to gain access to data that is held by directory servers. LDAP supports a relatively simple set of operations, such as bind, unbind, read, and modify. LDAP is the primary interface to Active Directory Domain Services (AD DS), and it is responsible for packaging and interpreting LDAP packets over the network.


The following is a list of all aspects that are part of this managed entity:

LDAP over SSL

Lightweight Directory Access Protocol (LDAP) communications between client computers and server computers can be encrypted with LDAP over Secure Sockets Layer (SSL) connections. You can configure Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to support LDAP over SSL.

LDAP signing

To enhance the security of directory servers, you can configure both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to require signed Lightweight Directory Access Protocol (LDAP) binds.

Unsigned network traffic is susceptible to replay attacks, in which an intruder intercepts an authentication attempt and the issue of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. In addition, unsigned network traffic is susceptible to man-in-the-middle attacks, in which an intruder captures packets between the client computer and the server, modifies the packets, and then forwards them to the server. When this behavior occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

Consider enhancing the security of your domain controllers by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.
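The two aspects above (LDAP over SSL and LDAP signing) can be verified from an administrator's workstation or on the domain controller itself. The following PowerShell script is an added example and is not part of the original TechNet page or of any Microsoft tool. It assumes Windows PowerShell 2.0 with the System.DirectoryServices.Protocols assembly available (both ship with Windows Server 2008 R2). The registry value LDAPServerIntegrity under the NTDS\Parameters key is the storage location of the Group Policy setting "Domain controller: LDAP server signing requirements", and Directory Service events 2887 and 2889 are the events a domain controller writes about simple and unsigned binds it has accepted; the server name dc01.example.com is a placeholder.

```powershell
# Added example: audit a domain controller's LDAP signing requirement, list the
# clients that still bind without signing, and confirm that LDAP over SSL (TCP 636)
# and signed LDAP (TCP 389) binds succeed. Not part of the original page.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapServerSigningRequirement {
    # Reads the value behind "Domain controller: LDAP server signing requirements".
    # 1 = None (the default when the value is absent), 2 = Require signing.
    # Must be run on the domain controller itself.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $item = Get-ItemProperty -Path $path -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.LDAPServerIntegrity } else { 1 }
    $label = switch ($value) { 1 { 'None' } 2 { 'Require signing' } default { "Unknown ($value)" } }
    New-Object PSObject -Property @{ Value = $value; Setting = $label }
}

function Get-UnsignedLdapBindSummary {
    # Event 2887 is written once per 24 hours and counts simple binds made without
    # SSL/TLS and SASL binds made without signing. Event 2889 names the individual
    # client addresses once the "16 LDAP Interface Events" diagnostic level is 2.
    # Reviewing these before switching to "Require signing" avoids breaking clients.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-LdapBind {
    # Binds to a directory server in one of three ways:
    #   Ssl    - LDAP over SSL on port 636 with the caller's Windows credentials
    #   Signed - LDAP on port 389 with SASL signing and sealing negotiated
    #   Simple - plain simple bind on port 389 (what the page recommends rejecting);
    #            with "Require signing" in effect this bind is expected to fail.
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [ValidateSet('Ssl', 'Signed', 'Simple')][string]$Mode = 'Signed',
        [System.Management.Automation.PSCredential]$Credential
    )
    $port = if ($Mode -eq 'Ssl') { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    switch ($Mode) {
        'Ssl' {
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        }
        'Signed' {
            $conn.SessionOptions.Signing = $true
            $conn.SessionOptions.Sealing = $true
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        }
        'Simple' {
            if (-not $Credential) { throw 'Simple mode requires -Credential' }
            $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Credential = $Credential.GetNetworkCredential()
        }
    }
    $result = New-Object PSObject -Property @{ Server = $Server; Mode = $Mode; BindSucceeded = $false; Error = $null }
    try     { $conn.Bind(); $result.BindSucceeded = $true }
    catch   { $result.Error = $_.Exception.Message }
    finally { $conn.Dispose() }
    $result
}

# Usage (dc01.example.com is a placeholder for your own domain controller):
# Get-LdapServerSigningRequirement
# Get-UnsignedLdapBindSummary -Days 7 | Format-List
# Test-LdapBind -Server 'dc01.example.com' -Mode Ssl
# Test-LdapBind -Server 'dc01.example.com' -Mode Signed
# Test-LdapBind -Server 'dc01.example.com' -Mode Simple -Credential (Get-Credential)
```

A failed Ssl bind usually means the domain controller has no server authentication certificate or the client does not trust its issuing CA; a failed Signed bind points at a client whose LDAP library cannot negotiate signing. Once the 2887 summaries show no remaining simple or unsigned binds, raising the signing requirement to "Require signing" should make only the Simple test fail.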

Related Management Information

Active Directory

© 2015 Microsoft