An internet-wide analysis of TLS configurations of public LDAP servers

Author(s): Monteiro, S.C. (2021)

Abstract:
LDAP is a protocol designed for querying and updating directory structures over IP. A common use case for the protocol is storing sensitive information such as passwords, creating a potential target for attackers. Despite this, we find no prior research quantifying the presence of public LDAP servers on the internet or investigating the security of these servers. This research investigates both of these points by performing an internet-wide scan for LDAP servers on the well-known ports 389 and 636 and analyzing the TLS configurations of a sample of the instances found. We discover over 6.6 million open ports, and observe over 29 thousand valid LDAP banners in our sample. We find major differences between ports 389 and 636 in terms of preferred cipher suites and the validity of presented certificates. Some of our findings are encouraging from a security standpoint, while others leave much to be desired.

Document(s):

Monteiro_BA_EEMCS.pdf