What is Port 389?

by Colin Cohen | Published on November 13, 2023

Port 389 is the standard port for LDAP (Lightweight Directory Access Protocol). LDAP clients connect to it to look up, and authenticate against, the data held by a directory server, which is how users gain access to protected network resources. A connection to port 389 starts in cleartext. It can be upgraded to TLS on the same connection with the StartTLS extended operation, or protected by a SASL mechanism that provides integrity and confidentiality (as Kerberos signing and sealing do in Active Directory). Port 636 (LDAPS) is different in that TLS is negotiated before any LDAP traffic is exchanged.


TCP 389 Explained

Directory services such as Microsoft Active Directory Domain Services and OpenLDAP listen on port 389. (Microsoft Entra ID, formerly Azure AD, is a separate cloud directory rather than a new name for Active Directory; it does not expose an LDAP endpoint itself, and organizations that need one for it use Entra Domain Services.) When a user requires these services, such as when logging into their organization's network or looking up a colleague's email address, their LDAP client makes the request over the port.

How LDAP Port 389 Works

LDAP over port 389 works by having an LDAP client open a TCP connection to an LDAP server and exchange LDAP messages over it: the client binds (authenticates), runs its operations, and unbinds. A typical lookup goes as follows:

  • The client opens a TCP connection to port 389. The connection starts in cleartext.

  • Optionally, the client sends the StartTLS extended operation (RFC 4511) to upgrade the same connection to TLS before it sends anything sensitive.

  • The client sends a bind request. A simple bind carries a DN and password; a SASL bind (for example GSSAPI/Kerberos) carries a mechanism exchange instead. The server authenticates the client and answers with a bind response.

  • The client sends a search request: a base DN, a scope, a filter, and the attributes it wants.

  • The server performs the search, returns the entries the bound identity is allowed to see, and finishes with a search result done message.

  • The client sends an unbind request and closes the connection. The application then uses the returned data, for example to grant the user access to the resource.
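The exchange above, as an added example that is not code from the original article: the three messages a client sends on port 389 (StartTLS, simple bind, unbind) encoded by hand from RFC 4511, plus the decoder a passive observer on the path would use to pull the DN and password back out of a cleartext simple bind. Only the Python standard library is used, nothing is sent to a server, and the DN and password are constructed sample values.

```python
"""LDAPv3 messages as they appear on TCP 389, built by hand from RFC 4511.

Added example, not code from the original article. Only the Python standard
library is used and no server is contacted; the DN and password are
constructed sample values.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511 s.4.14


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER in minimal two's-complement form."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # keep the sign bit clear
        body = b"\x00" + body
    return tlv(0x02, body)


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }."""
    return tlv(0x30, ber_int(msg_id) + protocol_op)


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Simple bind: [APPLICATION 0] SEQUENCE { version 3, name, simple [0] OCTET STRING }.

    The password is the raw value of the context-tag 0x80 element.
    """
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, op))


def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] whose requestName [0] is the StartTLS OID."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID.encode())))


def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest [APPLICATION 2] NULL: tag 0x42 with zero length."""
    return ldap_message(msg_id, b"\x42\x00")


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, buf[start:start + length], start + length


def sniff_simple_bind(frame: bytes):
    """What a passive observer recovers from one frame: (dn, password) for a
    cleartext simple bind, or None for anything else (including SASL binds)."""
    tag, body, _ = read_tlv(frame)
    if tag != 0x30:
        return None
    _, _, pos = read_tlv(body)              # messageID
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:                      # not a BindRequest
        return None
    _, _, pos = read_tlv(op)                # version
    _, dn, pos = read_tlv(op, pos)          # name
    auth_tag, cred, _ = read_tlv(op, pos)   # authentication choice
    if auth_tag != 0x80:                    # SASL [3]: no cleartext password field
        return None
    return dn.decode(), cred.decode()


if __name__ == "__main__":
    # Session in the order a careful client performs it: StartTLS first, then bind, then unbind.
    session = (starttls_request(1),
               bind_request(2, "cn=admin,dc=example,dc=com", "hunter2"),
               unbind_request(3))
    for frame in session:
        print(frame.hex(" "), "->", sniff_simple_bind(frame))
```

The bind frame is 47 bytes and the password sits in it verbatim, which is exactly what a packet capture on port 389 shows when StartTLS is skipped. Running StartTLS first (the client sends it, then waits for the extended response before starting the TLS handshake) puts the bind inside the encrypted channel; a SASL/GSSAPI bind avoids putting a password in the frame at all.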

Is TCP Port 389 Encrypted?

A connection to port 389 begins unencrypted. It stays that way unless the client negotiates protection on that same connection: either the StartTLS extended operation, which wraps the rest of the session in TLS, or a SASL mechanism that provides confidentiality (Active Directory clients typically use Kerberos with signing and sealing). Port 636 is the alternative in which TLS is established first and every LDAP byte is encrypted. If your clients or tooling cannot do StartTLS or SASL confidentiality, use port 636.

What is Port 389 Used For?

You use port 389 for making LDAP connections. These connections allow users access to directory services, which in turn allows them to access network devices and organizational data.

Devices That Rely on LDAP 389

Most user devices within an organization rely on LDAP for accessing directory services over port 389 or port 636. These devices can be desktop computers, laptops, tablets, and phones. Other organizational devices, such as network printers, also depend on LDAP so users can find and access them.

User Authentication Over LDAP Port 389

An LDAP client normally binds (authenticates) before it can read directory data over port 389, because much of what the server holds is confidential or sensitive. Once the bind succeeds, the client can only retrieve the data that identity is authorized to read. Two caveats: many directories also accept anonymous binds that expose a limited subset of the data (Active Directory disables anonymous reads of most objects by default), and a simple bind on port 389 without StartTLS sends the password in plaintext, which is why servers such as Active Directory can be configured to reject unsigned or cleartext simple binds.

LDAP Port Manages Address Book Services

You can think of directory services as digital address books. When a user within an organization wants to send an email to another person in the organization, they use LDAP much the way they would use a physical address book. They query the LDAP server for the address as they type this person’s name, and the server responds with the set of addresses that matches the query.

Centralized Storage of Organizational Data and TCP 389

Organizations often use directory services such as Microsoft Active Directory as a central repository of organizational data: users, groups, computers, and their attributes. When someone within the organization needs this information, their client queries the LDAP server over port 389 or port 636 to retrieve it.

What is Lightweight Directory Access Protocol?

LDAP allows users in an organization to access protected resources over port 389 or port 636. Port 389 starts in plaintext and can be upgraded with StartTLS or protected by SASL; port 636 carries LDAP inside TLS from the first byte.

LDAP Explained

LDAP is the protocol that clients use to talk to directory services such as Microsoft Active Directory and OpenLDAP. These services allow users in an organization to access protected resources such as email addresses and network printers over port 389 or port 636.

How LDAP Manages Directory Services

LDAP manages directory services by allowing LDAP clients to query LDAP servers over port 389 or port 636. Once a user has been authenticated, the server returns data relating to the resource back to the client, allowing the user to access the resource.

Does LDAP Port 389 Use Other Protocols Besides LDAP?

LDAP itself runs over TCP, so the connection-oriented exchange (bind, search, unbind) on port 389 is a TCP stream. IANA also registers UDP 389, which carries CLDAP (Connectionless LDAP, RFC 1798). Active Directory uses CLDAP for its "LDAP ping" domain-controller locator requests. Because a CLDAP server answers a small unauthenticated UDP query with a larger reply, UDP 389 exposed to the internet is a well-known DDoS reflection vector and should be filtered at the edge.

Understanding TCP Port 389 and Port 636

Both port 389 and port 636 are dedicated to LDAP. Port 389 starts in plaintext and relies on StartTLS or a SASL mechanism for protection, while port 636 carries LDAP over TLS from the start of the connection.

What are the Security Considerations With LDAP 389?

When you use LDAP over port 389 without StartTLS or SASL confidentiality, credentials and directory data cross the network in plaintext. LDAP injection is a separate class of vulnerability: it lives in applications that build LDAP filters or DNs from untrusted input, and it is independent of which port or encryption is used.

How to Check Your Access Controls on Port 389

Access control determines the resources a particular user can read or modify within an LDAP directory. How you check these controls (and change them) depends on the directory service you have implemented: OpenLDAP expresses them as olcAccess rules in the server configuration, while Active Directory uses security descriptors (ACLs) on each object and container, inspected with tools such as dsacls or the Active Directory PowerShell module. Whatever the product, the practical check is the same: bind as an ordinary, low-privilege account (and as an anonymous client) and run searches against the base DN to confirm that nothing sensitive, such as password hashes, service-account attributes, or personal data, is readable to that identity.

LDAP Server Software Vulnerabilities

The largest exposure on port 389 is not a flaw in any particular server product but the protocol's default of plaintext. A simple bind without StartTLS sends the DN and password in the clear, and search results follow in the same stream. Anyone positioned on the network path, or on a shared segment where traffic can be redirected, can capture these frames with a packet sniffer and read the credentials directly. Server software vulnerabilities are an additional concern on either port: keep the directory server patched, and on Active Directory enable LDAP signing and channel binding so that unsigned cleartext binds are rejected.

Regardless of what port you are using or whether you are using encryption, applications that build LDAP queries from user input can be vulnerable to injection attacks, resulting in unauthorized queries and, where the application writes to the directory, improper content modification. Mitigate these attacks by escaping every user-supplied value before it is placed in a search filter (RFC 4515) or a distinguished name (RFC 4514), preferably with the escaping functions your LDAP library already provides, and by authenticating users with a bind as the user rather than by searching for a matching password attribute.
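The two injection points named above, as an added example that is not code from the original article: a search filter and a bind DN built by string concatenation, beside versions that escape user input per RFC 4515 and RFC 4514. The attribute names, base DN and sample inputs are constructed for the example; the escaping functions are written out here so the rules are visible, but a real application should use the equivalents in its LDAP library (for instance escape_filter_chars in python-ldap or ldap3).

```python
"""LDAP injection: vulnerable filter and DN construction beside escaped forms.

Added example, not code from the original article. Escaping follows
RFC 4515 (search filters) and RFC 4514 (distinguished names); the attribute
names, base DN and inputs are constructed sample values.
"""

BASE_DN = "ou=people,dc=example,dc=com"   # assumed directory layout


def login_filter_unsafe(username: str, password: str) -> str:
    """Classic anti-pattern: user input pasted straight into a filter."""
    return f"(&(uid={username})(userPassword={password}))"


def escape_filter(value: str) -> str:
    """RFC 4515 section 3 value encoding: '*', '(', ')', '\\' and NUL become a
    backslash plus two hex digits. Non-ASCII bytes are escaped the same way,
    which the RFC permits and which keeps the result pure ASCII."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def login_filter_safe(username: str, password: str) -> str:
    """Same filter shape, but every user-supplied value is escaped first."""
    return f"(&(uid={escape_filter(username)})(userPassword={escape_filter(password)}))"


def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4: escape '"', '+', ',', ';', '<', '>' and '\\' anywhere,
    '#' only when leading, a space only when leading or trailing, NUL as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_dn_unsafe(username: str) -> str:
    """Bind DN built by concatenation: a comma in the username changes the container."""
    return f"uid={username},{BASE_DN}"


def user_dn_safe(username: str) -> str:
    return f"uid={escape_dn_value(username)},{BASE_DN}"


if __name__ == "__main__":
    # A '*' password turns the equality match into a presence test: every entry
    # with a userPassword attribute matches, so search-based "authentication" passes.
    print(login_filter_unsafe("admin", "*"))
    print(login_filter_safe("admin", "*"))
    # A comma in the username lets the caller pick which container the DN refers to.
    print(user_dn_unsafe("alice,ou=admins"))
    print(user_dn_safe("alice,ou=admins"))
```

Escaping closes the injection, but the unsafe filter also shows why search-and-compare is the wrong design for login: the application is reading (or presence-testing) userPassword instead of letting the directory verify the secret. Bind as the user's DN with the supplied password and let the server return success or invalidCredentials.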

Encryption Differences Between TCP 389 and 636

Connections to port 389 are unencrypted until the client negotiates StartTLS or a SASL mechanism with confidentiality on that connection. Port 636 removes that dependency on the client by establishing TLS before any LDAP message is sent, which is why many hardening guides require it.

What are Potential Port Conflicts with LDAP Port 389?

If you experience port conflicts on port 389, you have two choices. You can either stop the existing service or configure multiple services to use different ports.

Can Multiple Services Interrupt Port 389?

As with any TCP port, only one service can listen on a given address and port pair at a time. If another service is already listening on port 389, the LDAP server will fail to start with an "address in use" error; find the existing listener (for example with ss -ltnp on Linux or netstat -ano on Windows) and stop it before starting your LDAP service.

Can You Run Multiple LDAP Services Simultaneously?

You cannot run multiple LDAP services on the same port, but you can run several on different ports. To do this, configure the additional LDAP server (and all clients that connect to it) to use a port other than 389. Active Directory already does this itself: the Global Catalog listens on 3268 and 3269 alongside 389 and 636, and each AD LDS instance is assigned its own ports.

Conclusion

LDAP provides directory services in a network, which lets organizations control access to the resources within it. You can run LDAP over port 389, but understand that the connection starts in plaintext: unless clients negotiate StartTLS or SASL confidentiality, credentials and directory data are exposed to anyone who can capture the traffic, and port 636 is the safer default.
