Is there a way in Wireshark that I can see the LDAP connection string? i.e. LDAP://server:port/.... I have captured the traffic and see LDAP packets, but not sure where to look for this string. Thanks.
asked 30 May '13, 09:05 malhenry
2 Answers:
That string will not appear in the capture file, as it is a configuration item which tells the system to open an LDAP session to port "port" on "server". So when you do find the LDAP packets, look at the requests and then use the IP destination as "server" and the TCP destination port as "port". Be aware though that there might have been a hostname configured, not an IP address. So if you are capturing on the device that is initiating the LDAP session, look for DNS requests too...
answered 30 May '13, 09:15 SYN-bit ♦♦
I know the server and port. I am really looking for what is being passed as the rest of the connection string... such as the user, which can be specified in more than one format. My reason for doing this is that one client program can successfully authenticate, but another fails with bad user or pw. Not that it matters, but I am authenticating (trying) to a Windows AD LDS instance. Thanks. (30 May '13, 11:17) malhenry
Also, I am attempting to use the same credentials in each of my two client programs. (30 May '13, 11:18) malhenry
Look for LDAP bind requests and for LDAP bind responses.
Then open the LDAP fields in Wireshark and check if you can find the reason. However: There are several ways to protect the authentication information (SSL/TLS, SASL, etc.), so you might not see anything useful. If the client does not use SSL/TLS and the authentication scheme is 'simple' you will be able to see the user and the password, as well as the error message of the LDAP server.
Regards
(30 May '13, 12:20) Kurt Knochner ♦
As long as this is in clear text, you should be able to see the request:
27842 2013-06-02 06:00:28.623270000 macbkpro.willeke.com sa.willeke.com LDAP 135 bindRequest(1) "cn=user1,ou=users,dc=willeke,dc=com" simple
and response:
42775 2013-06-02 06:03:53.739349000 sa.willeke.com macbkpro.willeke.com LDAP 119 bindResponse(1) invalidCredentials (NDS error: failed authentication (-669))
-jim
answered 02 Jun '13, 03:09 jwilleke
I am trying to debug a failed bind request...thanks.
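Added example, not part of the original thread: a minimal BER decoder for the two messages the answers point to, showing where the bind DN, the authentication choice and the result code sit in an unencrypted LDAP bindRequest/bindResponse, so the DN format sent by a working and a failing client can be compared. It assumes each input is the TCP payload of one complete LDAP message; the function names are hypothetical, and the sample bytes are constructed from the DN and error text quoted in the answer above, with a made-up password.

```python
def tlv(tag, value):
    # Encoder used only to build the constructed samples (short-form length, < 128 bytes)
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

RESULT_CODES = {0: "success", 49: "invalidCredentials"}

def parse_ldap_message(payload):
    """Summarise a bindRequest or bindResponse; other operations report only their tag."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(msg, 0)         # messageID INTEGER
    op_tag, op, _ = read_tlv(msg, pos)     # protocolOp CHOICE
    info = {"message_id": int.from_bytes(mid, "big"), "op": f"0x{op_tag:02x}"}
    if op_tag == 0x60:                     # [APPLICATION 0] BindRequest
        _, ver, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)       # bind DN exactly as the client sent it
        auth_tag, auth, _ = read_tlv(op, p)
        info.update(op="bindRequest", version=ver[0], bind_dn=name.decode("utf-8"))
        if auth_tag == 0x80:               # simple [0]: password travels in cleartext
            info.update(auth="simple", cleartext_password_present=len(auth) > 0)
        elif auth_tag == 0xA3:             # sasl [3]: first field is the mechanism name
            info.update(auth="sasl", mechanism=read_tlv(auth, 0)[1].decode("ascii"))
    elif op_tag == 0x61:                   # [APPLICATION 1] BindResponse
        _, code, p = read_tlv(op, 0)       # resultCode ENUMERATED
        _, _matched_dn, p = read_tlv(op, p)
        _, diag, _ = read_tlv(op, p)       # diagnosticMessage from the server
        rc = int.from_bytes(code, "big")
        info.update(op="bindResponse", result=RESULT_CODES.get(rc, str(rc)),
                    diagnostic=diag.decode("utf-8", "replace"))
    return info

# Constructed samples (not taken from a real capture)
DN = b"cn=user1,ou=users,dc=willeke,dc=com"
SAMPLE_REQUEST = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, DN) + tlv(0x80, b"example-password")))
SAMPLE_RESPONSE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61,
    tlv(0x0A, b"\x31") + tlv(0x04, b"") + tlv(0x04, b"NDS error: failed authentication (-669)")))
if __name__ == "__main__":
    print(parse_ldap_message(SAMPLE_REQUEST), parse_ldap_message(SAMPLE_RESPONSE), sep="\n")
```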