LDAP(S) Troubleshooting

Author : Dennis van der Made / Ricoh Europe PSSC


Date : 14 January 2020
Latest update : 21 January 2020
Target Audience : Ricoh service engineers / customer IT staff
Questions / Feedback : [email protected]
Index
Introduction ............................................................................................................................................ 2
Terminology ............................................................................................................................................ 3
LDAP / LDAPS .......................................................................................................................................... 4
Microsoft security update....................................................................................................................... 5
Ricoh MFP configuration......................................................................................................................... 7
Search base ............................................................................................................................................. 9
Recommended settings ........................................................................................................................ 10
Troubleshooting .................................................................................................................................... 11
Ricoh system log error messages .......................................................................................................... 12
Test environment .................................................................................................................................. 13

Introduction
Microsoft will introduce a security update / patch in March 2020 (link) related to LDAP connections.
Enhancing security is obviously a good thing, but it can cause problems when the security
enhancement causes existing connections to fail.
Because the mentioned security update will be rolled out to almost all Microsoft operating systems, it
is to be expected that customers will run into problems. These problems will probably occur when the
customer is not using a ‘secure’ LDAP connection and can often be resolved by changing device
settings. This ‘LDAP(S) troubleshooting’ document intends to provide detailed information on how
to configure the LDAP settings on a Ricoh device and how to troubleshoot reported problems.
This document does not contain sensitive information and as such can be shared with customers.

If you have any questions and/or remarks regarding this document, please send me an email!

Terminology

AD : Active Directory
CA : Certificate Authority
Cleartext authentication : LDAP authentication using cleartext username/password
Digest-MD5 : LDAP authentication using Digest-MD5
DNS : Domain Naming Service
FQDN : Fully Qualified Domain Name (e.g. hostname.domain.name)
Global Catalog : Collection of information from all domains within a forest
IP address : Internet Protocol address (e.g. 192.168.1.10)
LDAP : Lightweight Directory Access Protocol
LDAP : ‘Normal’ LDAP on TCP port 389 (not encrypted)
LDAPS : ‘Secure’ LDAP on TCP port 636 (encrypted using SSL/TLS)
SASL : Simple Authentication and Security Layer (e.g. Digest-MD5)
SSL/TLS : Encrypted connection using SSL or TLS

LDAP / LDAPS
The Lightweight Directory Access Protocol (LDAP) can be used to retrieve information from an Active
Directory or LDAP server. For example, the email address of a specific person, or all persons whose
name starts with ‘John’, can be retrieved using LDAP.
It goes without saying that the connection with the LDAP server can be set up in more than one way.

LDAP/LDAPS default ports:

TCP port 389 - LDAP (unencrypted)
TCP port 636 - LDAPS (encrypted using SSL/TLS)
TCP port 3268 - LDAP Global Catalog
TCP port 3269 - LDAPS Global Catalog

Secure or not secure: when connecting to an LDAP server using port 389, the connection between the
LDAP server and the LDAP client is not encrypted. When ‘cleartext authentication’ is used, this means
that the username and password (which are used to authenticate against the LDAP server) are sent in
plain text, so anyone who can intercept this traffic can easily obtain this sensitive information.
Using encryption is a big improvement, as it makes this information impossible (or at least very
difficult) to read. LDAPS typically uses port 636 and uses SSL or TLS to encrypt the data.

Global Catalog: when using the standard ports 389 or 636, a typical LDAP search will also return
one or more LDAP ‘referrals’. These referrals can be useful in case a specific user cannot be found on
the LDAP server we are connected to; however, Ricoh devices will always try to connect to all LDAP
referrals, even when the LDAP search itself was successful. As such, using the standard LDAP ports
389 or 636 can cause performance issues or other seemingly unexplainable issues.

Screenshot above: an example of an LDAP referral

To prevent these issues, it is recommended to use the ‘Global Catalog’ (unencrypted on port 3268
or encrypted on port 3269). The ‘Global Catalog’ includes all information on all domains included in a
forest (a ‘forest’ is the top-level container of a Microsoft Active Directory and contains one or more
domains). Most customers only use one domain, so using the ‘Global Catalog’ should not be any
different from using the normal ports (389 or 636), except for the LDAP referrals.

Microsoft security update

The Microsoft update related to LDAP (planned for March 2020) intends to improve security by
letting the LDAP server enforce LDAP signing (for unencrypted LDAP connections) and LDAP Channel
Binding (for encrypted LDAP connections using SSL/TLS).

LDAP Signing (‘How to enable LDAP signing in Windows Server 2008’ (link))
Microsoft explains this as follows:
"The security of a directory server can be significantly improved by configuring the server to
reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing
(integrity verification) or to reject LDAP simple binds that are performed on a clear text
(non-SSL/TLS-encrypted) connection"

This means that ‘LDAP simple binds’, which Ricoh often calls ‘Cleartext authentication’, will no longer
work, because the LDAP server will reject any connection using a simple bind. It is worth pointing out
that cleartext authentication really means that the username and password are sent from the MFP to
the LDAP server in plain text, as seen in the screenshot below:

Screenshot above: simple bind / cleartext authentication as seen in captured network data

In case the LDAP server rejects an incoming ‘simple bind’, the following message should appear in
the Ricoh MFP system log:
#[ldap(22)]20/01/13 10:38:21 bind : Strong(er) authentication required(8) ERR

Similar information can also be found in the LDAP server log and even in the network data itself, so
this ‘error’ should be quite obvious.
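As an added example (not code from this document or from Ricoh), the Python below hand-encodes an LDAP version 3 simple bind with BER as specified in RFC 4511, so the frame a device would send on port 389 can be inspected offline: the password bytes sit verbatim in the frame, which is exactly what ‘cleartext authentication’ means. It also decodes a BindResponse and maps resultCode 8 to strongAuthRequired, the code in the system log line quoted above. The credentials and the diagnostic text are constructed, and the reply is built locally rather than received from a server; nothing is sent over the network.

```python
# Added example (not part of the Ricoh document): what an LDAP 'simple bind'
# looks like on the wire, using hand-written BER encoding per RFC 4511, and
# how a BindResponse resultCode maps to the name used in the logs.
# Constructed data only; nothing is sent over the network.

RESULT_NAMES = {0: "success", 8: "strongAuthRequired", 49: "invalidCredentials"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(tag: int, n: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED; enough for message ids and result codes."""
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def simple_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (ber_int(0x02, 3)                 # version INTEGER 3
            + tlv(0x04, name.encode())       # name: LDAPDN (OCTET STRING)
            + tlv(0x80, password.encode()))  # authentication: simple [0] OCTET STRING
    # 0x60 = [APPLICATION 0] BindRequest, wrapped in the outer SEQUENCE
    return tlv(0x30, ber_int(0x02, message_id) + tlv(0x60, bind))


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Constructed BindResponse as a server would send it (used for offline testing)."""
    result = ber_int(0x0A, result_code) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(0x02, message_id) + tlv(0x61, result))  # 0x61 = [APPLICATION 1]


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(msg: bytes) -> dict:
    """Extract messageID, resultCode and diagnosticMessage from a BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {"messageID": int.from_bytes(mid, "big"), "resultCode": rc,
            "resultName": RESULT_NAMES.get(rc, "other"),
            "diagnosticMessage": diag.decode(errors="replace")}


def password_visible(frame: bytes, password: str) -> bool:
    """True if the password can be read verbatim from the unencrypted frame."""
    return password.encode() in frame


if __name__ == "__main__":
    frame = simple_bind_request(1, "forest\\jdoe", "Secret123")  # constructed credentials
    print(frame.hex(" "))
    print("password readable on port 389:", password_visible(frame, "Secret123"))
    reply = bind_response(1, 8, "simple bind rejected")          # constructed reply
    print(decode_bind_response(reply))
```

The same bytes travel over port 636, but inside a TLS record, so the `password_visible` check only succeeds on the unencrypted connection; Digest-MD5 avoids the problem differently, by never placing the password in the bind request at all.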

‘strongAuthRequired’ means that the LDAP server does not accept ‘simple bind’ connections

The second part related to ‘LDAP Signing’ refers to LDAP connections that use ‘SASL’ (e.g. Digest-
MD5) for authentication; these connections will require ‘signing (integrity verification)’ for the LDAP
server to accept the connection. Unfortunately the Microsoft article does not explain how this
‘signing’ can be recognized, and as such it is currently not possible to provide any additional
feedback, apart from the fact that Ricoh MFPs can still connect to the LDAP server when ‘signing’ is
required, so it should work.

Enabling LDAP signing can be done via (local) Group Policy, or by modifying the ‘LDAPServerIntegrity’
registry entry under
‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters’

These are the possible values for ‘LDAPServerIntegrity’:

0 = disabled
1 = enabled, when supported by client
2 = enabled, always (required) (this will probably be the ‘default’ setting after the patch is applied)

Please refer to the Microsoft article for more information.

Channel Binding (‘Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over
SSL/TLS more secure’ (link))
The available information from Microsoft regarding ‘Channel Binding’ is limited; however, channel
binding should help in countering ‘replay attacks’, in which encrypted network traffic is intercepted
and used to attack a server by sending the same data again.
Seeing that limited information is available, it is difficult to point out how Channel Binding influences
an LDAPS connection. Based on tests with the below registry value set to ‘2’ (enabled, required) we
can say that it should work.
Channel Binding is related to LDAPS connections and can be enabled by changing the value of the
‘LdapEnforceChannelBinding’ registry entry under
‘HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters’

These are the possible values for ‘LdapEnforceChannelBinding’:

0 = disabled
1 = enabled, when supported by client
2 = enabled, always (required) (this will probably be the ‘default’ setting after the patch is applied)

Please refer to the Microsoft article for more information.

Ricoh MFP configuration
Configuring an LDAP(S) connection on a Ricoh device can be tricky, simply because entering the
‘wrong’ information can cause the LDAP connection to fail. For example, when using ‘cleartext
authentication’ it is often required to use the ‘domain\username’ syntax (without the domain name,
authentication might fail), but when using Digest-MD5 authentication, only the username should be
used; adding the domain name will result in a failed authentication.
When using LDAPS it is mandatory to use the FQDN (e.g. hostname.domain.name) of the LDAP
server, otherwise the connection will fail. For LDAP connections both the FQDN and the IP address
can be used.
Below is a short overview:

LDAP (port 389 / 3268)

Cleartext authentication:
    Server Name    : IP address or FQDN
    Port Number    : 389 or 3268
    SSL            : off
    Authentication : Cleartext
    Username       : domain\username

Digest-MD5 authentication:
    Server Name    : IP address or FQDN
    Port Number    : 389 or 3268
    SSL            : off
    Authentication : Digest-MD5
    Username       : username
    Note           : requires DNS ‘reverse lookup’

LDAPS (port 636 / 3269)

Cleartext authentication:
    Server Name    : FQDN
    Port Number    : 636 or 3269
    SSL            : on
    Authentication : Cleartext
    Username       : domain\username

Digest-MD5 authentication:
    Digest-MD5 authentication does not seem to work in combination with SSL/TLS

The screenshots below include some examples of how an LDAP connection can be configured:

LDAP configuration for LDAP – Global Catalog (port 3268) with Digest-MD5 authentication (only the ‘username’ is required)

LDAP configuration for LDAPS – Global Catalog (port 3269) with cleartext authentication (LDAPS requires FQDN)

Digest-MD5 uses a DNS ‘reverse lookup’ to ensure it is connecting to a valid LDAP server. Below is an
example of such a reverse lookup. Please refer to the ‘test environment’ topic for more information.

DNS ‘reverse lookup’ should return the FQDN which is in use by a specific IP address

Search base
The ‘search base’ that can be configured on a Ricoh device indicates the starting point of an LDAP
search. The top-level search base will typically be the same as the domain name, which means
that an LDAP search will include all groups included in the AD or LDAP server. Using the domain
name as search base has the advantage that an LDAP search will always be ‘complete’ (because all
groups are included), but the downside might be poor performance, as it simply takes more time to
search all groups within the domain. In case the customer has included all users in a single group,
it would make sense to use this group as the search base.

The command ‘gpresult /r’ can be used to check the groups that the currently logged-on user is part
of (it can be run on a server or on a workstation/laptop); the groups are listed under ‘User Settings’.
Note that the domain part can contain more than two ‘DC’ objects.

The ‘ldp’ application (see ‘troubleshooting’) can also provide insight into which groups are used.

LDAP uses the following object identifiers:

DC = Domain Component
OU = Organizational Unit
CN = Common Name

The test environment used to test the upcoming Microsoft security patch uses the domain name
‘forest.run’ and all users are part of the ‘users’ group. This means that for our test environment, the
‘top level’ search base would be ‘dc=forest, dc=run’.
Seeing that all users are located in the ‘users’ group, the search base can be limited to ‘cn=users,
dc=forest, dc=run’. Limiting the LDAP search to only one group will increase performance, but it also
means that an LDAP search will only return users that are part of that specific group.
Note that a ‘group’ can use either the ‘OU’ or the ‘CN’ object identifier.
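As an added example (not code from this document or from Ricoh), the Python below derives the search base from a domain name with any number of ‘DC’ components, narrows it to a ‘CN’ or ‘OU’ container as described above, and builds the kind of search filter behind the ‘name starts with John’ lookup from the LDAP / LDAPS section. Values that go into a DN are escaped per RFC 4514 and values that go into a filter per RFC 4515, so whatever a user types into the search field is matched literally rather than interpreted as filter syntax. The attribute names objectClass, cn and sAMAccountName are standard Active Directory attributes; that the MFP maps its search fields to these attributes is an assumption.

```python
# Added example (not part of the Ricoh document): derive the 'search base'
# from a domain name and build LDAP search filters in which the search text
# is escaped so it is matched literally (RFC 4514 for DNs, RFC 4515 for filters).
# objectClass, cn and sAMAccountName are standard Active Directory attributes;
# the MFP's own attribute mapping is an assumption here.
from typing import Optional

DN_SPECIAL = '\\,+"<>;='


def escape_dn_value(value: str) -> str:
    """Escape an RDN attribute value for use in a distinguished name."""
    out = "".join("\\" + c if c in DN_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value (RFC 4515 section 3)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(c, c) for c in value)


def domain_to_base_dn(domain: str) -> str:
    """'forest.run' -> 'dc=forest,dc=run'; works for any number of labels."""
    labels = [l for l in domain.strip().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + escape_dn_value(l) for l in labels)


def group_base_dn(group: str, domain: str, kind: str = "cn") -> str:
    """Narrow the base to one container: 'cn' (e.g. the Users container) or 'ou'."""
    if kind not in ("cn", "ou"):
        raise ValueError("kind must be 'cn' or 'ou'")
    return f"{kind}={escape_dn_value(group)},{domain_to_base_dn(domain)}"


def name_prefix_filter(prefix: str) -> str:
    """All user objects whose common name starts with prefix (the document's 'John' example)."""
    return f"(&(objectClass=user)(cn={escape_filter_value(prefix)}*))"


def mail_lookup_filter(account: str) -> str:
    """The user object for one account name; the caller then reads its 'mail' attribute."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(account)}))"


def search_plan(domain: str, group: Optional[str] = None, kind: str = "cn") -> dict:
    """Summarise the trade-off: a narrower base is faster but only sees that container."""
    base = group_base_dn(group, domain, kind) if group else domain_to_base_dn(domain)
    return {"base": base, "scope": "subtree",
            "complete": group is None,
            "note": "includes all groups" if group is None else f"only objects under {base}"}


if __name__ == "__main__":
    print(search_plan("forest.run"))             # top-level base, complete but slower
    print(search_plan("forest.run", "users"))    # limited to the 'users' container
    print(name_prefix_filter("John"))
    print(name_prefix_filter("*)(cn=*"))         # special characters are neutralised
    print(mail_lookup_filter("jdoe"))
```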

Recommended settings
The following Ricoh device settings are recommended from a security point of view:

1) LDAPS (enable SSL) with Cleartext authentication (encrypted communication)
2) LDAP (disable SSL) with Digest authentication (encrypted authentication)

In order to ensure that an LDAP search takes as little time as possible, please keep the following in
mind:

Use of the ‘Global Catalog’ (port 3268 for LDAP, port 3269 for LDAPS) is recommended, so only use the
‘normal’ LDAP port (port 389 for LDAP, port 636 for LDAPS) if using the Global Catalog is not possible.

Please confirm with the customer which search base to use; limiting the search to a specific group
can increase performance, but it can also mean incomplete search results.
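As an added example (not Ricoh's own code), the Python below turns the rules from the configuration overview, the Microsoft security update section and the recommended settings above into a check that can be run on a proposed Ricoh LDAP(S) configuration before it is entered on the device: SSL versus port consistency, FQDN required for LDAPS, Digest-MD5 not combined with SSL/TLS, the username syntax per authentication method, and whether a server with ‘LDAPServerIntegrity’ set to 2 would still accept the bind. The field names mirror the settings page; treating a server name without a dot as not fully qualified is an assumption, and the configurations and the domain controller name dc01.forest.run are constructed.

```python
# Added example (not Ricoh's own code): check a proposed Ricoh LDAP(S)
# configuration against the rules in this document, and predict whether a
# server that requires LDAP signing (LDAPServerIntegrity = 2) will still accept
# the bind. Field names mirror the settings page; the rules are the document's.
from dataclasses import dataclass
import ipaddress
from typing import List

LDAP_PORTS = (389, 3268)
LDAPS_PORTS = (636, 3269)
GLOBAL_CATALOG_PORTS = (3268, 3269)


@dataclass
class LdapConfig:
    server_name: str
    port: int
    ssl: bool
    authentication: str   # "cleartext" or "digest-md5"
    username: str


def is_ip_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_config(cfg: LdapConfig, ldap_server_integrity: int = 2) -> List[str]:
    """Return the problems that would make this configuration fail (empty list = OK)."""
    problems = []
    auth = cfg.authentication.lower()
    if auth not in ("cleartext", "digest-md5"):
        return [f"unknown authentication method '{cfg.authentication}'"]
    if cfg.ssl and cfg.port not in LDAPS_PORTS:
        problems.append(f"SSL is on but port {cfg.port} is not an LDAPS port (636 or 3269)")
    if not cfg.ssl and cfg.port not in LDAP_PORTS:
        problems.append(f"SSL is off but port {cfg.port} is not an LDAP port (389 or 3268)")
    # LDAPS requires the FQDN; an IP address (or, by assumption, a name without
    # a dot, i.e. not fully qualified) will fail
    if cfg.ssl and (is_ip_address(cfg.server_name) or "." not in cfg.server_name):
        problems.append("LDAPS requires the FQDN of the LDAP server (e.g. hostname.domain.name)")
    if cfg.ssl and auth == "digest-md5":
        problems.append("Digest-MD5 does not work in combination with SSL/TLS")
    if auth == "cleartext" and "\\" not in cfg.username:
        problems.append("cleartext authentication usually requires the domain\\username syntax")
    if auth == "digest-md5" and "\\" in cfg.username:
        problems.append("Digest-MD5 requires the username only; a domain prefix fails authentication")
    # Effect of the Microsoft update: a simple bind on an unencrypted connection is rejected
    if auth == "cleartext" and not cfg.ssl and ldap_server_integrity == 2:
        problems.append("simple bind over unencrypted LDAP will be rejected: "
                        "system log shows 'Strong(er) authentication required(8)'")
    return problems


def recommendations(cfg: LdapConfig) -> List[str]:
    """Performance and security tips from the 'Recommended settings' section."""
    tips = []
    if cfg.port not in GLOBAL_CATALOG_PORTS:
        tips.append("use the Global Catalog port (3268 for LDAP, 3269 for LDAPS) to avoid referral delays")
    if cfg.authentication.lower() == "cleartext" and not cfg.ssl:
        tips.append("enable SSL (LDAPS) or switch to Digest-MD5 so credentials are not sent in plain text")
    return tips


if __name__ == "__main__":
    # Constructed configurations for a fictitious domain controller dc01.forest.run
    candidates = {
        "legacy": LdapConfig("192.168.1.10", 389, False, "cleartext", "forest\\mfp-svc"),
        "ldaps-gc": LdapConfig("dc01.forest.run", 3269, True, "cleartext", "forest\\mfp-svc"),
        "digest-gc": LdapConfig("dc01.forest.run", 3268, False, "digest-md5", "mfp-svc"),
    }
    for name, cfg in candidates.items():
        print(name, "problems:", check_config(cfg), "tips:", recommendations(cfg))
```

Running `check_config` with `ldap_server_integrity=0` shows which configurations work today, and the default of 2 shows which ones stop working once the server requires signing; the ‘legacy’ configuration passes the first and fails the second, which is the situation this document expects customers to run into.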

Troubleshooting
Troubleshooting an LDAP(S) connection can be done using various software and from different
‘locations’.

On the LDAP server itself:

-Analyze LDAP server logs for errors
-Install Wireshark on the server and analyze network data
-In case the LDAP server is running on a Microsoft OS, use the ldp (link) application to test the
connection to the local LDAP server. Using ldp, it is easy to quickly test whether the changes made to
the registry are applied correctly, for example to see if ‘simple bind’ still works (it should no longer be
possible after changing the ‘LDAPServerIntegrity’ registry setting to ‘2’ (enabled, required)).

Left: ldp connection options
Right: ldp ‘bind’ options

On the Ricoh device:

-Check the device system log for error messages related to LDAP connections
-Use the ‘Connection Test’ button (sets up a ‘complete’ connection)
-Perform an actual ‘LDAP search’ to ensure that the correct ‘search base’ is used

Other options are:

-Use an LDAP browser from another workstation connected to the (customer’s) network
-Capture network data using a ‘port monitor’ session

Ricoh system log error messages
Testing the LDAP connection can be done using the ‘connection test’ button, but it will only return
‘success’ or ‘failure’. In case the connection test fails, the ‘system log’ (Web Image Monitor →
Configuration → Network → System Log) should include some information related to the failure; some
examples are below:

#[ldap(22)]20/01/13 10:38:21 bind : Strong(er) authentication required(8) ERR:

'Stronger authentication' refers to simple bind using LDAP (cleartext authentication) not being
allowed by the LDAP server. Either use Digest-MD5 authentication or switch to LDAPS (SSL/TLS) to
'fix' this.

#[ldap(22)]20/01/14 10:41:16 bind : Can't contact LDAP server(-1) ERR:

'Can't contact LDAP server' means that the connection to the LDAP server cannot be completed.
This can be caused by using an incorrect IP address or an incorrect FQDN. Another possibility is that
the IP address of the LDAP server is used where the FQDN is required (LDAPS).

#[ldap(22)]20/01/13 11:08:58 bind : Invalid credentials(49) ERR:

'Invalid credentials' can simply mean that a wrong username/password is used. It can also mean that
the account used does not have sufficient access rights; however, it can also mean that an incorrect
syntax is used: plaintext authentication often requires the 'domain\username' syntax, whereas Digest-
MD5 works with the username only.
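As an added example (not code from this document or from Ricoh), the Python below parses the LDAP lines of a Ricoh system log in the format quoted above and attaches the explanation this section gives for each result code, so a service engineer can run it over an exported log instead of matching the lines by eye. The three ERR lines in the sample are the ones quoted in this section, the INFO line is constructed, and reading the date as yy/mm/dd is an assumption based on the document's January 2020 dates.

```python
# Added example (not part of the Ricoh document): parse the LDAP lines of a
# Ricoh system log and attach the explanation this document gives for each
# result code. Three sample lines are quoted from the document, the INFO line
# is constructed; the date is read as yy/mm/dd (an assumption).
import re
from datetime import datetime
from typing import List, Dict

LOG_RE = re.compile(
    r"^#\[(?P<module>\w+)\((?P<pid>\d+)\)\]"
    r"(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<op>\w+) : (?P<message>.*?)\((?P<code>-?\d+)\) (?P<level>\w+):?$"
)

# LDAP result codes and the document's explanation of each
HINTS: Dict[int, str] = {
    8: "strongAuthRequired: the server no longer accepts a simple bind (cleartext "
       "authentication) over unencrypted LDAP. Use Digest-MD5 or switch to LDAPS (SSL/TLS).",
    -1: "cannot contact the LDAP server: check the IP address/FQDN, and remember that "
        "LDAPS requires the FQDN rather than the IP address.",
    49: "invalidCredentials: wrong username/password, insufficient rights, or wrong syntax "
        "(cleartext often needs domain\\username; Digest-MD5 takes the username only).",
}

SAMPLE_LOG = """\
#[ldap(22)]20/01/13 10:38:21 bind : Strong(er) authentication required(8) ERR:
#[ldap(22)]20/01/14 10:41:16 bind : Can't contact LDAP server(-1) ERR:
#[ldap(22)]20/01/13 11:08:58 bind : Invalid credentials(49) ERR:
#[ldap(22)]20/01/13 11:09:30 bind : constructed informational line(0) INFO
"""


def parse_ldap_log(text: str) -> List[dict]:
    """Return one dict per LDAP log line; lines from other modules are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["module"] != "ldap":
            continue
        entries.append({
            "timestamp": datetime.strptime(m["date"] + " " + m["time"], "%y/%m/%d %H:%M:%S"),
            "operation": m["op"],
            "message": m["message"].strip(),
            "code": int(m["code"]),
            "level": m["level"],
        })
    return entries


def triage(entries: List[dict]) -> List[str]:
    """One line of advice per ERR entry, keyed on the LDAP result code."""
    out = []
    for e in entries:
        if e["level"] != "ERR":
            continue
        hint = HINTS.get(e["code"], "no specific guidance in this document for this code")
        out.append(f"{e['timestamp']:%Y-%m-%d %H:%M:%S} {e['operation']} "
                   f"'{e['message']}' ({e['code']}): {hint}")
    return out


if __name__ == "__main__":
    for line in triage(parse_ldap_log(SAMPLE_LOG)):
        print(line)
```

Because the result code is the same number the LDAP server puts in its BindResponse, a code of 8 seen after the Microsoft update is applied is a direct indication that the device is still configured for cleartext authentication over unencrypted LDAP.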

Test environment
Testing the LDAP connection and the effect of the Microsoft security update is best done as follows:

1) Install a clean Windows Server OS (Server 2016 or Server 2019).
2) Install the ‘Active Directory Domain Services’ and ‘DNS’ server roles for a ‘stand-alone’ setup.
3) Run ‘dcpromo’ to promote the AD server to Domain Controller.
4) Add at least one ‘normal’ user to the AD (make sure to add an email address).
5) Add a ‘reverse lookup’ zone to the DNS role and add a PTR record for the server.
6) Install the ‘Active Directory Certificate Services’ role.

When the above steps are completed, LDAP should work on port 389 and LDAPS should work on port
636. Use ‘ldp.exe’ to test whether LDAP(S) indeed works correctly, then move on to configuring a
Ricoh MFP.

DNS Manager showing ‘reverse lookup’ zone

The ‘Global Catalog’ will be available on the first installed domain controller by default. To check
whether a specific domain controller is also available as a Global Catalog, run the command
‘dsquery server -forest -isgc’

The output of the ‘dsquery server -forest -isgc’ command will be one or more domain controllers that are available as Global Catalog

