Question

I have been requested to expose a web service for managing Active Directory Users via an intranet. I have been advised that LDAP is viewed as a security vulnerability and is not to be used.

Given this constraint, I have managed to connect via ADSI with a DirectoryEntry object like this:

using System.DirectoryServices;

// WinNT:// provider: exposes only the legacy (pre-Windows 2000) user attributes,
// not the full Active Directory schema.
DirectoryEntry de = new DirectoryEntry();
de.Path = "WinNT://TheDomain.local";
de.Username = "NTUser1";
de.Password = "pwdpwdpwd2";

I can loop through the children of this DirectoryEntry and get the ones that are users. On the Users, I can see these basic properties: UserFlags, MaxStorage, PasswordAge, PasswordExpired, LoginHours, FullName, Description, BadPasswordAttempts, LastLogin, HomeDirectory, LoginScript, Profile, HomeDirDrive, Parameters, PrimaryGroupID, Name, MinPasswordLength, MaxPasswordAge, MinPasswordAge, PasswordHistoryLength, AutoUnlockInterval, LockoutObservationInterval, MaxBadPasswordsAllowed, objectSid.

There are a number of User properties that are visible in the Active Directory MMC that are not accessible from the DirectoryEntry object including: LastName, NameSuffix, Department, etc...

These other properties are all documented in msdn as being exposed by IADsUser (http://msdn.microsoft.com/en-us/library/aa746340%28VS.85%29.aspx).

1) Is LDAP actually a vulnerable protocol? More so than the ADSI (WinNT) connection shown above? LDAP seems to be pretty common for this purpose.

2) How can I retrieve/set these other properties of the User?

TIA


Solution

http://www.techgalaxy.net/Docs/Dev/Using_ADSI_and_LDAP_with_AD.htm explains the difference between LDAP and ADSI; http://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx includes illustrations.

In short, ADSI is a simplified wrapper around LDAP. If there's any insecurity to it, it's in the binding, which here appears to be SIMPLE (unencrypted plaintext username and password). If you bind the LDAP connection using any other method (or over an SSL connection), it should be secure.

OTHER TIPS

1- LDAP packet transmission is performed as plaintext, so somebody can capture your data. If you use the LDAPS protocol or TLS-enable your LDAP connection, it is safe. ADSI is just an implementation of an LDAP client by Microsoft, and it supports both LDAP and LDAPS connections. When you use ADSI against your corporate Active Directory, it primarily tries to start an LDAPS connection. So you are safe if you use ADSI; or you can use any other client or programming library as well if you use a secure connection. The default port for LDAPS is 636.

2- To get more information about directory objects, you can use the GetInfoEx method, which loads exactly the attributes you want. Below you can see an example: http://msdn.microsoft.com/en-us/library/aa746411%28v=vs.85%29.aspx

But some of the properties that you look for are stored in Active Directory under attribute names different from the ones shown in the MMC console, e.g. First name is stored as 'givenName' and Last name is stored as 'sn'. Look here to find the names of the attributes you need.

You can find more information here.
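The two answers above cover the same ground: the binding method is what decides whether credentials and attributes cross the wire in plaintext, and the extra user attributes are reachable through the LDAP:// provider under their schema names (givenName, sn, department) rather than the MMC labels. The following is an added example, not code from the question or either answer, showing both points in one place. It assumes a domain TheDomain.local with a domain controller dc01.thedomain.local and a user whose sAMAccountName is jdoe; those names, the department value written at the end, and the EscapeFilter helper are assumptions for illustration. DirectoryEntry.RefreshCache(string[]) is the .NET counterpart of the IADs::GetInfoEx call mentioned in the second tip.

```csharp
// Added example (not from the original question or answers).
// Assumed placeholders: TheDomain.local, dc01.thedomain.local, user "jdoe".
using System;
using System.DirectoryServices;
using System.Text;

class AdUserAdmin
{
    // Bind over LDAP with Kerberos/NTLM (Secure) plus signing and sealing:
    // no SIMPLE bind, and the session is integrity-protected and encrypted
    // without requiring a certificate on the domain controller.
    // Null credentials mean the calling process's Windows identity is used,
    // so no password needs to be stored in the web service.
    static DirectoryEntry BindSigned(string ldapPath)
    {
        return new DirectoryEntry(
            ldapPath, null, null,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing);
    }

    // Alternative: LDAPS on port 636. The DC must present a server certificate
    // the client trusts; the whole session is wrapped in TLS.
    static DirectoryEntry BindLdaps(string host, string baseDn)
    {
        return new DirectoryEntry(
            "LDAP://" + host + ":636/" + baseDn, null, null,
            AuthenticationTypes.SecureSocketsLayer | AuthenticationTypes.Secure);
    }

    // Escape the RFC 4515 filter metacharacters (assumed helper) so a
    // caller-supplied account name cannot change the shape of the search filter.
    static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    static DirectoryEntry FindUser(DirectoryEntry root, string samAccountName)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilter(samAccountName) + "))";
            searcher.PropertiesToLoad.AddRange(new[] { "distinguishedName" });
            SearchResult result = searcher.FindOne();
            return result == null ? null : result.GetDirectoryEntry();
        }
    }

    static void Main()
    {
        using (DirectoryEntry root = BindSigned("LDAP://dc01.thedomain.local/DC=TheDomain,DC=local"))
        using (DirectoryEntry user = FindUser(root, "jdoe"))
        {
            if (user == null) { Console.WriteLine("user not found"); return; }

            // Equivalent of IADs::GetInfoEx: load only the attributes we need.
            // MMC labels differ from schema names: First name = givenName, Last name = sn.
            user.RefreshCache(new[] { "givenName", "sn", "department" });
            Console.WriteLine("givenName  = " + user.Properties["givenName"].Value);
            Console.WriteLine("sn         = " + user.Properties["sn"].Value);
            Console.WriteLine("department = " + user.Properties["department"].Value);

            // Writes use the same attribute names; CommitChanges sends the modify to the DC.
            user.Properties["department"].Value = "Security Engineering";
            user.CommitChanges();
        }
    }
}
```

If the intranet service must act on behalf of the browsing user rather than its own service account, swap the null credentials for the caller's identity (Windows authentication plus impersonation or delegation); the point that stays the same is that the bind type, not the choice between WinNT:// and LDAP://, is what determines whether the password and attributes travel in the clear.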

Licensed under: CC-BY-SA with attribution