Active Directory and LDAP in practice

In most companies with on-premise infrastructure, identity is held by Active Directory (AD) — Microsoft's directory service. Understanding AD and the LDAP protocol is the foundation for security in a hybrid environment and the entry point for the ZEUS on-prem connector.

AD structure: forest, domain, OU

Concept   What it is
Forest    the topmost security boundary, a set of domains
Domain    the boundary of replication and policy (e.g. corp.firma.pl)
OU        Organizational Unit — a container for objects, for delegation and GPOs
Object    a user, computer, group, service account

Domain controllers (DCs) hold the directory database and handle logons (Kerberos, NTLM). GPOs (Group Policy) enforce configuration on machines and users.

LDAP — how the directory is read

LDAP (Lightweight Directory Access Protocol) is the protocol for querying the directory. Objects have a Distinguished Name (DN), e.g.:

CN=Jan Kowalski,OU=IT,DC=corp,DC=firma,DC=pl

An LDAP query filters objects by attributes. Example — all users with an enabled account:

# objectCategory=person keeps computer objects out (in AD they are objectClass=user too);
# the :1.2.840.113556.1.4.803: rule is a bitwise AND on userAccountControl, bit 2 = ACCOUNTDISABLE
ldapsearch -x -H ldaps://dc01.corp.firma.pl \
  -D "CN=svc-zeus,OU=Service,DC=corp,DC=firma,DC=pl" -W \
  -b "DC=corp,DC=firma,DC=pl" \
  "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" \
  sAMAccountName memberOf

Tip: always use LDAPS (port 636) or LDAP + StartTLS. Plain LDAP (389) transmits everything, including the bind credentials, in cleartext — a security finding that ZEUS reports.

By default AD returns at most 1000 objects per query (MaxPageSize). To read the whole domain (tens of thousands of objects), you must use a paged search — fetching results in pages with a continuation cookie. Without it the query stops at the first 1000 objects and the inventory is incomplete, so paging is a fundamental of correct directory inventory.
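The paging loop described above, as an added example that is not part of this lesson or the ZEUS connector: a cookie-driven search that stops when the DC returns an empty cookie, a constructed stand-in DC that enforces MaxPageSize so it runs offline, a guard that refuses anything but ldaps://, and a real fetcher that assumes the ldap3 library's paged-search API (paged_size, paged_cookie, and the 1.2.840.113556.1.4.319 control in the result).

```python
from typing import Callable, Dict, Iterator, List, Tuple
from urllib.parse import urlparse

# Enabled user accounts: objectCategory=person keeps computer objects out (in AD they
# are objectClass=user too); bit 2 of userAccountControl is ACCOUNTDISABLE.
ENABLED_USERS = ("(&(objectCategory=person)(objectClass=user)"
                 "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

# A page fetcher takes (cookie, page_size) and returns (entries, next_cookie);
# the first call passes b"", and an empty next_cookie marks the last page.
PageFetcher = Callable[[bytes, int], Tuple[List[Dict], bytes]]

def require_ldaps(url: str) -> str:
    """Refuse plain LDAP: a simple bind over ldap:// crosses the wire in cleartext."""
    if urlparse(url).scheme.lower() != "ldaps":
        raise ValueError(f"refusing {url}: use ldaps:// (or LDAP with StartTLS)")
    return url

def paged_search(fetch_page: PageFetcher, page_size: int = 1000) -> Iterator[Dict]:
    """Follow the continuation cookie until the DC returns an empty one (RFC 2696)."""
    cookie = b""
    while True:
        entries, cookie = fetch_page(cookie, page_size)
        yield from entries
        if not cookie:
            return

def fake_dc(directory: List[Dict], max_page_size: int = 1000) -> PageFetcher:
    """Constructed stand-in for a DC: serves `directory` in pages of at most
    max_page_size (AD's MaxPageSize) and uses the next offset as an opaque cookie."""
    def fetch(cookie: bytes, page_size: int) -> Tuple[List[Dict], bytes]:
        start = int(cookie or b"0")
        end = min(start + min(page_size, max_page_size), len(directory))
        return directory[start:end], (str(end).encode() if end < len(directory) else b"")
    return fetch

def ldap3_fetcher(url: str, bind_dn: str, password: str, base_dn: str) -> PageFetcher:
    """Real fetcher on ldap3's paged-search API (assumed; imported lazily so the
    rest of this file runs with neither the library nor a DC)."""
    import ssl
    from ldap3 import Connection, Server, Tls
    server = Server(urlparse(require_ldaps(url)).hostname, port=636, use_ssl=True,
                    tls=Tls(validate=ssl.CERT_REQUIRED))
    conn = Connection(server, user=bind_dn, password=password, auto_bind=True)
    def fetch(cookie: bytes, page_size: int) -> Tuple[List[Dict], bytes]:
        conn.search(base_dn, ENABLED_USERS, attributes=["sAMAccountName", "memberOf"],
                    paged_size=page_size, paged_cookie=cookie or None)
        ctl = conn.result.get("controls", {}).get("1.2.840.113556.1.4.319", {})
        return list(conn.response), ctl.get("value", {}).get("cookie", b"")
    return fetch
```

Against the fake DC, a single unpaged call for 5000 entries still comes back with 1000, while paged_search walks all of them; swap in ldap3_fetcher(...) for a real domain read.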

Key objects for security

  • privileged groups: Domain Admins, Enterprise Admins, Schema Admins,
  • service accounts with an old password or an SPN (Kerberoasting risk),
  • accounts with PASSWD_NOTREQD or with no password expiration,
  • inactive accounts that are still enabled.

How ZEUS sees it

The ZEUS on-prem connector performs a paged LDAP query over LDAPS, using a dedicated service account with read-only permissions. It reads the whole domain — users, groups, computers, service accounts — and on that basis builds identity posture: who belongs to privileged groups, which accounts are risky, where password hygiene is missing. We cover the full mechanics (reverse-SSH tunnel + AD/ADFS scan) in lesson 06.

In the next lesson: vCenter/vSphere and the inventory of virtual machines.