LDAP Honeypot
Detect unauthorized access attempts targeting LDAP directory services.
About LDAP
LDAP (Lightweight Directory Access Protocol) is the backbone of enterprise directory services such as Active Directory and OpenLDAP. A valid bind DN and password let a client enumerate organizational data including user accounts, group memberships, and security policies, which makes LDAP credentials extremely high-value targets in corporate environments. A honeypot credential is never valid against a real directory, so any bind that uses it is by definition someone who found the planted secret.
What Gets Captured
When an attacker attempts to connect using your LDAP honeypot credentials, Tripwires captures:
- Bind DN - The distinguished name used in the bind request
- Source IP - The attacker's IP address
- Timestamp - Exact time of the connection
- Bind method - Simple bind or SASL mechanism used
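To show how the bind DN and the bind method above are recovered from what a client actually sends, the following is an added example (not Tripwires' own code): a small decoder for the BER-encoded LDAPv3 BindRequest defined in RFC 4511, plus a constructed encoder that produces the same bytes ldapsearch or ldap3 would put on the wire. The planted DN and password are the ones from this page; the SASL mechanism name and the message IDs are sample values chosen for the demonstration.

```python
# BER tag bytes used by an LDAP BindRequest (RFC 4511 section 4.2)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice.simple: [0] OCTET STRING
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice.sasl: [3] SaslCredentials


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    """Read a TLV and insist on a specific tag."""
    got, value, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt


def parse_bind_request(packet):
    """Return the fields a honeypot logs from one LDAPMessage carrying a BindRequest.

    The simple-bind password is present in the bytes but is deliberately not
    returned; the DN and method identify which planted credential was used.
    Any other protocolOp, or malformed input, raises ValueError.
    """
    msg, _ = _expect(packet, 0, TAG_SEQUENCE)
    msg_id, pos = _expect(msg, 0, TAG_INTEGER)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != TAG_BIND_REQUEST:
        raise ValueError(f"not a BindRequest (protocolOp tag 0x{op_tag:02x})")
    version, pos = _expect(op, 0, TAG_INTEGER)
    name, pos = _expect(op, pos, TAG_OCTET_STRING)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag == TAG_AUTH_SIMPLE:
        method, mechanism = "simple", None
    elif auth_tag == TAG_AUTH_SASL:
        mech, _ = _expect(auth, 0, TAG_OCTET_STRING)   # SaslCredentials.mechanism
        method, mechanism = "sasl", mech.decode("utf-8")
    else:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{auth_tag:02x}")
    return {
        "message_id": int.from_bytes(msg_id, "big", signed=True),
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode("utf-8"),
        "method": method,
        "mechanism": mechanism,
    }


def _tlv(tag, value):
    """BER-encode one TLV, switching to the long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_bind_request(message_id, bind_dn, password=None, sasl_mechanism=None):
    """Constructed sample BindRequest (message_id must be below 128 for this toy encoder)."""
    if sasl_mechanism is None:
        auth = _tlv(TAG_AUTH_SIMPLE, password.encode("utf-8"))
    else:
        auth = _tlv(TAG_AUTH_SASL, _tlv(TAG_OCTET_STRING, sasl_mechanism.encode("utf-8")))
    op = _tlv(TAG_BIND_REQUEST,
              _tlv(TAG_INTEGER, bytes([3]))                       # LDAPv3
              + _tlv(TAG_OCTET_STRING, bind_dn.encode("utf-8"))   # bind DN
              + auth)
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + op)


if __name__ == "__main__":
    # Constructed sample: the DN planted on this page, sent as a simple bind.
    print(parse_bind_request(build_bind_request(1, "cn=admin,dc=corp,dc=example", password="password")))
    # A SASL bind carries a mechanism name instead of a DN/password pair.
    print(parse_bind_request(build_bind_request(2, "", sasl_mechanism="DIGEST-MD5")))
```

Source IP and timestamp are not in the LDAP message at all; a real honeypot takes them from the accepted TCP socket, which is why the decoder only returns the protocol-level fields. Note that a simple bind over plain ldap:// carries the password in cleartext, so a server that sees the planted DN has also seen the planted password and can tell which copy of the credential was found.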
Connection String Formats
LDAP credentials can be planted in various formats depending on your tech stack:
ldapsearch Command
ldapsearch -x -H ldap://ldap-xxx.gettripwires.com:389 -D "cn=admin,dc=corp,dc=example" -w password -b "dc=corp,dc=example"
LDAP URL
ldap://ldap-xxx.gettripwires.com:389/dc=corp,dc=example
Python (ldap3)
from ldap3 import Server, Connection
server = Server('ldap-xxx.gettripwires.com', port=389)
conn = Connection(server, 'cn=admin,dc=corp,dc=example', 'password')
conn.bind()    # sends the simple bind that trips the honeypot; returns False on failure
conn.unbind()
Java JNDI
import java.util.Hashtable;
import javax.naming.Context;
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); // required by JNDI
env.put(Context.PROVIDER_URL, "ldap://ldap-xxx.gettripwires.com:389");
env.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=corp,dc=example");
env.put(Context.SECURITY_CREDENTIALS, "password");
new javax.naming.directory.InitialDirContext(env).close(); // the simple bind happens here
Strategic Placement Ideas
Active Directory Configs
Leave as 'backup domain controller' connection in AD integration configs.
SSO/Authentication Settings
Add as 'legacy LDAP server' in single sign-on configuration files.
IT Documentation
Include as 'directory sync service' credentials in IT wikis.