Question on LDAP

asked 2023-03-08 17:06:51 +0000

wwwillster07

This isn't for a particular problem, just an observation I had that I'm not quite able to wrap my head around.

I was given a pcap with a display filter showing only "ldap", and one after another you see the binds, the SASL packets, the unbind: just a textbook example of request after request being answered without issue. All on 389.

The destination is an Active Directory server, the PDC in fact. I wouldn't think anything of it, except that if you RDP into the Windows source box and do a netstat, there's no 389 connection to that domain controller; the only 389 connections are to the other DC at the location.

Why the discrepancy?
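
One check worth running before reading anything into a mismatch like this: netstat is a point-in-time snapshot of the socket table, while a capture spans an interval, and a bind/search/unbind exchange normally ends with the client closing the TCP connection within milliseconds. The script below is an added example, not part of the original post and not an answer to it; it correlates each LDAP session in a capture (grouped by TCP stream) with a netstat snapshot taken on the client and says, per session, why netstat would or would not show it. The capture rows, the netstat output, the snapshot time and the addresses (10.1.1.50 as the client, 10.1.1.10 as the PDC, 10.1.1.11 as the other DC) are all constructed for illustration.

```python
"""Correlate LDAP sessions in a capture with a netstat snapshot from the client."""
from dataclasses import dataclass, field

# Constructed capture rows (not from the original post). Columns are whitespace-separated
# in the order a `tshark -Y ldap -T fields -e frame.time_epoch -e tcp.stream -e ip.src
# -e ip.dst -e tcp.dstport` export would list them, plus a hand-written LDAP operation label.
# Assumed hosts: 10.1.1.50 client, 10.1.1.10 PDC, 10.1.1.11 the other DC.
CAPTURE_ROWS = """
1678291200.001 0 10.1.1.50 10.1.1.10 389   bindRequest
1678291200.004 0 10.1.1.10 10.1.1.50 52001 bindResponse
1678291200.006 0 10.1.1.50 10.1.1.10 389   searchRequest
1678291200.020 0 10.1.1.10 10.1.1.50 52001 searchResEntry
1678291200.021 0 10.1.1.10 10.1.1.50 52001 searchResDone
1678291200.023 0 10.1.1.50 10.1.1.10 389   unbindRequest
1678291300.500 1 10.1.1.50 10.1.1.11 389   bindRequest
1678291300.503 1 10.1.1.11 10.1.1.50 52010 bindResponse
1678291420.100 1 10.1.1.50 10.1.1.11 389   searchRequest
1678291420.110 1 10.1.1.11 10.1.1.50 52010 searchResDone
1678291600.000 2 10.1.1.50 10.1.1.10 389   bindRequest
1678291600.003 2 10.1.1.10 10.1.1.50 52020 bindResponse
"""

# Constructed `netstat -n` output as seen on the client (Windows layout), taken at SNAPSHOT_TS.
NETSTAT_TEXT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.1.1.50:52010        10.1.1.11:389          ESTABLISHED
  TCP    10.1.1.50:52011        10.1.1.11:445          ESTABLISHED
  TCP    10.1.1.50:3389         10.1.1.200:55120       ESTABLISHED
"""
SNAPSHOT_TS = 1678291500.0  # constructed: five minutes into the capture window


@dataclass
class LdapSession:
    stream: int
    client: str
    server: str
    port: int
    first: float
    last: float
    ops: list = field(default_factory=list)


def parse_capture(text):
    """Group LDAP packets by TCP stream; the stream's first packet fixes client/server."""
    sessions = {}
    for line in text.strip().splitlines():
        ts, stream, src, dst, dport, op = line.split()
        ts, stream, dport = float(ts), int(stream), int(dport)
        s = sessions.get(stream)
        if s is None:
            # Assumes the capture contains the client's first packet of the stream;
            # if it does not, client and server come out swapped.
            s = LdapSession(stream, src, dst, dport, ts, ts)
            sessions[stream] = s
        s.first, s.last = min(s.first, ts), max(s.last, ts)
        s.ops.append(op)
    return sessions


def parse_netstat(text):
    """Return {(local_ip, remote_ip, remote_port, state)} from netstat -n style lines."""
    conns = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP":
            local_ip, _, _ = parts[1].rpartition(":")
            remote_ip, _, remote_port = parts[2].rpartition(":")
            conns.add((local_ip, remote_ip, int(remote_port), parts[3]))
    return conns


def correlate(sessions, conns, snapshot_ts):
    """Per session, explain its presence or absence in the snapshot."""
    established = {(l, r, p) for (l, r, p, st) in conns if st == "ESTABLISHED"}
    report = {}
    for s in sessions.values():
        if (s.client, s.server, s.port) in established:
            status = "present in netstat"
        elif s.ops and s.ops[-1] == "unbindRequest" and s.last < snapshot_ts:
            status = "closed by unbind before snapshot"
        elif s.first > snapshot_ts:
            status = "opened after snapshot"
        else:
            # Was open around snapshot time yet absent: capture and netstat may not
            # describe the same host, or the snapshot missed it; worth a closer look.
            status = "unexplained"
        report[s.stream] = status
    return report


def servers_seen(sessions, conns):
    """LDAP (389) servers in the capture versus those live in the snapshot."""
    in_capture = {s.server for s in sessions.values() if s.port == 389}
    live = {r for (_, r, p, _) in conns if p == 389}
    return in_capture, live


def run_sample():
    sessions = parse_capture(CAPTURE_ROWS)
    conns = parse_netstat(NETSTAT_TEXT)
    return correlate(sessions, conns, SNAPSHOT_TS), servers_seen(sessions, conns)


if __name__ == "__main__":
    report, (in_capture, live) = run_sample()
    for stream, status in sorted(report.items()):
        print(f"tcp.stream {stream}: {status}")
    print("LDAP servers in capture:", sorted(in_capture), "live at snapshot:", sorted(live))
```

On the constructed data, the session to the PDC is reported as closed by its unbind well before the snapshot, the session to the other DC is the one netstat still shows, and a third session starts after the snapshot; the capture therefore lists both DCs on 389 while netstat lists only one. A real run would feed the script an actual `tshark -T fields` export and the netstat output from the same host, and any session landing in the "unexplained" bucket is the one that deserves attention.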

