LDAP with Nmap is one of those quiet, sharp tools that can reveal more than you expect. Lightweight Directory Access Protocol (LDAP) is everywhere in corporate networks — storing identities, authenticating users, and tying systems together. Nmap brings precision to discovering and interrogating it. Together, they can expose the surface area of something meant to stay hidden.
Finding LDAP services with Nmap starts with knowing what to look for. The default port is 389 for plain LDAP (which a client may upgrade in-band with StartTLS) and 636 for LDAPS over SSL/TLS. A simple scan like:
nmap -p 389,636 --script ldap* <target>
will attempt to locate the services and, where it can, gather information. Note that the ldap* wildcard selects every LDAP NSE script, including ldap-brute, which attempts password guesses against the bind; for a read-only check, name the scripts explicitly, for example --script ldap-rootdse,ldap-search. ldap-rootdse reads the root DSE, which lists naming contexts and supported SASL authentication mechanisms, and ldap-search queries the exposed directory, returning user or group entries if anonymous binds are enabled.
LDAP often runs on internal domains, but when it’s reachable from external networks, it’s a risk vector. Enumeration can happen fast, and misconfigured servers may return sensitive organizational data without authentication. That is why aligning network segmentation with access controls is critical.
Effective LDAP reconnaissance with Nmap means understanding the nuances of the protocol. Beyond simple port detection, inspecting SSL/TLS support, checking whether anonymous or default binds are accepted, and checking schema exposure all matter. Small details — like whether a server leaks its naming contexts — can hand your domain structure to an attacker.
Security assessments should include active scans on known and unknown network ranges. Automating these scans with scheduled jobs ensures that changes to your LDAP exposure don’t slip by unnoticed. Every new service and every configuration drift can be caught before it becomes an incident.
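To make a scheduled scan useful, something has to read the results and compare them with the last run. The script below is an added example (not code from the original post, from Nmap, or from hoop.dev): it parses the XML that nmap writes with -oX, records for each host whether 389 and 636 are open and what the ldap-rootdse and ldap-search scripts returned, turns that into findings, and reports which findings are new relative to a saved baseline. The XML embedded in it is constructed sample output for two hosts, not a real capture, and the finding strings are this example's own labels.

```python
"""Parse Nmap XML from an LDAP-focused scan and flag exposure drift.

Added example, not from the original post, Nmap or hoop.dev. Assumes the
scan was run with -oX and the ldap-rootdse / ldap-search NSE scripts.
SAMPLE_XML is constructed sample output, not a real capture.
"""
import xml.etree.ElementTree as ET

LDAP_PORTS = {"389": "ldap", "636": "ldaps"}

# Constructed sample: host .5 answers anonymous searches on 389 and has no
# LDAPS; host .6 offers both 389 and 636 and returns no entries anonymously.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="389">
        <state state="open"/>
        <service name="ldap"/>
        <script id="ldap-rootdse" output="namingContexts: DC=corp,DC=example"/>
        <script id="ldap-search" output="dn: CN=jdoe,OU=Users,DC=corp,DC=example"/>
      </port>
      <port protocol="tcp" portid="636">
        <state state="closed"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="389">
        <state state="open"/>
        <service name="ldap"/>
        <script id="ldap-rootdse" output="namingContexts: DC=corp,DC=example"/>
      </port>
      <port protocol="tcp" portid="636">
        <state state="open"/>
        <service name="ssl/ldap"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_ldap_exposure(xml_text):
    """Return {ip: {"open": set of LDAP ports, "anonymous_entries": bool,
    "naming_contexts": bool}} from Nmap XML output."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        info = {"open": set(), "anonymous_entries": False, "naming_contexts": False}
        for port in host.findall("ports/port"):
            pid = port.get("portid")
            state = port.find("state")
            if pid not in LDAP_PORTS or state is None or state.get("state") != "open":
                continue
            info["open"].add(pid)
            for script in port.findall("script"):
                out = script.get("output", "")
                if script.get("id") == "ldap-rootdse" and "namingContexts" in out:
                    info["naming_contexts"] = True
                # ldap-search only lists entries when its (anonymous) bind succeeded
                if script.get("id") == "ldap-search" and "dn:" in out:
                    info["anonymous_entries"] = True
        result[addr] = info
    return result


def findings(exposure):
    """Map each host to a list of human-readable exposure findings."""
    out = {}
    for ip, info in exposure.items():
        msgs = []
        if "389" in info["open"] and "636" not in info["open"]:
            msgs.append("plain LDAP on 389 without LDAPS on 636")
        if info["naming_contexts"]:
            msgs.append("root DSE exposes naming contexts anonymously")
        if info["anonymous_entries"]:
            msgs.append("anonymous bind returns directory entries")
        out[ip] = msgs
    return out


def drift(baseline, current):
    """Findings in the current scan that were absent from the baseline
    (a new host counts as entirely new exposure)."""
    new = {}
    for ip, msgs in current.items():
        added = [m for m in msgs if m not in baseline.get(ip, [])]
        if added:
            new[ip] = added
    return new


if __name__ == "__main__":
    current = findings(parse_ldap_exposure(SAMPLE_XML))
    for ip, msgs in current.items():
        print(ip, "->", msgs or ["no findings"])
```

In a scheduled job the baseline would be the findings dictionary saved from the previous run; anything drift() returns is what changed since then and is what the alert should contain.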
The most secure LDAP service is the one you control and monitor. When inspection can happen in seconds, every second counts. See it live in minutes with hoop.dev — discover, scan, and understand your network surface before someone else does.