LDAP Network Traffic  
Nik Okuntseff  Windows 2000 Security Programming 

LDAP Network Traffic

This section describes the network traffic occurring during a simple conversation over the LDAP protocol. To generate such traffic I have written a small VB application (App/VbGetAllUserMailboxes) that may be used to retrieve a list of Exchange mailboxes assigned to a specific user account. A mailbox may be associated with a user account by using the general configuration page of the mailbox in Exchange Administrator (its Primary Windows NT Account... button).


VbGetAllUserMailboxes application.

It is possible to assign several mailboxes to one user. For example, I had 7 mailboxes on one of the development machines. The result of the execution is shown in the figure below.


The result of VbGetAllUserMailboxes execution.

The code for the application is presented below.

Option Explicit

Private Sub GetAllUserMailboxes_Click()

  Dim sid As New ADsSID
  Dim strDomain As String
  Dim strAccount As String
  Dim strServer As String
  Dim sidHex As String
    
  strDomain = Domain.Text
  strAccount = Account.Text
  strServer = Server.Text
  
  'Get SID
  sid.SetAs ADS_SID_WINNT_PATH, "WinNT://" & strDomain & "/" & strAccount & ",user"
  
  'Get Hex string representation of a SID
  sidHex = sid.GetAs(ADS_SID_HEXSTRING)
  
  
  Dim objADOconn As ADODB.Connection ' ADO connection object
  Dim strADOQueryString As String    ' ADO query string
  Dim objRS As ADODB.Recordset       ' Recordset object
  
  Set objADOconn = CreateObject("ADODB.Connection")
  objADOconn.Provider = "ADSDSOObject"
  objADOconn.Open "ADs Provider"
  
  'Format query string
  strADOQueryString = "<LDAP://" & strServer & _
    ">;(&(objectClass=organizationalPerson)(Assoc-NT-Account=" & _
    sidHex & "));cn,adspath;subtree"

  'Execute query
  Dim strMailboxes As String
  
  Set objRS = objADOconn.Execute(strADOQueryString)
  If Not objRS.EOF Then
    While Not objRS.EOF
      strMailboxes = strMailboxes & objRS.Fields(1).Value & vbCrLf
      objRS.MoveNext
    Wend
    MsgBox "Mailboxes found: " & vbCrLf & vbCrLf & strMailboxes
  Else
    MsgBox "No mailboxes found..."
  End If
  objRS.Close
  'Close the ADO connection as well as the recordset
  objADOconn.Close
   
  'Set objects to Nothing
  Set objRS = Nothing
  Set objADOconn = Nothing
End Sub

The network traffic capture file is named LdapTraffic.cap. It may be found in the App\NetMonCaptures directory. Let us examine the capture. I'll try to analyze individual frames where possible.

The entire traffic happens on 1 socket and uses 24 frames. Compare it with 232 frames for CDO traffic covered in the previous section. It's about 1/10th of that. The individual frames are:

Frames 1-3. Creation of a new socket 2011-389.
Frame 4. LDAP search request.
Frame 5. LDAP search response. This frame returns naming contexts for the server.
Frame 6. LDAP bind request.
Frame 7. LDAP bind result. This frame tells the client that the server requires NTLM authentication.
Frames 8-11. LDAP bind with NTLM authentication. Frame 8 is the authentication request, frame 9 is a challenge, frame 10 is the client response, frame 11 is an okay from the server.
Frame 12 is an LDAP search request (Filter: (objectClass=*), Attribute: objectClass). This is a query for an object class for the top-level object.
Frame 13 is an LDAP search response (the result is: organization, Top).
Frame 14 is an LDAP search request for the modifyTimeStamp attribute of the object cn=Aggregate,cn=Schema,cn=Configuration,ou=Taz,o=Infowave.
Frame 15 is a reply to it.
Frame 17 is the most interesting. It is an LDAP search request. This time the entire subtree is searched for all objects of class organizationalPerson, having Assoc-NT-Account attribute equal to a specific binary value (which is actually my account SID).
Frame 18 returns all 7 mailboxes back.
Frame 20 is an LDAP unbind request.
Frames 21-24 terminate the socket.


Frame 18 of the captured LDAP traffic.
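
Added example (not part of the original text or of the book's sample code): frame 17 carries the account SID as the Assoc-NT-Account value, and the VB code obtains it through ADS_SID_HEXSTRING. The Python below converts between that hex form and S-1-... notation, so a SID seen in a capture can be matched to an account or a known SID turned into a search pattern; the function names and the sample SID are constructed for illustration.

```python
import struct

# Constructed sample: hex form of a made-up account SID, in the style of the
# sidHex value used in the query. It is not taken from LdapTraffic.cap.
SAMPLE_SID_HEX = "010500000000000515000000C7353A428E6B748455A1AEC6E9030000"


def sid_hex_to_string(sid_hex):
    """Decode a hex-encoded binary SID into S-1-... notation."""
    raw = bytes.fromhex(sid_hex)
    if len(raw) < 8:
        raise ValueError("SID too short: need an 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    # Identifier authority: 6 bytes, big-endian.
    authority = int.from_bytes(raw[2:8], "big")
    # Sub-authorities: 32-bit little-endian integers.
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def sid_string_to_hex(sid):
    """Encode S-1-... notation as an uppercase hex string of the binary SID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    raw = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    raw += struct.pack("<%dI" % len(subs), *subs)
    return raw.hex().upper()


def ldap_filter_value(sid_hex):
    """Escape the binary SID as \\XX pairs for an RFC 4515 filter string."""
    return "".join("\\%02x" % b for b in bytes.fromhex(sid_hex))


if __name__ == "__main__":
    print(sid_hex_to_string(SAMPLE_SID_HEX))
    print(ldap_filter_value(sid_string_to_hex("S-1-5-32-544")))
```

The length check rejects a value truncated at a frame boundary instead of returning a shortened SID.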


 


Send comments and suggestions to niko@wrconsulting.com
Copyright © 2000 by Nik Okuntseff