LDAP Honeypot Enterprise Community
The LDAP service emulates a Microsoft Active Directory LDAP server. It responds to anonymous base-object searches and logs bind attempts with credentials.
Configuration
```json
"ldap": [
  {
    "port": 389,
    "hostname": "DC01",
    "domain": "corp.local",
    "level": "WinThreshold"
  }
]
```
Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| port | integer | 389 | TCP port |
| hostname | string | DC01 | DC host name advertised to clients |
| domain | string | corp.local | AD domain FQDN |
| level | string | WinThreshold | Domain functional level (see table below) |
| server | string | - | Legacy. Same as hostname |
| tld | string | - | Legacy. Combined with short domain label |
On Enterprise, only port and level are set per service; hostname and domain come from the Trapster device identity.
Domain functional levels (level)
| Value | Windows Server era |
|---|---|
| Windows2008Domain | 2008 |
| Windows2008R2Domain | 2008 R2 |
| Windows2012Domain | 2012 |
| Windows2012R2Domain | 2012 R2 |
| WinThreshold | 2016+ (default) |
Bind and search behavior
Trapster logs bind attempts and directory queries. Simple binds capture username and password where the client sends them. NTLM-based binds capture the client identity; passwords may appear as hashes depending on bind type. Anonymous searches against the directory root are logged as query events.
What gets captured
| Event | Fields |
|---|---|
| Connection made | Source IP and port |
| Data sent | Raw request payload |
| Login attempt | Simple bind username/password; NTLM identity (DOMAIN\user) |
| Query received | Anonymous bind username; search scope and base object |
