LDAP Honeypot Enterprise Community

The LDAP service emulates a Microsoft Active Directory LDAP server. It responds to anonymous base-object searches and logs bind attempts with credentials.

Configuration

```json
"ldap": [
  {
    "port": 389,
    "hostname": "DC01",
    "domain": "corp.local",
    "level": "WinThreshold"
  }
]
```

Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| port | integer | 389 | TCP port |
| hostname | string | DC01 | DC host name advertised to clients |
| domain | string | corp.local | AD domain FQDN |
| level | string | WinThreshold | Domain functional level (see table below) |
| server | string | - | Legacy. Same as hostname |
| tld | string | - | Legacy. Combined with short domain label |

On Enterprise, only port and level are set per service; hostname and domain come from the Trapster device identity.

Domain functional levels (level)

| Value | Windows Server era |
|---|---|
| Windows2008Domain | 2008 |
| Windows2008R2Domain | 2008 R2 |
| Windows2012Domain | 2012 |
| Windows2012R2Domain | 2012 R2 |
| WinThreshold | 2016+ (default) |

Bind and search behavior

Trapster logs bind attempts and directory queries. Simple binds capture username and password where the client sends them. NTLM-based binds capture the client identity; passwords may appear as hashes depending on bind type. Anonymous searches against the directory root are logged as query events.
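
The following Python example is added here and is not Trapster's code: it decodes an LDAPv3 BindRequest (RFC 4511) to show what a server can read from a simple bind, where the name and password arrive as plain octet strings. The function names and the sample packet are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: low 7 bits = length byte count
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(packet):
    """Added example (not Trapster's code): fields readable from one BindRequest."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] = BindRequest
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    event = {"message_id": int.from_bytes(msg_id, "big"),
             "version": int.from_bytes(version, "big"),
             "name": name.decode("utf-8", "replace")}
    if auth_tag == 0x80:                   # simple [0]: password sent as plain octets
        event.update(auth="simple", password=auth.decode("utf-8", "replace"),
                     anonymous=(not name and not auth))
    else:                                  # sasl [3] or another choice: not decoded here
        event["auth"] = "other(tag=0x%02x)" % auth_tag
    return event

# Constructed sample packet: simple bind as CORP\svc_backup (all lengths < 128).
_name, _pw = b"CORP\\svc_backup", b"Winter2024!"
_body = b"\x02\x01\x03" + bytes([0x04, len(_name)]) + _name + bytes([0x80, len(_pw)]) + _pw
_op = bytes([0x60, len(_body)]) + _body
SAMPLE = bytes([0x30, 3 + len(_op)]) + b"\x02\x01\x01" + _op

if __name__ == "__main__":
    print(parse_bind_request(SAMPLE))
```

A simple bind with an empty name and an empty password is the anonymous bind defined in RFC 4513, which the example flags as `anonymous`.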

What gets captured

| Event | Fields |
|---|---|
| Connection made | Source IP and port |
| Data sent | Raw request payload |
| Login attempt | Simple bind username/password; NTLM identity (DOMAIN\user) |
| Query received | Anonymous bind username; search scope and base object |