Every time a user in your organization logs into a corporate application, printer, or VPN, there is a good chance that LDAP is working in the background. For LDAP to work correctly, the right port has to be open, configured, and secured. If you get the port wrong, authentication breaks; if you leave the port unencrypted, credentials cross the network in plaintext.
What is an LDAP port?
An LDAP port is the network port that client applications use to communicate with an LDAP server. LDAP (Lightweight Directory Access Protocol) is the protocol used to read from and write to directory services such as Active Directory, OpenLDAP, and Oracle Directory Server.
When an application needs to authenticate a user or look up some information in the directory, it sends a query to the LDAP server through a designated port. The server listens on that port, processes the query, and sends back the appropriate response.
LDAP ports follow the standard client-server model: the client initiates a connection and the server responds. The port used determines how the connection is secured, that is, whether the communication is unencrypted, encrypted from the start via SSL/TLS, or upgraded to encryption mid-session via STARTTLS.
LDAP port numbers: The two you need to know
There are two main LDAP port numbers in use: port 389 and port 636.
| Port | Protocol | Encryption | Use case |
|---|---|---|---|
| 389 | LDAP | None (plaintext) or STARTTLS | Standard directory queries and authentication |
| 636 | LDAPS | SSL/TLS (always encrypted) | Secure LDAP communications |
Port 389 is the default LDAP port. Traffic on port 389 is unencrypted by default, though you can upgrade the session to an encrypted one with STARTTLS.
Port 636, on the other hand, is for LDAPS, which is LDAP over SSL. Communication through this port is encrypted from the moment the connection is established. Both ports use TCP as the transport protocol.
What is the LDAPS port?
LDAPS stands for LDAP over SSL and is the more secure version of the LDAP protocol. It uses port 636 and wraps the entire connection in a TLS session. When a client application connects to port 636, the TLS handshake happens immediately, and LDAP communication takes place only after the encrypted tunnel is established. The data transmitted (usernames, passwords, and directory information) is never sent in plaintext.
LDAP port 389 vs. 636: What's the difference?
The discussion around LDAP port 389 vs. 636 often comes down to a single question: Do you need encryption, and when does the encryption begin?
LDAP port 389:
- Connection begins unencrypted
- Can be upgraded mid-session using the STARTTLS extension
- Supported by virtually all LDAP clients and servers
- Still widely used on internal networks, especially for read-only lookups
- If STARTTLS is not enforced, traffic can travel in plaintext
LDAPS port 636:
- Encryption is established at the very start of the connection, before any data is exchanged
- No plaintext phase at any point in the session
- Requires a valid SSL/TLS certificate on the LDAP server
- Preferred for any environment that handles sensitive credentials or must comply with regulations such as HIPAA, PCI DSS, or SOC 2
Which should you use?
Use LDAPS on port 636 whenever possible, as it is the more secure choice. It eliminates the risk of a misconfigured or missing STARTTLS upgrade leaving credentials exposed. Port 389 with STARTTLS is an acceptable alternative, but setting it up adds complexity, which in turn introduces room for error.
LDAP port for Active Directory
When working with LDAP ports for AD, note that Microsoft uses both the standard LDAP ports and several additional ports specific to its implementation.
| Port | Purpose |
|---|---|
| 389 | Standard LDAP queries to AD |
| 636 | LDAPS: encrypted LDAP to AD |
| 3268 | Global Catalog LDAP: queries across all domains in a forest |
| 3269 | Global Catalog LDAPS: encrypted queries across all domains in a forest |
The last two ports, 3268 and 3269, are unique to AD. When a client application needs to search across an entire AD forest rather than a single domain, it connects to the Global Catalog service, which listens on these ports.
Ports 389 and 636 are sufficient for most standard authentication scenarios.
LDAP over SSL port vs STARTTLS
LDAP over SSL (port 636/LDAPS) and STARTTLS on port 389 are both valid options for encrypting LDAP traffic. The two mechanisms work differently, though, and they carry different risk profiles.
| | STARTTLS (over port 389) | LDAPS (port 636) |
|---|---|---|
| When encryption starts | After an initial plaintext handshake | Immediately on connection |
| Certificate required | Yes | Yes |
| Supported by AD | Yes | Yes |
| Risk of misconfiguration | Higher | Lower |
| RFC (Request for Comments) preference | Preferred by newer RFCs | Widely used in practice |
Use LDAP over SSL on port 636 if you want the strongest security guarantee with the least configuration complexity. Use STARTTLS on port 389 only if your client base requires it or if your LDAP server vendor specifically recommends it.
Common LDAP port issues and fixes
1. Port 389 connecting but authentication failing:
- Check that the bind distinguished name and password are correct
- Verify that anonymous binding is disabled if it should be
- Confirm the service account has read permissions on the directory
2. Port 636 connection refused:
- Verify that LDAPS is enabled on the server (it is not enabled by default on all servers)
- Check that a valid SSL/TLS certificate is installed and bound to the LDAP service
- Confirm that port 636 is open in the firewall
3. Certificate errors on port 636:
- The client does not trust the certificate authority (CA) that issued the server's certificate
- The certificate has expired
- The certificate's common name (CN) or subject alternative name (SAN) does not match the server's hostname
4. STARTTLS failing on port 389:
- The server does not support STARTTLS
- The client is not configured to require STARTTLS, causing a silent plaintext fallback
- A firewall or proxy is stripping the STARTTLS command
5. Global Catalog not reachable (ports 3268/3269):
- The Global Catalog service is not running on the target domain controller
- Ports 3268/3269 are blocked at the firewall
- The querying account does not have Global Catalog access
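The LDAPS vs. STARTTLS comparison above and fix 4 (silent plaintext fallback) in working code, as an added example that is not from the original article or from ADManager Plus: a stdlib-only Python client that, for port 636, runs the TLS handshake with CA and hostname verification before sending any LDAP bytes, and for port 389 sends the StartTLS extended operation on the wire and aborts unless the server's ExtendedResponse reports success. The host and port values are assumptions; the BER encoder and response parser run offline.

```python
# Added example, not the article's or ADManager Plus code; host/port values are assumptions.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)
def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a short-form length (enough for these small messages)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def tlv(buf: bytes, pos: int) -> tuple:
    """Read one TLV at pos -> (tag, value, next_pos); handles long-form lengths too."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber(0x77, ber(0x80, STARTTLS_OID))
    return ber(0x30, ber(0x02, bytes([message_id])) + ext_req)

def parse_extended_response(msg: bytes) -> tuple:
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = tlv(body, 0)                # messageID
    tag, resp, _ = tlv(body, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse")
    _, code, pos = tlv(resp, 0)             # resultCode ENUMERATED (0 = success)
    _, _, pos = tlv(resp, pos)              # matchedDN
    _, diag, _ = tlv(resp, pos)             # diagnosticMessage
    return code[0], diag.decode("utf-8", "replace")

def connect_encrypted(host: str, port: int, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open an encrypted LDAP session on 636 (LDAPS) or 389 (StartTLS); never plaintext."""
    ctx = ssl.create_default_context()      # verifies CA chain, expiry and hostname
    raw = socket.create_connection((host, port), timeout=timeout)
    if port == 636:                         # LDAPS: TLS handshake first, LDAP afterwards
        return ctx.wrap_socket(raw, server_hostname=host)
    raw.sendall(starttls_request())         # port 389: request the upgrade...
    code, diag = parse_extended_response(raw.recv(4096))
    if code != 0:                           # ...and refuse to continue if it is denied
        raw.close()
        raise RuntimeError(f"StartTLS refused (resultCode={code}): {diag}")
    return ctx.wrap_socket(raw, server_hostname=host)
```

With this client, fix 3 (untrusted CA, expired certificate, CN/SAN mismatch) surfaces as an ssl.SSLCertVerificationError from wrap_socket rather than as a silent downgrade.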
Efficiently manage your organization with ADManager Plus
Managing LDAP ports, encryption settings, and AD configurations across a large organization can be error-prone and time-consuming. Misconfigured ports can leave credentials exposed, and overly permissive service accounts widen the attack surface. Unencrypted LDAP traffic on port 389 can go unnoticed for months, leaving the door open to attacks and breaches.
ADManager Plus gives IT teams a centralized console to manage user provisioning, access control, and AD security. Easily enforce least-privilege access, eliminate misconfigurations before they become incidents, and keep an eye on directory permissions.
FAQs
1. How many LDAP connections can a server handle on a single port?
A single port supports thousands of concurrent connections. What limits connection capacity is the server's hardware (CPU, RAM), the directory service's configured connection limits, and network bandwidth. AD, for example, has its own policy setting for the maximum number of concurrent LDAP connections per domain controller, separate from the port configuration.
2. Does disabling port 389 and forcing port 636 break anything?
It can, depending on your environment. Legacy applications, older printers, network devices, and some third-party software are often hard-coded to connect on port 389 and have no support for LDAPS. Before disabling port 389 entirely, go through every application and device that authenticates against your directory. Confirm that each one supports port 636, and then migrate them one by one before closing the port.
3. Can two different applications use the same LDAP port simultaneously?
Yes. A port is not exclusively occupied by a single application. Multiple clients can connect to the same port on the same server simultaneously. What cannot happen is two separate services both trying to listen on the same port on the same server. If you try to run two LDAP services on the same machine both bound to port 389, one will fail to start.
4. Does LDAP port 636 require a paid SSL certificate?
No. Free certificates work on port 636 just as well as paid ones. What matters is that the certificate is issued by a CA your clients trust, has not expired, and matches the hostname your clients use to connect. The cost of the certificate has no bearing on the security or functionality of the LDAPS connection.