LDAPS
What is Port 636?
Port 636 is used for LDAP over SSL/TLS (LDAPS), the encrypted version of the Lightweight Directory Access Protocol. Unlike plain LDAP on port 389, an LDAPS client completes a TLS handshake immediately after the TCP connection opens and only then sends its first LDAP message, so every bind (including the password inside a simple bind), every search and every result is protected from eavesdropping and tampering on the wire. LDAPS predates STARTTLS, which was later added to LDAPv3 to upgrade a port 389 connection to TLS in-band; both remain in use. Microsoft Active Directory, OpenLDAP and other directory services support LDAPS on port 636, but the server must hold a TLS certificate whose subject or SAN matches the name clients connect to and that chains to a CA those clients trust (Active Directory domain controllers only start serving LDAPS once a suitable server certificate, typically from AD CS, is present in their certificate store). Microsoft has also pushed LDAP Channel Binding and LDAP Signing as additional protections; signing hardens port 389, while channel binding complements LDAPS by tying the authentication to the TLS session. LDAPS remains the most straightforward way to ensure all LDAP traffic is encrypted.
Common Uses
- Secure Active Directory authentication and queries
- Encrypted directory lookups for user management
- Secure LDAP integration for applications (VPN, Wi-Fi)
- Compliance-mandated encrypted directory access
Technical Details
Copy-paste commands to check port 636 (LDAPS) from your terminal
Test connectivity
nc -zv example.com 636
curl -v --max-time 5 ldaps://example.com:636/
telnet example.com 636
nmap -p 636 -sV example.com
(echo > /dev/tcp/example.com/636) 2>/dev/null && echo "open" || echo "closed"
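The commands above only show that something answers on 636. Confirming that it is LDAPS, and that a bind works through it, needs a client that does the TLS handshake first and then speaks LDAP. The script below is an added example (it is not code from this page, nor from OpenLDAP or Microsoft) that does exactly that with only the Python standard library, so the BER framing of the BindRequest and BindResponse is visible rather than hidden inside a library. The host name, port, CA file and any DN/password passed in are assumptions for illustration; leaving dn and password empty gives an anonymous bind.

```python
"""Simple LDAP bind over LDAPS (port 636) with the standard library only.
Added example: TLS is negotiated and verified before the first LDAP byte."""
import socket
import ssl

# LDAP resultCodes (RFC 4511) that most often come back from a bind
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    49: "invalidCredentials",
}


def ber_length(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value, tag=0x02):
    """Minimal two's-complement INTEGER (or ENUMERATED with tag 0x0a)."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def build_bind_request(message_id, dn="", password=""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = (ber_integer(3)
            + tlv(0x04, dn.encode())          # name: LDAPDN as OCTET STRING
            + tlv(0x80, password.encode()))   # [0] simple authentication
    return tlv(0x30, ber_integer(message_id) + tlv(0x60, bind))


def build_unbind_request(message_id):
    """UnbindRequest [APPLICATION 2] NULL; the server closes the connection afterwards."""
    return tlv(0x30, ber_integer(message_id) + b"\x42\x00")


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("protocolOp is not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)             # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos) # matchedDN (ignored here)
    _, diag, _ = read_tlv(op, pos)          # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", "replace"))


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage, however TLS records split it."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        extra = recv_exact(sock, head[1] & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def ldaps_bind(host, port=636, dn="", password="", cafile=None):
    """TLS first (chain and hostname verified, TLS 1.2 minimum), then the LDAP bind."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, dn, password))
            mid, code, diag = parse_bind_response(recv_ldap_message(tls))
            tls.sendall(build_unbind_request(2))
            return {"tls": tls.version(), "message_id": mid, "result": code,
                    "result_name": RESULT_CODES.get(code, "other"), "diagnostic": diag}


if __name__ == "__main__":
    import sys
    # host is an assumed placeholder; pass the real directory name on the command line
    print(ldaps_bind(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Saved as, say, ldaps_check.py and run with the directory's host name as the argument, it prints the negotiated TLS version and the LDAP resultCode (0 success, 49 invalidCredentials, 8 strongerAuthRequired when the server refuses the bind method). A certificate that does not chain to a trusted CA or does not match the host name fails inside `wrap_socket`, before any LDAP bytes are sent, which is the behaviour a correctly configured client should have. To look at the chain the server presents, `openssl s_client -connect example.com:636 -showcerts </dev/null` is the usual companion command.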
Open port in firewall
sudo ufw allow 636/tcp
sudo iptables -A INPUT -p tcp --dport 636 -j ACCEPT
sudo firewall-cmd --permanent --add-port=636/tcp && sudo firewall-cmd --reload
Security Considerations
LDAPS provides transport encryption only; the directory's access controls (who may bind, and what each identity may read or modify) still need proper configuration. Ensure server certificates are valid, match the host name clients use and are issued by a CA those clients trust, and make sure clients actually verify them: an application that disables certificate checking to "make LDAPS work" is open to a man-in-the-middle that collects every password sent in a simple bind. Require TLS 1.2 or later and disable weak cipher suites. Monitor for failed bind attempts (OpenLDAP records them as RESULT err=49, invalidCredentials; Active Directory as failed-logon entries in the security log), since a burst from one source indicates brute force against one account or password spraying across many. Consider also enabling LDAP Channel Binding, which ties the bind to the TLS session and defeats relay attacks that replay a captured authentication into an LDAPS connection.
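To show what monitoring for failed binds looks like in practice, here is an added detection example (not code from this page, OpenLDAP or Microsoft). It reads constructed log lines in the style of OpenLDAP slapd's stats log, joins each `RESULT tag=97 err=49` (BindResponse, invalidCredentials) back to the BIND's DN and the connection's source IP, and then separates a brute-force pattern (many failures against one account) from password spraying (one or two failures each against many accounts). The IP addresses, DNs, log lines and alert threshold are all assumptions for illustration.

```python
"""Failed-bind detection over slapd-style log lines (added example).
The sample log is constructed to resemble OpenLDAP's stats log; it is not real data."""
import re
from collections import defaultdict

# The three slapd stats-log line shapes the detector needs; a syslog prefix is ignored
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)")

BIND_RESPONSE_TAG = 97    # BER tag 0x61, [APPLICATION 1] BindResponse
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials


def failed_binds(lines):
    """Return [(source_ip, bind_dn), ...] for every bind that ended in invalidCredentials."""
    src_by_conn = {}   # conn id -> client IP, from the ACCEPT line
    dn_by_op = {}      # (conn, op) -> DN, from the BIND line
    failures = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            src_by_conn[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            dn_by_op[(m.group(1), m.group(2))] = m.group(3) or "<anonymous>"
            continue
        m = RESULT_RE.search(line)
        if m and (int(m.group(3)), int(m.group(4))) == (BIND_RESPONSE_TAG, INVALID_CREDENTIALS):
            conn, op = m.group(1), m.group(2)
            failures.append((src_by_conn.get(conn, "unknown"), dn_by_op.get((conn, op), "unknown")))
    return failures


def detect(lines, threshold=5):
    """Alert per source IP with at least `threshold` failures (threshold is an assumed tuning value)."""
    per_ip = defaultdict(list)
    for ip, dn in failed_binds(lines):
        per_ip[ip].append(dn)
    alerts = {}
    for ip, dns in per_ip.items():
        if len(dns) < threshold:
            continue
        accounts = len(set(dns))
        alerts[ip] = {
            "failures": len(dns),
            "accounts": accounts,
            "kind": "brute-force" if accounts == 1 else "password-spray",
        }
    return alerts


def _conn(conn, ip, dn, err):
    """Constructed slapd-style lines for one connection that binds once over LDAPS."""
    return [
        f"conn={conn} fd=12 ACCEPT from IP={ip}:4{conn} (IP=0.0.0.0:636)",
        f"conn={conn} fd=12 TLS established tls_ssf=256 ssf=256",
        f'conn={conn} op=0 BIND dn="{dn}" method=128',
        f"conn={conn} op=0 RESULT tag=97 err={err} text=",
        f"conn={conn} op=1 UNBIND",
        f"conn={conn} fd=12 closed",
    ]


SAMPLE_LOG = []
for i in range(6):  # 203.0.113.5 hammers one account (assumed attacker address)
    SAMPLE_LOG += _conn(1000 + i, "203.0.113.5", "cn=admin,dc=example,dc=com", 49)
SAMPLE_LOG += _conn(1010, "198.51.100.7", "uid=alice,ou=people,dc=example,dc=com", 49)  # one typo
SAMPLE_LOG += _conn(1011, "198.51.100.7", "uid=alice,ou=people,dc=example,dc=com", 0)   # then success
for i in range(5):  # 203.0.113.9 tries one password against five different accounts
    SAMPLE_LOG += _conn(1020 + i, "203.0.113.9", f"uid=user{i},ou=people,dc=example,dc=com", 49)

if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

The join through conn and op matters because slapd logs the DN on the BIND line and the outcome on a separate RESULT line; counting `err=49` alone tells you how many failures there were but not who or from where. On a real deployment the same logic runs over the syslog stream, and the threshold is tuned per environment. A legitimate user who mistypes once (198.51.100.7 above) never reaches it.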