Opendirectoryd generating inbound traffic?

I have developed a Content Filter NE and I am seeing some flows that I don't understand, so I wanted to check if I am interpreting them correctly.

# Example Flow
bundle id: com.apple.opendirectoryd
localEndpoint.hostname: My mac's IP
localEndpoint.port: 55408
remoteEndpoint.hostname: Domain controller IP
remoteEndpoint.port: 389
direction: inbound

Looking at that flow what I understand is that the Domain Controller is generating traffic to my mac. Is this correct? I ask this because I thought DCs couldn't directly initiate a connection to a mac. I get this flow when trying to join my mac to the AD.

Answered by Systems Engineer in 683301022

> Given that the direction is inbound I assume the source of the traffic is the remoteEndpoint. Correct?

Yes.

I suspect this is a completely normal interaction but I would have to go look at the protocol specification again to know for sure.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

> Looking at that flow what I understand is that the Domain Controller is generating traffic to my mac. Is this correct? I ask this because I thought DCs couldn't directly initiate a connection to a mac. I get this flow when trying to join my mac to the AD.

Right, based on the fact that this flow originates from com.apple.opendirectoryd and port 389 is in use here I suspect there is an LDAP operation taking place here. As to the inbound side of this, I would check out the authentication flow back and forth between your machine and the domain controller, but is this taking place in handleInboundDataFromFlow or directly in handleNewFlow?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
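
An added example, not part of the original thread or Apple's code: a minimal `NEFilterDataProvider` that logs the fields from the question's example flow, plus the transport protocol, in both `handleNewFlow` and `handleInboundData`, so you can see which callback reports the port 389 flow and whether it is TCP or UDP. `FlowLoggingFilter` and the log subsystem are hypothetical names, and it assumes the endpoints arrive as `NWHostEndpoint`.

```swift
import Foundation
import NetworkExtension
import os.log

// Added example. FlowLoggingFilter and the subsystem string are hypothetical names.
final class FlowLoggingFilter: NEFilterDataProvider {
    private let log = OSLog(subsystem: "com.example.filter", category: "flows")

    // Render direction, protocol and both endpoints for one socket flow.
    // Assumption: endpoints are NWHostEndpoint; anything else prints as "?".
    private func describe(_ flow: NEFilterSocketFlow) -> String {
        let local = flow.localEndpoint as? NWHostEndpoint
        let remote = flow.remoteEndpoint as? NWHostEndpoint
        let direction: String
        switch flow.direction {
        case .inbound: direction = "inbound"
        case .outbound: direction = "outbound"
        default: direction = "any"
        }
        let proto: String
        switch flow.socketProtocol {
        case IPPROTO_TCP: proto = "tcp"
        case IPPROTO_UDP: proto = "udp"
        default: proto = "proto-\(flow.socketProtocol)"
        }
        return "\(proto) \(direction) "
            + "local=\(local?.hostname ?? "?"):\(local?.port ?? "?") "
            + "remote=\(remote?.hostname ?? "?"):\(remote?.port ?? "?")"
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Browser flows are not socket flows; let them through untouched.
        guard let socketFlow = flow as? NEFilterSocketFlow else { return .allow() }
        os_log("new flow: %{public}@", log: log, type: .info, describe(socketFlow))
        // Ask to peek at the first inbound bytes only; outbound data is not filtered.
        return .filterDataVerdict(withFilterInbound: true, peekInboundBytes: 64,
                                  filterOutbound: false, peekOutboundBytes: 0)
    }

    override func handleInboundData(from flow: NEFilterFlow,
                                    readBytesStartOffset offset: Int,
                                    readBytes: Data) -> NEFilterDataVerdict {
        if let socketFlow = flow as? NEFilterSocketFlow {
            os_log("inbound data: %{public}@ offset=%ld bytes=%ld", log: log, type: .info,
                   describe(socketFlow), offset, readBytes.count)
        }
        return .allow() // Logging only: never blocks the flow.
    }
}
```

The `%{public}` format writes IP addresses to the unified log in clear text, so keep it to debug builds.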