
Port 1389 lives in two worlds. Officially, IANA assigns it to "iclpv-dm" (Document Manager). In practice, the Internet knows it as the unprivileged LDAP port—the alternative to port 389 when you need to run a directory server without root access.1

What Port 1389 Is

According to IANA's Service Name and Transport Protocol Port Number Registry, port 1389 is assigned to:

  • Service Name: iclpv-dm
  • Description: Document Manager
  • Transport Protocols: TCP and UDP

Port 1389 falls in the registered ports range (1024-49151). This range contains ports that IANA assigns through a formal process, but which don't require privileged access to bind.2

What Port 1389 Actually Does

Here's where theory meets reality: port 1389 is overwhelmingly used as an alternative LDAP port.

The standard LDAP port is 389. But there's a problem. On Unix-like systems, binding to any port below 1024 requires root privileges. If you want to run an LDAP server as a regular user—or if you're deploying in an environment where you can't get root access—you're stuck.

Port 1389 solves this. Directory servers like ForgeRock Directory Services (formerly OpenDJ), Ping Directory, and others default to port 1389 specifically because it provides LDAP functionality without requiring elevated privileges.3

This creates a strange situation: port 1389's official assignment says one thing, but the overwhelming majority of documentation, firewall rules, and network configurations treat it as the de facto unprivileged LDAP port.

The Privilege Problem

The difference between port 389 and port 1389 is entirely about access:

Port 389 (standard LDAP):

  • Requires root or administrator privileges to bind
  • Requires the server process to start with elevated permissions
  • Traditional, well-known port that firewalls and security tools recognize

Port 1389 (alternative LDAP):

  • Can be bound by regular users without special privileges
  • Allows LDAP servers to run in restricted environments
  • Used in development, containerized deployments, and environments with strict permission models

The line between them is port 1024. Below that threshold, operating systems enforce privilege requirements. Above it, regular users can bind ports freely.4

Why This Matters

Ports like 1389, whose everyday use differs from their official assignment, reveal something about how the Internet actually works versus how it's supposed to work.

IANA maintains the registry. Protocols get assigned. RFCs get written. But when port 389 requires permissions that half the deployment scenarios can't provide, the Internet routes around the problem. Port 1389 becomes the solution—not through official decree, but through practical necessity.

This is how protocols evolve. The official assignment may say "Document Manager," but when thousands of LDAP servers bind to 1389 because they have no other choice, the port's real identity is established by usage, not registry.

Security Considerations

If you see traffic on port 1389, it's most likely LDAP running on an unprivileged port. But that creates security implications:

Unencrypted by default — Like port 389, traffic on 1389 is typically unencrypted LDAP unless you've configured LDAPS (LDAP over TLS) or STARTTLS. Credentials and directory queries cross the network in plaintext.

Non-standard port confusion — Security tools and firewalls may not recognize port 1389 as LDAP traffic, making it easier to overlook in security audits or intrusion detection.

Legitimate use is common — Unlike many high-numbered ports that only see traffic during attacks or misconfigurations, port 1389 is legitimately used in production environments. Don't assume it's always suspicious.

If you're running LDAP on port 1389, you should configure TLS. If you're monitoring network traffic and see port 1389 in use, verify whether it's LDAP and whether it's encrypted.
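A passive version of that verification, as an added example that is not part of the original page: it classifies the first client payload captured on port 1389 as TLS, an LDAP StartTLS request, or cleartext LDAP, and flags simple binds because they carry the password. The function names, labels and sample payloads are constructed for illustration.

```python
# Added example: classify the first client payload seen on TCP/1389 (names are illustrative).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"     # LDAP StartTLS extended operation (RFC 4511)
BIND_REQUEST, EXTENDED_REQUEST = 0x60, 0x77  # [APPLICATION 0], [APPLICATION 23]

def read_tlv(buf, pos=0):
    """Decode one BER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify(payload):
    if len(payload) >= 3 and payload[:2] == b"\x16\x03":
        return "tls"                         # TLS handshake record: session is encrypted
    try:
        tag, msg, _ = read_tlv(payload)      # LDAPMessage ::= SEQUENCE
        id_tag, _, pos = read_tlv(msg)       # messageID INTEGER
        op, body, _ = read_tlv(msg, pos)     # protocolOp
        if tag != 0x30 or id_tag != 0x02 or (op & 0xC0) != 0x40:
            return "unknown"                 # not SEQUENCE { INTEGER, [APPLICATION n] }
        if op == EXTENDED_REQUEST:
            name_tag, name, _ = read_tlv(body)   # requestName [0]
            if name_tag == 0x80 and name == STARTTLS_OID:
                return "ldap-starttls"       # client is asking to upgrade to TLS
        if op == BIND_REQUEST:
            _, _, pos = read_tlv(body)       # version
            _, _, pos = read_tlv(body, pos)  # bind DN
            auth_tag, _, _ = read_tlv(body, pos)
            if auth_tag == 0x80:             # simple [0]: password sent in the clear
                return "ldap-cleartext-simple-bind"
        return "ldap-cleartext"
    except ValueError:
        return "unknown"

SAMPLES = {  # constructed payloads, not captured traffic
    "tls_hello": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03",
    "starttls": b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + STARTTLS_OID,
    "simple_bind": b"\x30\x2c\x02\x01\x01\x60\x27\x02\x01\x03\x04\x1a" b"cn=admin,dc=example,dc=com" b"\x80\x06" b"secret",
    "unbind": b"\x30\x05\x02\x01\x02\x42\x00",
}
print({name: classify(data) for name, data in SAMPLES.items()})
```

A payload that is truncated or does not parse as an LDAPMessage is reported as "unknown" rather than guessed at.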

How to Check What's Listening

On Linux or macOS:

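# Show the process that has port 1389 open
sudo lsof -i :1389
# or, on Linux only (macOS netstat does not accept -tulpn)
sudo netstat -tulpn | grep ':1389'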

On Windows:

netstat -ano | findstr :1389

If you see a process bound to 1389, check whether it's a directory server (OpenDJ, Ping Directory, 389 Directory Server, etc.) or something else entirely.

Related Ports

  • Port 389 — Standard LDAP port (requires privileges)
  • Port 636 — LDAPS (LDAP over TLS/SSL)
  • Port 3268 — Microsoft Active Directory Global Catalog
  • Port 3269 — Global Catalog over SSL
