Re: LDAPS

["Schoenefeld, Keith" <schoenk () ILLINOIS EDU>]

I wouldn't set up an internal CA either.  Unless one is in a pure Windows
shop, and a single forest at that, the points about machines inherently
trusting the certificate aren't valid.  We run ldaps on our AD
infrastructure with a third party certificate, though we don't use a
wildcard certificate.  We use the altSubjName field to create certificates
for each domain controller, allowing it to respond with both its FQDN and
the the more general domain.  In addition, we have multiple non-windows
specific apps connecting to our ldaps servers (ePolicy Orchestrator is one
that I manage) without a hitch.

I'm all for simplifying service offerings, but I don't understand why one
would be averse to offering ldaps as a companion service to ldap.

-- KS

On 10/21/10 10:58 AM, "Kellogg, Brian D." <bkellogg () SBU EDU> wrote:

> Thanks
>
> We want both to be used without interruption to unsecured LDAP
> access.
>
> I really do not want to set up an internal CA just to issue certs
> to my DCs in order to get one piece of software to function.  Eric Lukens
> made some good points that made me think twice about using a third party
> cert.  I hate adding complexity to a well running system for little or no
> reason.
>
> We  may be looking for another product to fulfill our
> needs.  Bummer, their pricing was excellent.
>
>
> Thanks,
> Brian
>
>
> From: The EDUCAUSE
> Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On
> Behalf Of Bryan Fleming
> Sent: Thursday, October 21, 2010 11:47 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] LDAPS
>
>
> If you want to only allow port
> 636 to be used, you could always use the Windows Firewall to block
> traffic for
> any requests going to port 389 and that should solve that issue.
> On Thu, Oct 21, 2010 at 10:40 AM, Chris Green <cmgreen () uab edu> wrote:
> If
> I recall, you can turn on LDAPS but turning off LDAP was impossible.
>  For us, we have that off on one server and can rotate the
> role.  I don¹t recall why it was a one-off server but it was
> something we may have had to do either WC certs or load balancing for.
>
> Better
> to ask this question on win-hied mailing list and get real gurus ;-)
>
> From: The
> EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU]
> On Behalf Of Childs, Aaron
> Sent: Thursday, October 21, 2010 9:30 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] LDAPS
>
>
>
> We enabled Secure LDAP two years ago on our 2003 R2 DCs
> and it does not break anything. It just listens on a different port (636)
> for
> secure traffic.  We did not use a wildcard cert.
>
> Have a good day,
> Aaron
>
> -----------
> Aaron Childs, CCNA
> Assistant Director: Networking
> Westfield State University
> http://www.wsc.ma.edu/it/
>
>
> From: The
> EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU]
> On Behalf Of Kellogg, Brian D.
> Sent: Thursday, October 21, 2010 10:19 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] LDAPS
>
>
>
> We
> have a product we are looking to use but it requires a secure LDAP
> connection
> to our Win2003R2 domain.  I have very little experience with LDAPS so
> below are a couple questions I have for anyone who has more experience
> than I
> with this.  I have read the MS requirements to implement this.
>
> Will
> enabling secure LDAP break anything?  We have a lot of other LDAP stuff
> going on that does not require LDAPS.
> Has
> anyone used a wildcard cert to enable secure LDAP on Windows 2003R2 DCs?
>
>
> Thanks,
> Brian
>
>
>
>
>
>
> -- 
> Sincerely,
>
> Bryan Fleming
> Sr. Linux Engineer
> bdflemin () oakland edu
> www.oakland.edu/uts <http://www.oakland.edu/uts>