Educause Security Discussion mailing list archives
Re: LDAPS
From: "Kellogg, Brian D." <bkellogg () SBU EDU>
Date: Thu, 21 Oct 2010 11:58:53 -0400
Thanks We want both to be used without interruption to unsecured LDAP access. I really do not want to set up an internal CA just to issue certs to my DCs in order to get one piece of software to function. Eric Lukens made some good points that made me think twice about using a third party cert. I hate adding complexity to a well running system for little or no reason. We may be looking for another product to fulfill our needs. Bummer, their pricing was excellent. Thanks, Brian From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bryan Fleming Sent: Thursday, October 21, 2010 11:47 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] LDAPS If you want to only allow port 636 to be used, you could always use the Windows Firewall to block traffic for any requests going to port 389 and that should solve that issue. On Thu, Oct 21, 2010 at 10:40 AM, Chris Green <cmgreen () uab edu<mailto:cmgreen () uab edu>> wrote: If I recall, you can turn on LDAPS but turning off LDAP was impossible. For us, we have that off on one server and can rotate the role. I don't recall why it was a one-off server but it was something we may have had to do either WC certs or load balancing for. Better to ask this question on win-hied mailing list and get real gurus ;-) From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] On Behalf Of Childs, Aaron Sent: Thursday, October 21, 2010 9:30 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] LDAPS We enabled Secure LDAP two years ago on our 2003 R2 DCs and it does not break anything. It just listens on a different port (636) for secure traffic. We did not use a wildcard cert. Have a good day, Aaron ----------- Aaron Childs, CCNA Assistant Director: Networking Westfield State University http://www.wsc.ma.edu/it/ From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] On Behalf Of Kellogg, Brian D. Sent: Thursday, October 21, 2010 10:19 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] LDAPS We have a product we are looking to use but it requires a secure LDAP connection to our Win2003R2 domain. I have very little experience with LDAPS so below are a couple questions I have for anyone who has more experience than I with this. I have read the MS requirements to implement this. Will enabling secure LDAP break anything? We have a lot of other LDAP stuff going on that does not require LDAPS. Has anyone used a wildcard cert to enable secure LDAP on Windows 2003R2 DCs? Thanks, Brian -- Sincerely, Bryan Fleming Sr. Linux Engineer bdflemin () oakland edu<mailto:bdflemin () oakland edu> www.oakland.edu/uts<http://www.oakland.edu/uts>