Educause Security Discussion mailing list archives

Re: LDAPS


From: "Kellogg, Brian D." <bkellogg () SBU EDU>
Date: Thu, 21 Oct 2010 11:58:53 -0400

Thanks

We want both to be used without interruption to unsecured LDAP access.

I really do not want to set up an internal CA just to issue certs to my DCs in order to get one piece of software to 
function.  Eric Lukens made some good points that made me think twice about using a third party cert.  I hate adding 
complexity to a well running system for little or no reason.

We may be looking for another product to fulfill our needs.  Bummer, their pricing was excellent.


Thanks,
Brian


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bryan Fleming
Sent: Thursday, October 21, 2010 11:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] LDAPS

If you want to only allow port 636 to be used, you could always use the Windows Firewall to block traffic for any 
requests going to port 389 and that should solve that issue.
On Thu, Oct 21, 2010 at 10:40 AM, Chris Green <cmgreen () uab edu<mailto:cmgreen () uab edu>> wrote:
If I recall, you can turn on LDAPS but turning off LDAP was impossible.   For us, we have that off on one server and 
can rotate the role.  I don't recall why it was a one-off server but it was something we may have had to do either WC 
certs or load balancing for.

Better to ask this question on win-hied mailing list and get real gurus ;-)

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Childs, Aaron
Sent: Thursday, October 21, 2010 9:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] LDAPS

We enabled Secure LDAP two years ago on our 2003 R2 DCs and it does not break anything. It just listens on a different 
port (636) for secure traffic.  We did not use a wildcard cert.

Have a good day,
Aaron

-----------
Aaron Childs, CCNA
Assistant Director: Networking
Westfield State University
http://www.wsc.ma.edu/it/

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kellogg, Brian D.
Sent: Thursday, October 21, 2010 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] LDAPS

We have a product we are looking to use but it requires a secure LDAP connection to our Win2003R2 domain.  I have very 
little experience with LDAPS so below are a couple questions I have for anyone who has more experience than I with 
this.  I have read the MS requirements to implement this.

Will enabling secure LDAP break anything?  We have a lot of other LDAP stuff going on that does not require LDAPS.
Has anyone used a wildcard cert to enable secure LDAP on Windows 2003R2 DCs?


Thanks,
Brian



--
Sincerely,

Bryan Fleming
Sr. Linux Engineer
bdflemin () oakland edu
www.oakland.edu/uts
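As an added example for this thread (it is not code from any of the posters, nor from Microsoft), the script below checks the two things the discussion turns on, from the point of view of the LDAP client that will be talking to the DC: whether the certificate presented on 636 chains to a trusted CA and covers the DC's FQDN under ordinary client name-matching rules (which is where a wildcard cert either does or does not fit), and whether plain 389 is still reachable after a firewall rule like the one suggested. The hostname dc1.example.edu, the CA bundle path and the port numbers are placeholders. It tests only what a client validates; what Windows itself requires of the certificate before it will serve LDAPS is in the Microsoft requirements mentioned in the original post.

```python
"""Client-side checks for a DC that has just had LDAPS enabled.

Added example for this thread, not code from any poster.
Assumptions (placeholders): the DC is dc1.example.edu, LDAPS is on 636,
plain LDAP on 389, and the caller supplies the CA bundle that issued the
DC's certificate (internal CA or third-party chain).
"""
import socket
import ssl
import time


def hostname_matches(cert_names, hostname):
    """True if hostname is covered by one of the certificate's DNS names,
    using the usual client rules: case-insensitive; a wildcard only as the
    entire leftmost label, matching exactly one label. So *.example.edu
    covers dc1.example.edu but not dc1.ad.example.edu or example.edu."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                      # ".example.edu"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]      # what the * stands for
                if prefix and "." not in prefix:
                    return True
    return False


def dns_names_from_cert(cert):
    """Collect the DNS names a client will match against from a
    getpeercert()-style dict: SAN dNSName entries, then the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                names.append(v)
    return names


def port_open(host, port, timeout=3.0):
    """True if a TCP connection succeeds. Run against 389 after adding the
    firewall rule to confirm it is really blocked, and against 636 to
    confirm the DC is listening there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open a TLS session to the LDAPS port and validate the certificate
    as a client library would. Chain validation against cafile is done by
    the SSL context (a bad chain raises ssl.SSLCertVerificationError); the
    name match is done here so the result can be reported, not just failed.
    Returns a summary dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False   # name check is done explicitly below
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    names = dns_names_from_cert(cert)
    return {
        "tls_version": version,
        "dns_names": names,
        "name_matches": hostname_matches(names, host),
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < time.time(),
    }


if __name__ == "__main__":
    DC = "dc1.example.edu"          # placeholder DC FQDN
    CA_BUNDLE = "/etc/ssl/dc-ca.pem"  # placeholder path to the issuing CA chain
    print("389 reachable:", port_open(DC, 389))
    print("636 reachable:", port_open(DC, 636))
    print(probe_ldaps(DC, cafile=CA_BUNDLE))
```

Run it from a host that will be an LDAPS client of the DC. `name_matches` False with a wildcard in `dns_names` means the wildcard does not cover the DC's FQDN as the client sees it (for example, the DC sits one label deeper than the wildcard, or the client connects by a short name); `389 reachable: True` after the firewall rule means the rule is not doing what was intended.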
