Educause Security Discussion mailing list archives

Fwd: Re: [SECURITY] LDAPS


From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Thu, 21 Oct 2010 11:44:29 -0500


I realized I had only replied to Brian and not the list, so I've
forwarded the message I sent him.

-Eric

--- Begin Message ---
From: "Eric C. Lukens" <eric.lukens () uni edu>
Date: Thu, 21 Oct 2010 09:54:22 -0500
My opinions are below.

-------- Original Message --------
Subject: [SECURITY] LDAPS
From: Kellogg, Brian D. <bkellogg () SBU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 10/21/2010 9:18 AM

> We have a product we are looking to use but it requires a secure LDAP
> connection to our Win2003R2 domain.  I have very little experience with
> LDAPS so below are a couple questions I have for anyone who has more
> experience than I with this.  I have read the MS requirements to
> implement this.
>
> Will enabling secure LDAP break anything?  We have a lot of other LDAP
> stuff going on that does not require LDAPS.

Not unless you (or the guide you follow to implement LDAPS) want to
block LDAP.  Once the cert gets installed on the DCs, the Windows
machines will all get the cert and just switch over to LDAPS.


> Has anyone used a wildcard cert to enable secure LDAP on Windows 2003R2 DCs?

We haven't tried that, but I wouldn't recommend it either.  If it were
up to me, I'd use a self-signed cert instead so you don't have to change
it out each time the cert expires.  Since the machines are part of a
domain, they'll all trust the cert handed to them by the DC implicitly
anyway, regardless of who or what signed it (unless you've made some
crazy changes to your domain).  Most (all?) of the products I've
encountered do not authenticate the root and intermediates of an LDAPS
cert anyway, and even if they did, you can still manually approve or add
it to the certificate store.

> Thanks,
>
> Brian


-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/



--- End Message ---
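An added example (not from either poster) for checking the two points raised in the thread from the client side: whether a wildcard name would actually cover a DC's FQDN, and whether the DC's LDAPS listener passes a real chain-and-hostname validation instead of being trusted implicitly. The host names used here are constructed placeholders; `check_ldaps` needs network access to a DC and is not exercised by the offline checks.

```python
"""Client-side checks for an LDAPS listener on a domain controller (added example)."""
import socket
import ssl
from typing import List, Optional


def hostname_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style matching: a wildcard covers exactly one leftmost label,
    so '*.example.edu' matches 'dc1.example.edu' but not 'dc1.ad.example.edu'.
    This is why a wildcard cert often fails for DCs in a child AD domain."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # ".example.edu"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def names_in_cert(cert: dict) -> List[str]:
    """Collect DNS SANs from ssl's getpeercert() dict, falling back to the CN."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names


def check_ldaps(host: str, port: int = 636, cafile: Optional[str] = None) -> dict:
    """Open a *verified* TLS session to the DC's LDAPS port (constructed host).
    With cafile=None the OS trust store is used, so a self-signed DC cert
    raises ssl.SSLCertVerificationError here; that is what a client which
    really validates the chain would see. Pass the domain CA's PEM as cafile
    to confirm the chain the DC serves is complete."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            names = names_in_cert(cert)
            return {
                "protocol": tls.version(),
                "names": names,
                "not_after": cert.get("notAfter"),
                "hostname_ok": any(hostname_matches(n, host) for n in names),
            }
```

Run `check_ldaps("dc1.example.edu", cafile="enterprise-ca.pem")` with your own DC name and CA file; an exception rather than a result means the listener is up but would not survive a validating client.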
