Educause Security Discussion mailing list archives
Fwd: Re: [SECURITY] LDAPS
From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Thu, 21 Oct 2010 11:44:29 -0500
I realized I had only replied to Brian and not the list, so I've forwarded the message I sent him.

-Eric

--- Begin Message ---
From: "Eric C. Lukens" <eric.lukens () uni edu>
Date: Thu, 21 Oct 2010 09:54:22 -0500

My opinions are below.

-------- Original Message --------
Subject: [SECURITY] LDAPS
From: Kellogg, Brian D. <bkellogg () SBU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 10/21/2010 9:18 AM

> We have a product we are looking to use but it requires a secure LDAP connection to our Win2003R2 domain. I have very little experience with LDAPS, so below are a couple of questions I have for anyone who has more experience than I with this. I have read the MS requirements to implement this.
>
> Will enabling secure LDAP break anything? We have a lot of other LDAP stuff going on that does not require LDAPS.

Not unless you (or the guide you follow to implement LDAPS) want to block LDAP. Once the cert gets installed on the DCs, the Windows machines will all get the cert and just switch over to LDAPS.

> Has anyone used a wildcard cert to enable secure LDAP on Windows 2003R2 DCs?

We haven't tried that, but I wouldn't recommend it either. If it were up to me, I'd use a self-signed cert instead so you don't have to change it out each time the cert expires. Since the machines are part of a domain, they'll all trust the cert handed to them by the DC implicitly anyway, regardless of who or what signed it (unless you've made some crazy changes to your domain). Most (all?) of the products I've encountered do not authenticate the root and intermediates of an LDAPS cert anyway, and even if they did, you can still manually approve or add it to the certificate store.

> Thanks,
> Brian

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/
--- End Message ---
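Added example, not part of the thread: a Python check an administrator can run against a DC after enabling LDAPS. It validates the chain the DC presents (against the system trust store, or against a ca_file pointed at the DC's self-signed or internal CA certificate) and reports whether the certificate's names cover the DC's FQDN under the single-label wildcard rule, which is what decides whether a wildcard such as *.example.edu would cover a DC named dc1.ad.example.edu. The server names, ports and CA file path are assumptions.

```python
import socket
import ssl


def hostname_matches(hostname, names):
    """True if hostname is covered by one of the certificate's DNS names.

    Applies the RFC 6125 wildcard rule: '*' may replace only the leftmost
    label, so '*.example.edu' covers 'dc1.example.edu' but not
    'dc1.ad.example.edu' (typical when AD lives in a sub-domain).
    """
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                                   # ".example.edu"
            left = host[: -len(suffix)] if host.endswith(suffix) else ""
            if left and "." not in left:
                return True
    return False


def check_ldaps(server, port=636, ca_file=None):
    """Open a TLS session to the DC's LDAPS port, require the chain to
    validate (system store, or ca_file if given), and report what the DC
    presented plus whether its names cover the name the client used."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False            # name check is done below, verbosely
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain validation stays mandatory
    try:
        with socket.create_connection((server, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=server) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return {"server": server, "ok": False, "error": str(exc)}
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    # Legacy DC certs may carry only a CN; fall back to it when no SAN exists.
    names = sans or [subject.get("commonName", "")]
    return {"server": server, "ok": hostname_matches(server, names),
            "subject": subject, "issuer": issuer, "san": sans,
            "not_after": cert.get("notAfter")}


if __name__ == "__main__":
    import sys  # usage: python check_ldaps.py dc1.ad.example.edu [ca.pem]
    print(check_ldaps(sys.argv[1], ca_file=sys.argv[2] if len(sys.argv) > 2 else None))
```

Running it from a non-domain host shows what a third-party product will see: a self-signed DC certificate fails chain validation until its certificate is supplied as ca_file, while a wildcard certificate passes validation but fails the name check if the DC's FQDN has an extra label.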