Educause Security Discussion mailing list archives

Re: LDAPS


From: Bryan Fleming <bdflemin () OAKLAND EDU>
Date: Thu, 21 Oct 2010 13:19:02 -0400

Hey Brian,

I can't help you directly with this problem as we don't use Active Directory
for our LDAP service but we do have a wildcard cert in place for all of our
websites and I will be placing LDAPS to authenticate to our Linux boxes
really soon. To answer your questions:

Q: Will enabling LDAPS break anything?
A: It shouldn't. As long as you leave port 389 open, you shouldn't break
anything. You can have both LDAP and LDAPS open at the same time since LDAPS
just opens up another port to allow that traffic in (port 636).

Q: Has anyone used a wildcard cert to enable LDAPS on Windows 2003R2 DCs?
A: I have not and we probably won't for Windows but on my RHEL servers, I
will be trying very soon as it should be doable (need to make some changes
on the server's ldap.conf file and insert the necessary certificates for it
to work).

Wish I could be more help for the Windows side but what should work on my
area should probably work for Windows.

Also, maybe I missed something, but why the dislike for non-self-signed
certs? I don't see why getting a Verisign cert is less secure than a
self-signed cert. I do see the benefit of using a self-signed cert for internal
uses only as long as you have a CA involved, but getting a cert from a
trusted cert provider means it will work for internal and external uses.
Please update me on this as I would like to know.

On Thu, Oct 21, 2010 at 11:58 AM, Kellogg, Brian D. <bkellogg () sbu edu> wrote:

Thanks

We want both to be used without interruption to unsecured LDAP access.

I really do not want to set up an internal CA just to issue certs to my DCs
in order to get one piece of software to function. Eric Lukens made some
good points that made me think twice about using a third party cert. I hate
adding complexity to a well running system for little or no reason.

We may be looking for another product to fulfill our needs. Bummer, their
pricing was excellent.

Thanks,

Brian





*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Bryan Fleming
*Sent:* Thursday, October 21, 2010 11:47 AM

*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] LDAPS



If you want to only allow port 636 to be used, you could always use the
Windows Firewall to block traffic for any requests going to port 389 and
that should solve that issue.

On Thu, Oct 21, 2010 at 10:40 AM, Chris Green <cmgreen () uab edu> wrote:

If I recall, you can turn on LDAPS but turning off LDAP was impossible.
For us, we have that off on one server and can rotate the role. I don't
recall why it was a one-off server but it was something we may have had to
do either WC certs or load balancing for.

Better to ask this question on win-hied mailing list and get real gurus ;-)


*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Childs, Aaron
*Sent:* Thursday, October 21, 2010 9:30 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] LDAPS

We enabled Secure LDAP two years ago on our 2003 R2 DCs and it does not
break anything. It just listens on a different port (636) for secure
traffic. We did not use a wildcard cert.

Have a good day,

Aaron

-----------

Aaron Childs, CCNA

Assistant Director: Networking

Westfield State University

http://www.wsc.ma.edu/it/



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Kellogg, Brian D.
*Sent:* Thursday, October 21, 2010 10:19 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] LDAPS

We have a product we are looking to use but it requires a secure LDAP
connection to our Win2003R2 domain. I have very little experience with
LDAPS so below are a couple questions I have for anyone who has more
experience than I with this. I have read the MS requirements to implement
this.

Will enabling secure LDAP break anything? We have a lot of other LDAP
stuff going on that does not require LDAPS.

Has anyone used a wildcard cert to enable secure LDAP on Windows 2003R2
DCs?

Thanks,

Brian

--
Sincerely,

Bryan Fleming
Sr. Linux Engineer
bdflemin () oakland edu
www.oakland.edu/uts

--
Sincerely,

Bryan Fleming
Sr. Linux Engineer
bdflemin () oakland edu
www.oakland.edu/uts
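The thread asks two practical things: whether enabling LDAPS leaves cleartext LDAP on 389 reachable, and whether a certificate (wildcard or otherwise) presented on 636 actually validates and covers the domain controller's hostname. The script below is an added example for this archive page, not code from any of the posters. It probes both ports, verifies the 636 certificate chain against a CA bundle (or the system trust store), and applies the usual wildcard matching rule, so `*.example.edu` covers `dc1.example.edu` but not `example.edu` or `a.dc1.example.edu`. The hostname `dc1.example.edu` and the CA bundle path are placeholders to be replaced; the certificate dictionary used in the self-check is constructed in the same shape Python's `ssl` module returns.

```python
"""Probe a directory server for LDAPS on 636 and cleartext LDAP on 389.

Added example for this list thread (not any poster's code). Host and CA
bundle path below are assumed placeholders.
"""
import socket
import ssl
import sys


def hostname_matches(pattern, hostname):
    """True if a certificate DNS name (possibly a wildcard) covers hostname.

    Wildcard rule as browsers and RFC 6125 apply it: '*' may only be the
    entire left-most label, matches exactly one label, and a bare '*.edu'
    style pattern is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert):
    """DNS names from a cert dict in the shape ssl.SSLSocket.getpeercert() returns.

    SubjectAltName DNS entries win; the subject CN is used only when no SAN
    is present, which is how modern clients behave.
    """
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def covering_name(cert, hostname):
    """Return the certificate name that covers hostname, or None."""
    for name in cert_dns_names(cert):
        if hostname_matches(name, hostname):
            return name
    return None


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (no protocol exchange)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """TLS handshake on port; chain is verified against cafile or the system store.

    Hostname checking is done separately via covering_name() so the report
    can say which certificate name matched. Raises ssl.SSLError on an
    untrusted chain and OSError if the port is closed.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name check is done by covering_name()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Placeholders: replace with the DC's FQDN and the issuing CA bundle.
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.edu"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    print(f"389 (cleartext LDAP) reachable: {port_open(host, 389)}")
    print(f"636 (LDAPS) reachable:          {port_open(host, 636)}")
    try:
        cert = probe_ldaps(host, cafile=cafile)
    except ssl.SSLError as exc:
        print(f"636 certificate chain NOT trusted: {exc}")
    except OSError as exc:
        print(f"636 handshake failed: {exc}")
    else:
        print(f"636 certificate names: {cert_dns_names(cert)}")
        match = covering_name(cert, host)
        print(f"name covering {host}: {match if match else 'NONE (mismatch)'}")
```

Run it as `python ldaps_probe.py dc1.example.edu /path/to/ca-bundle.pem`. A "NONE (mismatch)" result with a wildcard certificate usually means the client connected by a short name or an alias that the wildcard does not cover, which is the same reason a wildcard certificate can validate for web servers yet fail for a specific DC.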