Solved

SSL/TLS Configuration to encrypt LDAP queries from *nix.

Posted on 2006-11-27
Last Modified: 2013-12-04
Hello,

I have a FreeBSD server with OpenLDAP and SASL installed and wanted to encrypt LDAP queries from FreeBSD to my Windows 2K3 domain controller.  Has anyone configured their DC with SSL/TLS to perform this task, and if so, could you provide a How To?

Your help is greatly appreciated.

Regards,

Dave
Question by:uxphreak
LVL 27

Expert Comment

by:Jason Watkins
I think your life would be much easier if you tried to submit the queries over kerberos rather than SSL/TLS.  Active Directory DCs use kerberos to submit and answer queries.

/F
 

Author Comment

by:uxphreak
F,

What would I need to do to utilize Kerberos?  Will Kerberos alone keep my LDAP queries secure?

Thanks,

Dave
 
LVL 27

Expert Comment

by:Jason Watkins
I am not that sure with FreeBSD, but in Linux the kerberos components are usually installed.  The tricky part is the difference in the LDAP providers.  Microsoft's LDAP, and OpenLDAP are different in their implementations.

/F
 

Author Comment

by:uxphreak
F,

I am able to perform a query from FreeBSD to AD using the following:

ldapsearch -LLL -b "<DN>" -Z -D "<BindDN>" -w "<BindDNPassword>"

-Z makes ldapsearch encrypt the query with TLS.  To test this I removed the cert entry in ldap.conf of OpenLDAP and ran the above command and it would not bind because the cert was not referenced in OpenLDAP.  Once I re-added the cert entry in ldap.conf the command worked fine.

My next question is, now that my query is encrypted with TLS between FreeBSD and AD, should I be concerned with anyone "eavesdropping" on the query?  Is TLS all I need to secure the query between FreeBSD and AD?

Thanks,

Dave
 
LVL 3

Accepted Solution

by:Manish Naik
Manish Naik earned 250 total points
Hi,

I guess the best you can have is 128 Bit.  Once minssf=128 is specified, all queries will work with the best. I guess nobody can eavesdrop on the query, as even today many of the ecommerce and payment enabled sites are still on 128 Bit without any problems of Man in the Middle or eavesdropping as you say.

The question of whether TLS is all that you need to secure the query is answered above.  Once the query travels encrypted on the wire, even if somebody eavesdrops, it's as good as getting junk.

Hope you have set all queries to 128 Bit in your ldap.conf.

Regards
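The two settings the thread turns on are the cert entry in ldap.conf and minssf=128. Whether StartTLS actually stops a man-in-the-middle depends on the client verifying the DC's certificate (TLS_REQCERT), so the check below, an added example that is not from the thread, lints a constructed ldap.conf for a trusted CA, mandatory certificate verification and the minimum SSF, and builds the ldapsearch command with -ZZ so a failed StartTLS aborts instead of falling back to the clear. All file paths and DNs are constructed.

```python
"""Lint an OpenLDAP client ldap.conf for the settings that make a StartTLS query
resistant to eavesdropping and man-in-the-middle. Constructed sample configs."""
import re

# Constructed ldap.conf with two weak settings (not the asker's real file).
WEAK_CONF = """
BASE    dc=example,dc=com
URI     ldap://dc1.example.com
TLS_CACERT    /usr/local/etc/openldap/cacert.pem
TLS_REQCERT   allow
SASL_SECPROPS minssf=56
"""

# Same file with certificate verification enforced and minssf raised to 128.
HARDENED_CONF = WEAK_CONF.replace("allow", "demand").replace("minssf=56", "minssf=128")


def parse_ldap_conf(text):
    """Return {KEY: value}; ldap.conf keys are case-insensitive, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf


def check_ldap_conf(text, min_ssf=128):
    """Return findings; an empty list means the client validates the DC certificate
    and refuses SASL security layers weaker than min_ssf."""
    conf = parse_ldap_conf(text)
    findings = []
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the DC certificate cannot be validated")
    # OpenLDAP's default for TLS_REQCERT is 'demand'; 'never'/'allow'/'try' accept a bad cert.
    if conf.get("TLS_REQCERT", "demand").lower() not in ("demand", "hard"):
        findings.append("TLS_REQCERT is not 'demand': an unverified certificate is accepted, "
                        "so StartTLS gives no man-in-the-middle protection")
    m = re.search(r"minssf=(\d+)", conf.get("SASL_SECPROPS", ""))
    ssf = int(m.group(1)) if m else 0
    if ssf < min_ssf:
        findings.append(f"minssf is {ssf}, below {min_ssf}")
    return findings


def ldapsearch_argv(base, binddn):
    """The thread's command with -ZZ (StartTLS failure is fatal, not a warning that
    lets the bind continue in clear) and -W (prompt) instead of -w <password>."""
    return ["ldapsearch", "-LLL", "-ZZ", "-b", base, "-D", binddn, "-W"]
```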
 
LVL 27

Expert Comment

by:Jason Watkins
Yes, I would assume that you are fine as long as you understand the actual traffic is not encrypted, just the end-points.

/F
 
LVL 3

Expert Comment

by:Manish Naik
Hi,
Yep, but even then the content is safe within the traffic, right ?  TLS does protect against man-in-the-middle which is what uxphreak is afraid of I suppose.
Regards
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 250 total points
Technically no, if someone were to catch and hack the authentication sequence, a MitM attack could happen.  The chances of that occurring are so remote, I have trouble writing it...

/F
 
LVL 3

Expert Comment

by:Manish Naik
Hi,

http://en.wikipedia.org/wiki/Transport_Layer_Security

As I understand even the "Master Secret" is encrypted using the public key when it travels the network which makes it a little infeasible to attack.  

The only possible way is to hijack the entire session and masquerade as a client from the initiation of the sequence.

Just debating to get a better understanding.

Regards
 
LVL 27

Expert Comment

by:Jason Watkins
I understand, but it is safer to proceed under the premonition that nothing is hack-proof.

You are asking for a definitive answer to a question that does not have one.  The US govt. has stuff that can peek right inside of a VPN and anything using TLS.  I think the author is safe from 99% of the hacks out there with this solution.  More than likely any attack would have to come from inside the network...

/F
 
LVL 1

Expert Comment

by:Computer101
Forced accept.

Computer101
EE Admin