Solved

SSL/TLS Configuration to encrypt LDAP queries from *nix.

Posted on 2006-11-27
12
545 Views
Last Modified: 2013-12-04
Hello,

I have a FreeBSD server with OpenLDAP and SASL installed and wanted to encrypt LDAP queries from FreeBSD to my Windows 2K3 domain controller.  Has anyone configured their DC with SSL/TLS to perform this task, and if so, could you provide a How To?

Your help is greatly appreciated.

Regards,

Dave
Question by:uxphreak
12 Comments
LVL 27

Expert Comment

by:Jason Watkins
ID: 18024314
I think your life would be much easier if you tried to submit the queries over kerberos rather than SSL/TLS.  Active Directory DCs use kerberos to submit and answer queries.

/F

Author Comment

by:uxphreak
ID: 18025267
F,

What would I need to do to utilize Kerberos?  Will Kerberos alone keep my LDAP queries secure?

Thanks,

Dave
LVL 27

Expert Comment

by:Jason Watkins
ID: 18027149
I am not that sure with FreeBSD, but in Linux the kerberos components are usually installed.  The tricky part is the difference in the LDAP providers.  Microsoft's LDAP, and OpenLDAP are different in their implementations.

/F

Author Comment

by:uxphreak
ID: 18029849
F,

I am able to perform a query from FreeBSD to AD using the following:

ldapsearch -LLL -b "<DN>" -Z -D "<BindDN>" -w "<BindDNPassword>"

-Z makes ldapsearch encrypt the query with TLS.  To test this I removed the cert entry in ldap.conf of OpenLDAP and ran the above command and it would not bind because the cert was not referenced in OpenLDAP.  Once I re-added the cert entry in ldap.conf the command worked fine.

My next question is, now that my query is encrypted with TLS between FreeBSD and AD, should I be concerned with anyone "eavesdropping" on the query?  Is TLS all I need to secure the query between FreeBSD and AD?

Thanks,

Dave
LVL 3

Accepted Solution

by:
Manish Naik earned 250 total points
ID: 18612388
Hi,

I guess the best you can have is 128 Bit.  Once minssf=128 is specified, all queries will work with the best. I guess nobody can eavesdrop on the query as even today many of the ecommerce and payment enabled sites are still on 128 Bit without any problems of Man in the Middle or eavesdropping as you say.

The question if TLS is all that you need to secure the query is answered above.  Once the query travels, encrypted on the wire, even if somebody eavesdrops, it's as good as getting junk.

Hope you have set all queries to 128 Bit in your ldap.conf.

Regards
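An added example (not from the thread or from OpenLDAP) that audits a client ldap.conf for the three settings this discussion turns on: the cert entry uxphreak removed and re-added (TLS_CACERT), certificate verification (TLS_REQCERT), and the minssf=128 that the accepted answer recommends. The sample config files are constructed here, and the paths and DNs in them are placeholders.

```shell
#!/bin/sh
# Added example: audit an OpenLDAP client ldap.conf (see ldap.conf(5)).
# Returns 0 only when all three checks pass, printing one line per problem.
#   TLS_CACERT    <file>      CA that signed the DC certificate (the "cert entry")
#   TLS_REQCERT   demand|hard refuse to bind if the server cert does not verify;
#                             this, not the key size, is what defeats a man-in-the-middle
#   SASL_SECPROPS minssf=N    minimum security strength factor for SASL binds
check_ldap_conf() {
    conf="$1"
    rc=0
    # Drop comments, collapse runs of whitespace, strip trailing blanks.
    cleaned=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/ $//' "$conf")
    if ! printf '%s\n' "$cleaned" | grep -qi '^TLS_CACERT '; then
        echo "MISSING: TLS_CACERT (server certificate cannot be verified)"; rc=1
    fi
    if ! printf '%s\n' "$cleaned" | grep -qiE '^TLS_REQCERT (demand|hard)$'; then
        echo "WEAK: TLS_REQCERT is not demand/hard (verification failures are tolerated)"; rc=1
    fi
    ssf=$(printf '%s\n' "$cleaned" | grep -i '^SASL_SECPROPS ' \
          | sed -n 's/.*minssf=\([0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$ssf" ] || [ "$ssf" -lt 128 ]; then
        echo "WEAK: SASL_SECPROPS minssf is '${ssf:-unset}', want >= 128"; rc=1
    fi
    return $rc
}

# Constructed sample configs (placeholders, not from the thread) so this runs offline.
weak_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
# StartTLS is requested, but the CA entry is gone and failures are tolerated
TLS_REQCERT   allow
SASL_SECPROPS minssf=56
EOF
hardened_conf=$(mktemp)
cat >"$hardened_conf" <<'EOF'
BASE          dc=example,dc=com                     # placeholder DN
URI           ldap://dc1.example.com                # placeholder DC
TLS_CACERT    /usr/local/etc/openldap/cacert.pem    # placeholder CA bundle
TLS_REQCERT   demand
SASL_SECPROPS minssf=128
EOF

check_ldap_conf "$hardened_conf" && echo "hardened ldap.conf: OK"
check_ldap_conf "$weak_conf" || echo "weak ldap.conf: FAIL"
```

With a config that passes, run the query with `ldapsearch -ZZ` rather than `-Z`: a single `-Z` only requests StartTLS, while `-ZZ` makes ldapsearch abort the bind if StartTLS does not succeed.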
LVL 27

Expert Comment

by:Jason Watkins
ID: 18612494
Yes, I would assume that you are fine as long as you understand the actual traffic is not encrypted, just the end-points.

/F
LVL 3

Expert Comment

by:Manish Naik
ID: 18612556
Hi,
Yep, but even then the content is safe within the traffic, right?  TLS does protect against man-in-the-middle which is what uxphreak is afraid of I suppose.
Regards
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 250 total points
ID: 18612627
Technically no, if someone were to catch and hack the authentication sequence, a MitM attack could happen.  The chances of that occurring are so remote, I have trouble writing it...

/F
LVL 3

Expert Comment

by:Manish Naik
ID: 18612811
Hi,

http://en.wikipedia.org/wiki/Transport_Layer_Security

As I understand it, even the "Master Secret" is encrypted using the public key when it travels the network, which makes it a little infeasible to attack.

The only possible way is to hijack the entire session and masquerade as a client from the initiation of the sequence.

Just debating to get better understanding.

Regards
LVL 27

Expert Comment

by:Jason Watkins
ID: 18612997
I understand, but it is safer to proceed under the premonition that nothing is hack-proof.

You are asking for a definitive answer to a question that does not have one.  The US govt. has stuff that can peek right inside of a VPN and anything using TLS.  I think the author is safe from 99% of the hacks out there with this solution.  More than likely any attack would have to come from inside the network...

/F
LVL 1

Expert Comment

by:Computer101
ID: 21101083
Forced accept.

Computer101
EE Admin