Solved

SSL/TLS Configuration to encrypt LDAP queries from *nix.

Posted on 2006-11-27
Last Modified: 2013-12-04
Hello,

I have a FreeBSD server with OpenLDAP and SASL installed and wanted to encrypt LDAP queries from FreeBSD to my Windows 2K3 domain controller.  Has anyone configured their DC with SSL/TSL to perform this task, and if so, could you provide a How To?

Your help is greatly appreciated.

Regards,

Dave
Question by:uxphreak
12 Comments
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 18024314
I think your life would be much easier if you tried to submit the queries over kerberos rather than SSL/TLS.  Active Directory DCs use kerberos to submit and answer queries.

/F
0
 

Author Comment

by:uxphreak
ID: 18025267
F,

What would I need to do to utilize Kerberos?  Will Kerberos alone keep my LDAP queries secure?

Thanks,

Dave
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 18027149
I am not that sure with FreeBSD, but in Linux the kerberos components are usually installed.  The tricky part is the difference in the LDAP providers.  Microsoft's LDAP, and OpenLDAP are different in their implementations.

/F
0

Author Comment

by:uxphreak
ID: 18029849
F,

I am able to perform a query from FreeBSD to AD using the following:

ldapsearch -LLL -b "<DN>" -Z -D "<BindDN>" -w "<BindDNPassword>"

-Z makes ldapsearch encrypt the query with TLS.  To test this I removed the cert entry in ldap.conf of OpenLDAP and ran the above command and it would not bind because the cert was not referenced in OpenLDAP.  Once I re-added the cert entry in ldap.conf the command worked fine.

My next question is, now that my query is encrypted with TLS between FreeBSD and AD, should I be concerned with anyone "eavesdropping" on the query?  Is TLS all I need to secure the query between FreeBSD and AD?

Thanks,

Dave
0
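The test in the post above (remove the cert entry from ldap.conf, watch the bind fail) only proves something if the client is configured to demand a verifiable certificate. The following script is an added example, not from the original thread: it audits an OpenLDAP client ldap.conf for the TLS_REQCERT and TLS_CACERT/TLS_CACERTDIR entries that control that behaviour; the sample configs, host name and CA path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the OpenLDAP client
# ldap.conf entries that decide whether "ldapsearch -Z" really verifies the
# domain controller's certificate. Both sample configs are constructed.

# Print one finding per line; return 0 only when the server certificate is
# required (TLS_REQCERT) and can be chained to a configured trust anchor.
check_ldap_conf() {
    conf="$1"
    status=0
    # ldap.conf keywords are case-insensitive; take the last occurrence.
    reqcert=$(awk 'tolower($1)=="tls_reqcert" {v=tolower($2)} END {print v}' "$conf")
    cacert=$(awk 'tolower($1)=="tls_cacert" || tolower($1)=="tls_cacertdir" {v=$2} END {print v}' "$conf")
    case "$reqcert" in
        ""|demand|hard)
            echo "OK: TLS_REQCERT ${reqcert:-unset (default demand)}, bind fails on a bad cert" ;;
        try)
            echo "WARN: TLS_REQCERT try rejects a bad cert but tolerates a missing one" ;;
        never|allow)
            echo "WEAK: TLS_REQCERT $reqcert lets the bind continue with an unverifiable cert"
            status=1 ;;
        *)
            echo "WEAK: unrecognised TLS_REQCERT value '$reqcert'"
            status=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "WEAK: no TLS_CACERT/TLS_CACERTDIR, the DC cert cannot be chained to a trusted CA"
        status=1
    else
        echo "OK: trust anchor $cacert"
    fi
    return "$status"
}

WORK=$(mktemp -d)
# Weak sample: binds even when the DC presents an unverifiable certificate.
cat > "$WORK/weak.conf" <<'EOF'
URI    ldap://dc1.example.test
TLS_REQCERT allow
EOF
# Hardened sample: trust the AD CA (path is a placeholder) and demand verification.
cat > "$WORK/hard.conf" <<'EOF'
URI    ldap://dc1.example.test
TLS_CACERT  /usr/local/etc/openldap/ad-root-ca.pem
TLS_REQCERT demand
EOF

check_ldap_conf "$WORK/weak.conf" || echo "weak.conf: FAIL"
check_ldap_conf "$WORK/hard.conf" && echo "hard.conf: PASS"
```

Note that a single -Z lets ldapsearch continue in cleartext if the StartTLS operation is refused, while -ZZ aborts the search instead; for a test like the one above, -ZZ is the option that proves the query was protected.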
 
LVL 3

Accepted Solution

by:
Manish Naik earned 250 total points
ID: 18612388
Hi,

I guess the best you can have is 128 Bit.  Once specified minssf=128, all queries will work with the best. I guess nobody can eavesdrop on the query as even today many of the ecommerce and payment enabled sites are still on 128 Bit without any problems of Man in the Middle or eavesdropping as you say.

The question if TLS is all that you need to secure the query is answered above.  Once the query travels, encrypted on the wire, even if somebody eavesdrops, it's as good as getting junk.

Hope you have set all queries to 128 Bit in your ldap.conf.

Regards
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 18612494
Yes, I would assume that you are fine as long as you understand the actual traffic is not encrypted, just the end-points.

/F
0
 
LVL 3

Expert Comment

by:Manish Naik
ID: 18612556
Hi,
Yep, but even then the content is safe within the traffic, right ?  TLS does protect against man-in-the-middle which is what uxphreak is afraid of I suppose.
Regards
0
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 250 total points
ID: 18612627
Technically no, if someone were to catch and hack the authentication sequence, a MitM attack could happen.  The chances of that occurring are so remote, I have trouble writing it...

/F
0
 
LVL 3

Expert Comment

by:Manish Naik
ID: 18612811
Hi,

http://en.wikipedia.org/wiki/Transport_Layer_Security

As I understand even the "Master Secret" is encrypted using the public key when it travels the network which makes it a little infeasible to attack.  

The only possible way is to hijack the entire session and masquerade as a client from the initiation of the sequence.

Just debating to get better understanding.

Regards
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 18612997
I understand, but it is safer to proceed under the premonition that nothing is hack-proof.

You are asking for a definitive answer to a question that does not have one.  The US govt. has stuff that can peek right inside of a VPN and anything using TLS.  I think the author is safe from 99% of the hacks out there with this solution.  More than likely any attack would have to come from inside the network...

/F
0
 
LVL 1

Expert Comment

by:Computer101
ID: 21101083
Forced accept.

Computer101
EE Admin
0
