  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 553

SSL/TLS Configuration to encrypt LDAP queries from *nix.

Hello,

I have a FreeBSD server with OpenLDAP and SASL installed and wanted to encrypt LDAP queries from FreeBSD to my Windows 2K3 domain controller.  Has anyone configured their DC with SSL/TLS to perform this task, and if so, could you provide a How To?

Your help is greatly appreciated.

Regards,

Dave
Asked by: uxphreak

2 Solutions

Jason Watkins (IT Project Leader) commented:
I think your life would be much easier if you tried to submit the queries over Kerberos rather than SSL/TLS.  Active Directory DCs use Kerberos to submit and answer queries.

/F
0
 
uxphreak (Author) commented:
F,

What would I need to do to utilize Kerberos?  Will Kerberos alone keep my LDAP queries secure?

Thanks,

Dave
0
 
Jason Watkins (IT Project Leader) commented:
I am not that sure with FreeBSD, but in Linux the Kerberos components are usually installed.  The tricky part is the difference in the LDAP providers.  Microsoft's LDAP and OpenLDAP are different in their implementations.

/F
0
 
uxphreak (Author) commented:
F,

I am able to perform a query from FreeBSD to AD using the following:

ldapsearch -LLL -b "<DN>" -Z -D "<BindDN>" -w "<BindDNPassword>"

-Z makes ldapsearch encrypt the query with TLS.  To test this I removed the cert entry in ldap.conf of OpenLDAP and ran the above command, and it would not bind because the cert was not referenced in OpenLDAP.  Once I re-added the cert entry in ldap.conf the command worked fine.

My next question is, now that my query is encrypted with TLS between FreeBSD and AD, should I be concerned with anyone "eavesdropping" on the query?  Is TLS all I need to secure the query between FreeBSD and AD?

Thanks,

Dave
0
 
Manish Naik commented:
Hi,

I guess the best you can have is 128 Bit.  Once you specify minssf=128, all queries will work with the best.  I guess nobody can eavesdrop on the query, as even today many of the ecommerce and payment enabled sites are still on 128 Bit without any problems of Man in the Middle or eavesdropping as you say.

The question of whether TLS is all that you need to secure the query is answered above.  Once the query travels encrypted on the wire, even if somebody eavesdrops, it's as good as getting junk.

Hope you have set all queries to 128 Bit in your ldap.conf.

Regards
0
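The two posts above turn on what the client side of StartTLS actually checks. uxphreak's observation (the bind fails when the cert entry is removed from ldap.conf) is what you want to see: it means the client refuses to talk to a server whose certificate it cannot verify. Manish's minssf=128 setting is an ldap.conf SASL_SECPROPS option and only governs SASL binds; a simple bind with -D/-w sends the password to whichever endpoint terminates TLS, so the certificate check is what keeps an impostor DC from receiving it. The script below is an added example, not code from the thread or from the OpenLDAP project: it audits an ldap.conf for the keywords that decide this (TLS_REQCERT, TLS_CACERT/TLS_CACERTDIR and SASL_SECPROPS are real OpenLDAP ldap.conf keywords; the hostnames, DNs and CA path are constructed placeholders) and prints the hardened form of the thread's ldapsearch command.

```shell
#!/bin/sh
# Added example, not from the thread: audit the OpenLDAP client ldap.conf that
# "ldapsearch -Z" reads, for the settings that decide whether StartTLS really
# resists eavesdropping and an impostor server. Runs offline on constructed input.

# Constructed sample: encrypts the wire but accepts any certificate, so whoever
# terminates TLS (the real DC or an impostor) receives the bind password.
WEAK_CONF='BASE   dc=example,dc=com
URI    ldap://dc01.example.com
# encrypt, but never verify the server certificate
TLS_REQCERT never'

# Constructed sample: hardened form. Host, base and CA file path are placeholders.
HARDENED_CONF='BASE   dc=example,dc=com
URI    ldap://dc01.example.com
TLS_CACERT /usr/local/etc/openldap/cacerts/ad-root-ca.pem
TLS_REQCERT demand
SASL_SECPROPS minssf=128,noanonymous'

# Print the last value of an ldap.conf keyword (keywords are case-insensitive,
# later lines override earlier ones, lines starting with '#' are comments).
conf_value() {   # $1 = keyword in upper case, ldap.conf text on stdin
    awk -v key="$1" 'toupper($1)==key {v=$2} END {print v}'
}

# audit_ldap_conf: ldap.conf text on stdin; prints one finding per line and
# returns 0 only when the server certificate is verified against a trusted CA.
audit_ldap_conf() {
    conf=$(cat)
    reqcert=$(printf '%s\n' "$conf" | conf_value TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(printf '%s\n' "$conf" | conf_value TLS_CACERT)
    cacertdir=$(printf '%s\n' "$conf" | conf_value TLS_CACERTDIR)
    # SASL_SECPROPS is a comma-separated list such as "minssf=128,noanonymous"
    minssf=$(printf '%s\n' "$conf" | conf_value SASL_SECPROPS |
        awk -F, '{for (i=1;i<=NF;i++) if ($i ~ /^minssf=/) {split($i,a,"="); v=a[2]}} END {print v}')
    status=0
    case "$reqcert" in
        demand|hard|'')
            echo "OK   TLS_REQCERT=${reqcert:-demand (default)}: a bad or missing server certificate aborts the connection" ;;
        never|allow|try)
            echo "WEAK TLS_REQCERT=$reqcert: a forged or missing certificate is accepted, so StartTLS does not stop an impostor DC"
            status=1 ;;
        *)
            echo "WEAK TLS_REQCERT=$reqcert: unrecognised value"
            status=1 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "WARN no TLS_CACERT/TLS_CACERTDIR: no trust anchor to verify the DC certificate against"
        status=1
    fi
    if [ -z "$minssf" ] || [ "$minssf" -lt 128 ]; then
        echo "INFO SASL_SECPROPS minssf is ${minssf:-unset}: SASL binds would accept a weaker security layer; simple binds (-D/-w) rely on TLS alone"
    else
        echo "OK   SASL_SECPROPS minssf=$minssf"
    fi
    return "$status"
}

# hardened_ldapsearch: the thread's query with two changes. -ZZ makes a failed
# StartTLS negotiation fatal instead of continuing in cleartext, and -W prompts
# for the password instead of placing it on the command line, where other users
# can read it from the process list and it ends up in shell history.
hardened_ldapsearch() {   # $1 = search base, $2 = bind DN
    printf 'ldapsearch -LLL -ZZ -b "%s" -D "%s" -W\n' "$1" "$2"
}

printf '%s\n' "$WEAK_CONF" | audit_ldap_conf || echo "weak config rejected"
printf '%s\n' "$HARDENED_CONF" | audit_ldap_conf && echo "hardened config accepted"
hardened_ldapsearch "dc=example,dc=com" "cn=svc-ldap,ou=Service Accounts,dc=example,dc=com"
```

Run it against your own file with `audit_ldap_conf < /usr/local/etc/openldap/ldap.conf` (path assumed for FreeBSD; OpenLDAP also honours a per-user ~/.ldaprc). The point to take from the two samples is that -Z and -ZZ only request encryption; TLS_REQCERT demand plus a TLS_CACERT that actually contains the DC's issuing CA is what makes the encrypted session end at the right server.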
 
Jason Watkins (IT Project Leader) commented:
Yes, I would assume that you are fine as long as you understand the actual traffic is not encrypted, just the end-points.

/F
0
 
Manish Naik commented:
Hi,
Yep, but even then the content is safe within the traffic, right?  TLS does protect against man-in-the-middle, which is what uxphreak is afraid of, I suppose.
Regards
0
 
Jason Watkins (IT Project Leader) commented:
Technically no, if someone were to catch and hack the authentication sequence, a MitM attack could happen.  The chances of that occurring are so remote, I have trouble writing it...

/F
0
 
Manish Naik commented:
Hi,

http://en.wikipedia.org/wiki/Transport_Layer_Security

As I understand it, even the "Master Secret" is encrypted using the public key when it travels the network, which makes it a little infeasible to attack.

The only possible way is to hijack the entire session and masquerade as a client from the initiation of the sequence.

Just debating to get better understanding.

Regards
0
 
Jason Watkins (IT Project Leader) commented:
I understand, but it is safer to proceed under the premonition that nothing is hack-proof.

You are asking for a definitive answer to a question that does not have one.  The US govt. has stuff that can peek right inside of a VPN and anything using TLS.  I think the author is safe from 99% of the hacks out there with this solution.  More than likely any attack would have to come from inside the network...

/F
0
 
Computer101 commented:
Forced accept.

Computer101
EE Admin
0
