Asked by NYGiantsFan

LDAP Security Concerns

I have a few questions about the LDAP protocol:

1.  Is the authentication login encrypted?
2.  What type of security concerns should I be aware of regarding LDAP?

Thanks.
ASKER CERTIFIED SOLUTION (dr_linux)
SOLUTION (Adam Brown)
SOLUTION
Tony, self-signed certificates are just as good as certificates generated through a Root CA. They still allow for SSL encryption and they still allow for server authentication. The difference is in cost and the fact that the certificate has to be deployed to clients and servers either manually or through a GPO.

Second, I never said NTLM and Kerberos are encryption protocols. They encrypt traffic by default.

Also, the AD tools in Windows do not *use* LDAP Simple bind after Windows 2000 SP3. If they have a third party tool that does so, then yes, it would be advantageous to use Secure LDAP. But all of the tools that come with Windows now utilize encryption by default.
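The difference between an LDAP simple bind and the Kerberos/SASL path discussed above is visible in the bind request itself: a simple bind carries the password as a plain OCTET STRING, so on port 389 without StartTLS it is readable by anyone on the path, while a SASL/GSSAPI bind carries a ticket instead. The Python below is an added example, not code from this thread or from any vendor: it encodes a few constructed BindRequest messages using the RFC 4511 BER layout, decodes them, and reports whether a cleartext password rides in the PDU. The DN, password and the `tls_protected` flag (standing in for "this session was LDAPS or StartTLS") are constructed assumptions for the demonstration.

```python
"""Added example: decode LDAP BindRequest PDUs (RFC 4511 BER encoding) and flag
cleartext simple binds.  All sample messages below are constructed here."""


# --- minimal BER helpers (LDAP uses definite-length encoding only) ---------
def ber_len(n: int) -> bytes:
    """Encode a BER definite length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next N bytes hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# --- tags from RFC 4511 ----------------------------------------------------
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0] OCTET STRING
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3] SaslCredentials


def build_bind_request(msg_id: int, dn: str, password: str = None, sasl_mech: str = None) -> bytes:
    """Encode an LDAPMessage carrying a BindRequest (used only to create sample input)."""
    if password is not None:
        auth = tlv(TAG_AUTH_SIMPLE, password.encode())
    else:
        auth = tlv(TAG_AUTH_SASL, tlv(TAG_OCTET_STRING, sasl_mech.encode()))
    bind = tlv(TAG_BIND_REQUEST,
               tlv(TAG_INTEGER, bytes([3])) + tlv(TAG_OCTET_STRING, dn.encode()) + auth)
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([msg_id])) + bind)


def inspect_bind(pdu: bytes) -> dict:
    """Parse one LDAPMessage and describe its bind; the password value is never copied out."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    info = {"message_id": int.from_bytes(mid, "big")}
    if op_tag != TAG_BIND_REQUEST:
        info["op"] = "other"
        return info
    _, ver, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    info.update(op="bind", version=ver[0], dn=dn.decode())
    if auth_tag == TAG_AUTH_SIMPLE:
        info["auth"] = "simple"
        info["cleartext_password_bytes"] = len(auth)   # length only, never the value
    elif auth_tag == TAG_AUTH_SASL:
        _, mech, _ = read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode()
        info["cleartext_password_bytes"] = 0
    else:
        info["auth"] = "unknown"
    return info


def assess_bind(pdu: bytes, tls_protected: bool) -> str:
    """Verdict for a bind seen on the wire; tls_protected means LDAPS or StartTLS was in effect."""
    info = inspect_bind(pdu)
    if info.get("op") != "bind":
        return "NOT-A-BIND"
    if info["auth"] == "sasl":
        return "SASL"          # e.g. GSSAPI: a Kerberos ticket is sent, not the password
    if info["cleartext_password_bytes"] == 0:
        return "ANONYMOUS"     # empty simple bind: nothing secret, but often unintended
    return "PROTECTED" if tls_protected else "EXPOSED"


# Constructed sample PDUs (no real accounts or passwords)
SIMPLE_BIND = build_bind_request(1, "cn=svc-backup,dc=example,dc=com", password="example-password")
SASL_BIND = build_bind_request(2, "", sasl_mech="GSSAPI")
ANON_BIND = build_bind_request(3, "", password="")

if __name__ == "__main__":
    for name, pdu in [("simple", SIMPLE_BIND), ("sasl", SASL_BIND), ("anonymous", ANON_BIND)]:
        print(name, inspect_bind(pdu), "port 389:", assess_bind(pdu, False),
              "LDAPS:", assess_bind(pdu, True))
```

The same simple-bind PDU is reported as EXPOSED on a plain port 389 session and PROTECTED once it travels inside LDAPS or after StartTLS; the SASL bind is never flagged because no password is present in the message at all. Run over bind requests carved from a packet capture, `assess_bind` is a quick way to find the third-party tools the post above refers to that still use simple bind without TLS.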
NYGiantsFan (asker):
Very good posting. Thanks all.

One quick question, regarding ACBrown's post:

You mentioned FIPS. Are you talking about US federal standards?
Yes. FIPS is the Federal Information Processing Standard. Generally, SSL is no longer considered FIPS compliant because of the vulnerabilities found in the MD5 hashing process, which is used for SSL key exchanges. If you require FIPS compliance you're supposed to use TLS instead of SSL. Usually only Federally owned networks and very high security private industries, like banking, require FIPS compliance.
Do you know the FIPS document or requirement that requires LDAP TLS standards? I looked for it, without success.
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

That's the document that goes over the requirements for encryption standards. I can't remember the exact passage and the whole thing reads *exactly* like a government document, so drink lots of coffee. If you have the security requirement to be FIPS compliant, then self-signed certs will take more work but they are cheaper. Only Windows 2003/2008 Enterprise version will allow you to build an Enterprise Root CA that can build and deploy SSL/TLS certificates automatically, and you'll want to have a Subordinate CA for security (best practice is to create the root CA, create a Subordinate CA, and turn the Root CA off). However, if you're going to go that route, you may as well go all the way and implement IPSec, which is a huge subject in itself. http://technet.microsoft.com/en-us/network/bb531150 can get you some information on implementing that.
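Two points from the thread translate directly into client configuration: a self-signed or private-CA certificate gives server authentication only if that certificate is actually deployed to the client's trust store, and a FIPS-minded deployment should negotiate TLS rather than legacy SSL. The Python below is an added example, not code from this thread or from Microsoft: it builds the LDAPS client context a defender would want (TLS 1.2 minimum, certificate required, hostname checked, trust anchored to a distributed CA bundle) next to the "encryption only" context that results when verification is switched off instead of deploying the certificate. The `ca_file` path and hostnames are assumptions.

```python
"""Added example: client-side TLS settings for LDAPS (port 636).  The hardened
context verifies the server against a CA bundle the organisation distributed;
the weak one encrypts but authenticates nobody.  Paths/hosts are assumptions."""
import socket
import ssl


def ldaps_client_context(ca_file: str = None) -> ssl.SSLContext:
    """TLS 1.2+ only, server certificate required and checked against the host name.

    ca_file: PEM bundle holding the private CA (or the self-signed server cert) that
    was pushed to clients by GPO or by hand; None falls back to the OS trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED             # authentication, not just encryption
    ctx.check_hostname = True                       # cert name must match the host dialled
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def encrypt_only_context() -> ssl.SSLContext:
    """What you get when a self-signed cert is NOT deployed and verification is disabled
    to make the connection 'work': traffic is encrypted, but any server can impersonate
    the directory.  Shown only for comparison; do not use for production binds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties that matter for the discussion above."""
    return {
        "min_tls": ctx.minimum_version.name,
        "server_authenticated": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


def open_ldaps(host: str, port: int = 636, ca_file: str = None) -> ssl.SSLSocket:
    """Open a verified TLS socket to an LDAPS server; LDAP PDUs then travel inside it.
    Fails with ssl.SSLCertVerificationError if the server's cert is not trusted."""
    raw = socket.create_connection((host, port), timeout=10)
    return ldaps_client_context(ca_file).wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", describe(ldaps_client_context()))
    print("encrypt-only:", describe(encrypt_only_context()))
```

Both contexts refuse anything older than TLS 1.2, so the FIPS concern raised above (legacy SSL) is addressed in either case; only the hardened one, however, delivers the server authentication the self-signed-certificate remark depends on, and it does so precisely because the certificate was distributed to the client as `ca_file`.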