

Require Certificate so LDAP is not sending in clear text

Posted on 2011-04-28
Medium Priority
Last Modified: 2012-06-27
I am trying to develop the best solution. To the best of my understanding, AD LDAP sends passwords in clear text. We have a Unix-based app that uses LDAP to talk to AD. I was told that to correct this, a certificate needs to be configured for it to work. Does anyone have instructions for using a self-signed certificate to facilitate this?
Question by:ullmanneric
LVL 12

Accepted Solution

upanwar earned 2000 total points
ID: 35488606
AD itself encrypts the password and does not send it in clear text. For testing, you can use Wireshark or Cain to check whether the password is sent in clear text or encrypted.

OpenLDAP or Directory Server on Linux require a certificate for encryption. I have used that, but I have never used a certificate with Windows AD when I have configured authentication against Active Directory.

A Windows guy will suggest the steps for certificate creation and installation, and he will also correct my statement regarding AD if I am wrong.
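The capture check suggested above, as an added worked example that is not part of the original thread: a minimal BER encoder/decoder for the LDAPv3 BindRequest (RFC 4511) that builds the same PDUs a Unix app would emit on port 389 and then scans them the way you would scan a Wireshark capture. The DN, the password, the truncated GSSAPI token and the TLS record header are all constructed sample data, not from any real capture. A simple bind carries the password as a plain OCTET STRING; a SASL (e.g. GSSAPI/Kerberos) bind carries an opaque blob; an LDAPS (636) or post-StartTLS session shows only TLS records, so the scan finds nothing.

```python
"""Constructed example: does an LDAP BindRequest carry a clear-text password?

Tags used: 0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING,
0x60 [APPLICATION 0] BindRequest, 0x80 simple [0], 0xA3 sasl [3].
"""


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER in minimal two's-complement form."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }.
    This is what a plain simple bind on port 389 puts on the wire."""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))


def sasl_bind(msg_id: int, dn: str, mechanism: str, credentials: bytes) -> bytes:
    """Same envelope, but authentication is sasl [3] { mechanism, credentials }."""
    sasl = tlv(0x04, mechanism.encode()) + tlv(0x04, credentials)
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0xA3, sasl)
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def looks_like_tls(buf: bytes) -> bool:
    """TLS records start with content type 0x14..0x17 and major version 0x03;
    that is all a capture of LDAPS or a StartTLS session shows."""
    return len(buf) >= 3 and 0x14 <= buf[0] <= 0x17 and buf[1] == 0x03


def inspect_bind(pdu: bytes) -> dict:
    """Parse one LDAPMessage; if it is a BindRequest, report how it authenticates."""
    if looks_like_tls(pdu):
        return {"bind": False, "encrypted": True}
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, raw_id, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    info = {"message_id": int.from_bytes(raw_id, "big", signed=True),
            "bind": tag == 0x60, "encrypted": False}
    if tag != 0x60:
        return info
    _, raw_ver, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    info.update(version=int.from_bytes(raw_ver, "big"), name=name.decode())
    if auth_tag == 0x80:                  # simple [0]: the password is right there
        info.update(method="simple", cleartext_password=auth.decode())
    elif auth_tag == 0xA3:                # sasl [3]: mechanism name plus opaque blob
        _, mech, _ = read_tlv(auth, 0)
        info.update(method="sasl/" + mech.decode(), cleartext_password=None)
    else:
        info.update(method="unknown", cleartext_password=None)
    return info


def find_cleartext_binds(pdus):
    """(message id, DN, password) for every simple bind in a list of port-389 PDUs."""
    hits = []
    for pdu in pdus:
        info = inspect_bind(pdu)
        if info.get("cleartext_password") is not None:
            hits.append((info["message_id"], info["name"], info["cleartext_password"]))
    return hits


# Constructed "capture": one simple bind, one Kerberos SASL bind, one TLS record.
SAMPLE_PDUS = [
    simple_bind(1, "CN=ldapsvc,OU=Service,DC=corp,DC=example", "Winter2011!"),
    sasl_bind(2, "", "GSSAPI", b"\x60\x81\x00"),   # made-up, truncated token
    b"\x16\x03\x01\x00\x2f" + b"\x00" * 47,        # TLS ClientHello record header
]

if __name__ == "__main__":
    for hit in find_cleartext_binds(SAMPLE_PDUS):
        print("clear-text simple bind: id=%d dn=%s password=%s" % hit)
```

Run it and the simple bind is reported with its DN and password, while the GSSAPI bind and the TLS record are not; that is exactly the difference you would see in Wireshark between a Unix app doing a simple bind on 389 and the same app on 636.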
LVL 81

Expert Comment

ID: 35488733
Must it be LDAP, or can the Unix/Linux system be integrated into AD using winbindd?

As far as certificates, you can install the Windows CA and configure it as either an enterprise CA or a standalone CA, and use it to issue/sign certificates for internal use.


Author Comment

ID: 35488779
Yes, it has to be LDAP due to the version of software we are using.

LVL 81

Expert Comment

ID: 35490163
Do you have a CA installed on your AD?

You can also use openssl on the Unix/Linux side to generate a self-signed certificate for use by the application/ldap.conf and configure it within AD as a trusted CA.
LVL 16

Expert Comment

ID: 35491439
Here is a short walk-through on Windows 2003 to create a self-signed certificate for LDAP communications:

Enable LDAP SSL with Active Directory in Windows 2003

Then instead of talking to AD using port 389, use port 636.

Expert Comment

ID: 35493020
In Windows 2008, plain LDAP is disabled by default, and it is the current standard in most enterprises.

Author Comment

ID: 35498409
So in 2008 what is the standard vs. the standard on 2003? Are just the usernames sent in clear text?
