Require Certificate so LDAP is not sending in clear text

Posted on 2011-04-28
Last Modified: 2012-06-27
I am trying to develop the best solution. To the best of my understanding, AD LDAP sends passwords in clear text. We have a Unix-based app that uses LDAP to talk to AD. I was told that to correct this, a certificate needs to be configured. Does anyone have any instructions for using a self-signed certificate to facilitate this?
Question by: ullmanneric
    LVL 12

    Accepted Solution

    AD itself has encrypted passwords and does not send them in clear text. For testing you can use Wireshark or Cain to check whether the password is in clear text or encrypted.

    OpenLDAP or Directory Server on Linux requires a certificate for encryption. I have used that, but I have never used a certificate with Windows AD when I have configured authentication against Active Directory.

    A Windows guy will suggest the steps for certificate creation and installation, and he will also correct my statement regarding AD if I am wrong.
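    The accepted answer suggests checking with Wireshark or Cain whether the bind actually goes over in clear text. The example below is added here and is not code from the thread: it takes the raw bytes of an LDAP PDU (for instance the TCP payload exported from a port-389 capture), decodes just enough BER per RFC 4511 to reach the BindRequest's authentication choice, and reports whether it is a simple bind (the password sits in the message as an octet string) or a SASL bind, and whether the transport (port 636, or a STARTTLS seen earlier) protected it. The two PDUs, the DN CN=svc-app,OU=Service,DC=example,DC=local, the password and the token are constructed samples; the decoder never returns the password itself.

```python
"""Classify an LDAP bind request as it appears on the wire (RFC 4511 / BER).

Added example: assumes the caller already has the raw LDAP PDU bytes, e.g. the
TCP payload exported from a Wireshark capture of port 389. Only enough BER is
decoded to reach the BindRequest's authentication choice; nothing is sent.
"""

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_AUTH_SIMPLE = 0x80    # [0] primitive: the password itself, unencrypted
TAG_AUTH_SASL = 0xA3      # [3] constructed: SaslCredentials (mechanism, token)


def read_tlv(buf, pos=0):
    """Read one BER tag-length-value starting at buf[pos]; return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (0x81 nn, 0x82 nn nn, ...)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:end], end


def parse_bind_request(pdu):
    """Describe the bind in an LDAPMessage, or return None if it is not a BindRequest."""
    tag, body, _ = read_tlv(pdu)
    if tag != TAG_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, msg_id, pos = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("messageID missing")
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != TAG_BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op)           # version INTEGER
    _, name, pos = read_tlv(op, pos)         # name LDAPDN (OCTET STRING)
    auth_tag, auth, _ = read_tlv(op, pos)    # AuthenticationChoice
    info = {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),
        "auth": "unknown",
        "mechanism": None,
        "password_in_clear": False,          # the password itself is never returned
    }
    if auth_tag == TAG_AUTH_SIMPLE:
        info["auth"] = "simple"
        info["password_in_clear"] = len(auth) > 0   # empty simple = anonymous bind
    elif auth_tag == TAG_AUTH_SASL:
        _, mech, _ = read_tlv(auth)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode("ascii")
    return info


def assess(info, port, starttls_seen=False):
    """Defender's verdict for one bind, given the transport it was observed on."""
    if info is None:
        return "not a bind request"
    protected = port == 636 or starttls_seen
    if info["auth"] == "simple" and info["password_in_clear"]:
        if protected:
            return "simple bind inside TLS: password protected by the session"
        return "simple bind over plain LDAP: password readable on the wire"
    if info["auth"] == "sasl":
        return ("SASL %s bind: protection depends on the mechanism "
                "(GSSAPI and DIGEST-MD5 do not send the password itself)" % info["mechanism"])
    return "anonymous or unauthenticated bind"


def tlv(tag, value):
    """Tiny BER encoder used only to construct the sample PDUs below."""
    if len(value) >= 128:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(value)]) + value


# Constructed sample PDUs; the DN, password and token are made up for this example.
SIMPLE_BIND = tlv(TAG_SEQUENCE,
    tlv(TAG_INTEGER, b"\x01")
    + tlv(TAG_BIND_REQUEST,
          tlv(TAG_INTEGER, b"\x03")
          + tlv(TAG_OCTET_STRING, b"CN=svc-app,OU=Service,DC=example,DC=local")
          + tlv(TAG_AUTH_SIMPLE, b"sample-password")))

SASL_BIND = tlv(TAG_SEQUENCE,
    tlv(TAG_INTEGER, b"\x02")
    + tlv(TAG_BIND_REQUEST,
          tlv(TAG_INTEGER, b"\x03")
          + tlv(TAG_OCTET_STRING, b"")
          + tlv(TAG_AUTH_SASL,
                tlv(TAG_OCTET_STRING, b"GSSAPI")
                + tlv(TAG_OCTET_STRING, b"constructed-gssapi-token"))))

if __name__ == "__main__":
    for pdu, port in ((SIMPLE_BIND, 389), (SIMPLE_BIND, 636), (SASL_BIND, 389)):
        print(port, assess(parse_bind_request(pdu), port))
```

    The point of the `assess` step is that the same simple bind is fine on 636 and a problem on 389: the BindRequest encoding does not change, only the transport around it does, which is why the certificate question in the thread matters.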
    LVL 76

    Expert Comment

    Must it be LDAP, or can the unix/linux system be integrated into AD using winbindd?

    As far as certificates go, you can install the Windows CA and configure it as either an enterprise CA or a standalone CA, and use it to issue/sign certificates for internal use.


    Author Comment

    Yes, it has to be LDAP due to the version of software we are using.
    LVL 76

    Expert Comment

    Do you have a CA installed on your AD?

    You can also use openssl on the Unix/Linux side to generate a self-signed certificate for use by the application/ldap.conf and configure it within AD as a trusted CA.
    LVL 16

    Expert Comment

    Here is a short walk-through on Windows 2003 to create a self-signed certificate for LDAP communications:

    Enable LDAP SSL with Active Directory in Windows 2003

    Then instead of talking to AD using port 389, use port 636.
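    Two of the comments above point at the Unix side of the fix: a self-signed certificate referenced from the application's ldap.conf, and talking to AD on 636 instead of 389. The example below is added here and is not code from the thread. It is a small audit of an OpenLDAP-style ldap.conf that shows a configuration which still binds in clear text beside one that uses LDAPS on 636 with the domain controller's self-signed certificate pinned as TLS_CACERT. Directive names (URI, TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT and its default of demand) are those of ldap.conf(5); the host dc1.example.local, the certificate path and both sample configs are constructed. The thread does not say which ldap.conf the asker's application reads, so the `client_starttls` flag is an assumption the caller has to supply.

```python
"""Audit an OpenLDAP-style ldap.conf for binds that would reach AD in clear text.

Added example. Directives are those documented in ldap.conf(5): URI, TLS_CACERT,
TLS_CACERTDIR, TLS_REQCERT. Which ldap.conf the application on the page reads is
not stated there, so the two configs below are constructed samples.
"""
from urllib.parse import urlsplit


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} for non-comment lines; directive names are upper-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text, client_starttls=False):
    """Return a list of findings; an empty list means the bind is protected and verified.

    client_starttls: set True only when the application is known to issue STARTTLS on
    an ldap:// URI. ldap.conf cannot express that; it depends on the client program.
    """
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("URI", "").split()
    if not uris:
        findings.append("no URI set: the client falls back to plain ldap:// on port 389")
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldap" and not client_starttls:
            findings.append(f"{uri}: plain LDAP without STARTTLS, a simple bind sends the "
                            "password in clear text")
        elif scheme not in ("ldap", "ldaps"):
            findings.append(f"{uri}: unexpected URI scheme")
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # 'demand' is the ldap.conf(5) default
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified, so TLS "
                        "protects against sniffing only, not against a spoofed DC")
    elif "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append(f"TLS_REQCERT {reqcert} but no TLS_CACERT/TLS_CACERTDIR: verification "
                        "cannot succeed; point it at the DC's self-signed certificate or its CA")
    return findings


# Constructed sample: the "it just works" config many installs end up with.
WEAK_CONF = """\
BASE        dc=example,dc=local
URI         ldap://dc1.example.local
TLS_REQCERT never
"""

# Constructed sample: LDAPS on 636 with the DC's self-signed certificate as the trust anchor.
HARDENED_CONF = """\
BASE        dc=example,dc=local
URI         ldaps://dc1.example.local:636
TLS_CACERT  /etc/openldap/certs/dc1-selfsigned.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_ldap_conf(conf) or ["ok"])
```

    With a self-signed certificate the usual shortcut is `TLS_REQCERT never` to make the bind succeed; the audit flags that because it keeps the password off the wire but lets any host answering on 636 impersonate the DC. Exporting the DC's certificate once and pointing TLS_CACERT at it keeps `demand` working without a full CA.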
    LVL 5

    Expert Comment

    In Windows 2008, plain LDAP is disabled by default, and this is the current standard in most enterprises.

    Author Comment

    So in 2008 what is the standard vs. the standard on 2003? Is just the username sent in clear text?
