Secure LDAP

We have our Active Directory installed on Windows 2012 R2 domain controllers. We have a vendor visiting us to install his product, and he has given us a list of prerequisites that should be ready before he starts the deployment. One of the requirements is:

* AD configured to use LDAPs

Do I need to make any changes in my Active Directory to support secure LDAP, or does it support this by default?

Aamer asked:

btan (Exec Consultant) commented:
The vendor should be referring to LDAP over SSL (LDAPS), which is used to make LDAP traffic secure. I believe they will want to make sure the SSL certificate is set up so that, during their administrative access, the LDAPS calls and checks they make are secured as a baseline hardening: no plaintext during the transaction. AD already supports LDAPS; you just need to get the SSL certificate ready and provisioned. For info if you are using a 3rd-party-issued SSL cert, see http://windowsitpro.com/active-directory/how-use-ldap-over-ssl-lock-down-ad-traffic
0
Aamer (Author) commented:
We are using a private PKI. Is there any configuration I need to do on my domain controllers to support LDAPS?
0

Aamer (Author) commented:
My AD is being used by many services, and there is only one application that requires LDAPS. If I configure my domain controllers for LDAPS, will it not affect all the other services and clients?
0
btan (Exec Consultant) commented:
Yes, it will apply to all services doing LDAPS. For example, LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.
0
Aamer (Author) commented:
To configure LDAPS, I think all I need to do is install certificates on all the domain controllers. My only question is: once I configure LDAPS, will clients and services that still use LDAP work as before, or is it a complete switch from LDAP to LDAPS? I have a subordinate enterprise CA in the domain and I can issue certificates to the domain controllers. Will it affect services that are using LDAP? Will it affect Windows clients, Exchange servers, etc.?
0
btan (Exec Consultant) commented:
It really depends on your client machines and applications, as they can still do plain LDAP, since the DC does not enforce LDAPS unless you have a firewall blocking 636.
But do note that if the DC enables LDAP signing only, then client machines that do not use LDAPS or signing will fail to connect:


If you configure this policy as None, the server will not require data signatures but will provide them if requested by the client. “Require signature” means the domain controller will only bind with clients that negotiate LDAP data-signing OR are using TLS/SSL
https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Domain-Controller-LDAP-server-signing-requirements
0
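As an added example (not from the thread), a Python probe that does what the answer describes: it completes a TLS handshake on TCP 636 and 3269 before any LDAP is sent, and checks that the certificate the DC presents names the DC's FQDN and is unexpired. The host name dc01.example.internal and the CA file path are assumptions; with a private PKI, pass the issuing chain file so verification can succeed.

```python
"""Probe a domain controller's LDAPS listeners (TCP 636 and the GC port 3269)
and check that the certificate it presents is usable by LDAP clients."""
import socket
import ssl
from datetime import datetime, timezone

LDAPS_PORTS = {"ldaps": 636, "gc-ldaps": 3269}   # ports named in the answer


def cert_matches_dc(cert, dc_fqdn, now=None):
    """Return a list of problems with a certificate dict in the shape returned by
    ssl.SSLSocket.getpeercert(); an empty list means it is acceptable.
    LDAPS clients match the DC's FQDN against the subjectAltName dNSName entries."""
    problems = []
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dc_fqdn.lower() not in sans:
        problems.append(f"FQDN {dc_fqdn} not in subjectAltName {sans}")
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # "Jan  1 00:00:00 2099 GMT"
    if now.timestamp() > not_after:
        problems.append("certificate expired on " + cert["notAfter"])
    return problems


def probe_ldaps(dc_fqdn, port=636, ca_file=None, timeout=5.0):
    """Complete a TLS handshake with the DC before any LDAP traffic, exactly as an
    LDAPS client would. Returns (ok, details). ca_file is the private PKI's chain;
    without it, verification against a private CA fails, which is the correct answer."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((dc_fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=dc_fqdn) as tls:
                problems = cert_matches_dc(tls.getpeercert(), dc_fqdn)
                if problems:
                    return (False, problems)
                return (True, [f"{dc_fqdn}:{port}: {tls.version()} handshake ok"])
    except (OSError, ssl.SSLError) as exc:
        # Refused/blocked port, untrusted chain or name mismatch all land here.
        return (False, [f"{dc_fqdn}:{port}: {exc}"])


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"  # assumed name
    ca = sys.argv[2] if len(sys.argv) > 2 else None                      # assumed CA chain
    for name, port in LDAPS_PORTS.items():
        ok, details = probe_ldaps(dc, port, ca)
        print(name, "OK" if ok else "FAIL", *details)
```

Run it from a client that trusts the enterprise CA (or pass the CA chain file as the second argument); a failure on 636 with a success on 3269, or vice versa, usually means the DC holds a certificate but the global catalog role or the certificate's name does not match.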

btan (Exec Consultant) commented:
As guided and advised in the scope and things to watch out for in setup.
0