Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 87
  • Last Modified:

Secure LDAP

we have our Active Directory installed on windows 2012 r2 domain controllers. we have a vendor visiting us to install his product and has given us a list of prerequisite that should be ready before he starts the deployment. one of the requirements is

* AD configured to use LDAPs

do I need to do any changes in my active directory to support secure LDAP

or by default it supports this
0
Aamer-
Asked:
Aamer-
  • 4
  • 3
4 Solutions
 
btanExec ConsultantCommented:
Vendor should be referring to LDAP over SSL (LDAPS) - which is to make LDAP traffic secure. I believe they will want to make sure the SSL certificate is setuo and during their administration access making LDAPS call and checks, it will be secured as a baseline hardening - no plaintext during the transaction. AD already supports LDAPS, you just need to get the SSL ready and provisioned - for info if you are using a 3rd party issued SSL cert @ http://windowsitpro.com/active-directory/how-use-ldap-over-ssl-lock-down-ad-traffic
0
 
Aamer-Author Commented:
we are using a private PKI. is there any configuration I need to do on my domain controllers to support LDAPs
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
Aamer-Author Commented:
my AD is being used by many services. and there is only one application that requires LDAPs. if I configure my domain controllers for LDAPs will it not effect all the other services and clients.
0
 
btanExec ConsultantCommented:
Yes it will be to all service doing LDAPS. For e.g. LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.
0
 
Aamer-Author Commented:
To configure LDAPS, I think all I need to do in install certificates on all the domain controllers. my only question is once I configure LDAPs will clients and services that still use LDAP work as before or it is like a complete switch from ldap to ldaps. I have a subordinate enterprise CA in the domain and i can issue certificates to the domain controllers. will it effect services that are using LDAP. will it affect windows clients, exchange servers etc ect.
0
 
btanExec ConsultantCommented:
Really depends on your client machine and applications as they can still do LDAP sonce DC does not enforce it unless you have firewall blocking 636.
But do note if the DC enable only LDAP signing then client machine do not use LDAPS or signing will fail to connect


If you configure this policy as None, the server will not require data signatures but will provide them if requested by the client. “Require signature” means the domain controller will only bind with clients that negotiate LDAP data-signing OR are using TLS/SSL
https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Domain-Controller-LDAP-server-signing-requirements
0
 
btanExec ConsultantCommented:
As guided and advised in the scope and things to watch out for in setup.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now