Solved

Secure LDAP

Posted on 2016-08-22
8
36 Views
Last Modified: 2016-09-11
we have our Active Directory installed on windows 2012 r2 domain controllers. we have a vendor visiting us to install his product and has given us a list of prerequisite that should be ready before he starts the deployment. one of the requirements is

* AD configured to use LDAPs

do I need to do any changes in my active directory to support secure LDAP

or by default it supports this
0
Comment
Question by:Aamer-
  • 4
  • 3
8 Comments
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 100 total points (awarded by participants)
ID: 41765255
0
 
LVL 62

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41765445
Vendor should be referring to LDAP over SSL (LDAPS) - which is to make LDAP traffic secure. I believe they will want to make sure the SSL certificate is setuo and during their administration access making LDAPS call and checks, it will be secured as a baseline hardening - no plaintext during the transaction. AD already supports LDAPS, you just need to get the SSL ready and provisioned - for info if you are using a 3rd party issued SSL cert @ http://windowsitpro.com/active-directory/how-use-ldap-over-ssl-lock-down-ad-traffic
0
 

Author Comment

by:Aamer-
ID: 41765674
we are using a private PKI. is there any configuration I need to do on my domain controllers to support LDAPs
0
 

Author Comment

by:Aamer-
ID: 41765689
my AD is being used by many services. and there is only one application that requires LDAPs. if I configure my domain controllers for LDAPs will it not effect all the other services and clients.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 62

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41766158
Yes it will be to all service doing LDAPS. For e.g. LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.
0
 

Author Comment

by:Aamer-
ID: 41767346
To configure LDAPS, I think all I need to do in install certificates on all the domain controllers. my only question is once I configure LDAPs will clients and services that still use LDAP work as before or it is like a complete switch from ldap to ldaps. I have a subordinate enterprise CA in the domain and i can issue certificates to the domain controllers. will it effect services that are using LDAP. will it affect windows clients, exchange servers etc ect.
0
 
LVL 62

Accepted Solution

by:
btan earned 400 total points (awarded by participants)
ID: 41767982
Really depends on your client machine and applications as they can still do LDAP sonce DC does not enforce it unless you have firewall blocking 636.
But do note if the DC enable only LDAP signing then client machine do not use LDAPS or signing will fail to connect


If you configure this policy as None, the server will not require data signatures but will provide them if requested by the client. “Require signature” means the domain controller will only bind with clients that negotiate LDAP data-signing OR are using TLS/SSL
https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Domain-Controller-LDAP-server-signing-requirements
0
 
LVL 62

Expert Comment

by:btan
ID: 41793210
As guided and advised in the scope and things to watch out for in setup.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

937 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now