Solved

Secure LDAP

Posted on 2016-08-22
43 Views
Last Modified: 2016-09-11
We have our Active Directory installed on Windows 2012 R2 domain controllers. We have a vendor visiting us to install his product, and he has given us a list of prerequisites that should be ready before he starts the deployment. One of the requirements is:

* AD configured to use LDAPs

Do I need to make any changes in my Active Directory to support secure LDAP, or does it support this by default?
Question by:Aamer-
8 Comments
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 100 total points (awarded by participants)
ID: 41765255
0
 
LVL 62

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41765445
The vendor should be referring to LDAP over SSL (LDAPS), which is to make LDAP traffic secure. I believe they will want to make sure the SSL certificate is set up, and during their administration access, making LDAPS calls and checks, it will be secured as a baseline hardening: no plaintext during the transaction. AD already supports LDAPS; you just need to get the SSL certificate ready and provisioned. For info if you are using a third-party issued SSL cert: http://windowsitpro.com/active-directory/how-use-ldap-over-ssl-lock-down-ad-traffic
0
 

Author Comment

by:Aamer-
ID: 41765674
We are using a private PKI. Is there any configuration I need to do on my domain controllers to support LDAPS?
0

Author Comment

by:Aamer-
ID: 41765689
My AD is being used by many services, and there is only one application that requires LDAPS. If I configure my domain controllers for LDAPS, will it not affect all the other services and clients?
0
 
LVL 62

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41766158
Yes, it will be for all services doing LDAPS. For example, LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.
0
 

Author Comment

by:Aamer-
ID: 41767346
To configure LDAPS, I think all I need to do is install certificates on all the domain controllers. My only question is: once I configure LDAPS, will clients and services that still use LDAP work as before, or is it like a complete switch from LDAP to LDAPS? I have a subordinate enterprise CA in the domain and I can issue certificates to the domain controllers. Will it affect services that are using LDAP? Will it affect Windows clients, Exchange servers, etc.?
0
 
LVL 62

Accepted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41767982
Really depends on your client machines and applications, as they can still do LDAP since the DC does not enforce it unless you have a firewall blocking 636.
But do note that if the DC enables LDAP signing only, then client machines that do not use LDAPS or signing will fail to connect.

"If you configure this policy as None, the server will not require data signatures but will provide them if requested by the client. 'Require signature' means the domain controller will only bind with clients that negotiate LDAP data-signing OR are using TLS/SSL."
https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Domain-Controller-LDAP-server-signing-requirements
0
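An added example, not from this thread or any of its participants, of how an admin could verify the two points btan makes above: that TLS is negotiated on 636 and 3269 before any LDAP traffic, and which signing policy the DC actually enforces (the only setting that would break existing plain-LDAP clients). $DcName is a placeholder, and the registry check assumes WinRM access to the DC.

```powershell
# Added example, not from this thread. Assumes a domain-joined admin shell and
# WinRM access to the DC; $DcName is a placeholder to replace with a real DC FQDN.
param([string]$DcName = 'dc01.example.local')

function Test-LdapsPort {
    param([string]$Server, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # On 636/3269 TLS is negotiated before any LDAP message is exchanged, so a
        # plain TLS handshake is enough to see which certificate the DC presents.
        # AuthenticateAsClient throws if the chain is not trusted by this client,
        # which is what a private-PKI root that was never distributed looks like.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Port     = $Port
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    } catch {
        [pscustomobject]@{ Port = $Port; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

function Get-LdapSigningPolicy {
    param([string]$Server)
    # LDAPServerIntegrity under NTDS\Parameters: 1 = None, 2 = Require signing.
    # Only "Require signing" rejects clients that neither sign nor use LDAPS;
    # merely installing a certificate leaves plain LDAP on 389 working as before.
    $value = Invoke-Command -ComputerName $Server -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    }
    switch ([int]$value) {
        2       { 'Require signing: unsigned, non-TLS binds are rejected' }
        default { 'None: plain LDAP still accepted; LDAPS offered alongside it' }
    }
}

# 636 = LDAPS, 3269 = LDAPS to the global catalog (only listening on GC-enabled DCs)
636, 3269 | ForEach-Object { Test-LdapsPort -Server $DcName -Port $_ } | Format-List
Get-LdapSigningPolicy -Server $DcName
```

A handshake error on 636 after the certificate is installed usually means the issuing CA's root is not in the client's trusted store, or the certificate's subject/SAN does not match the DC's FQDN.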
 
LVL 62

Expert Comment

by:btan
ID: 41793210
As guided and advised in the scope and things to watch out for in setup.
0
