Secure SSL with LDAP and AD

Newsgroup: microsoft.public.windows.server.security
Subject: Secure SSL with LDAP and AD
Author: Tom Reis
Date: 05-20-2008
Posted by Tom Reis on May 20, 2008, 11:23 am
We are using Windows Server 2003 and Active Directory. We have an application
that needs to authenticate to LDAP using SSL because of the ability to
change passwords. I plan on using a self-signed certificate. My question is:
once you have installed the SSL certificate, do you always need to
authenticate to SSL LDAP, or is it just for applications that need it?



Posted by Joe Kaplan on May 20, 2008, 10:31 pm
It is just for applications that attempt to connect on the SSL port.
Nothing in the normal Windows platform uses SSL LDAP (since it isn't even
enabled by default) for anything, so only applications that opt in to use it
will be affected.

Note that a self-signed cert is probably a very poor choice, as nothing will
trust the cert by default and connections will fail by default because of
this. Self-signed certs are, generally speaking, only suitable for test lab
usage and don't really have a place in production environments. You'd be
better off buying a cheap SSL cert from GoDaddy or something if you don't
want to set up a CA.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
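
The failure mode Joe describes (a bind that is refused because the client does not trust the DC's certificate) can be checked from an admin workstation before an application is pointed at the server. The following PowerShell is an added example, not code from the thread or from Microsoft; the domain controller name is a placeholder, and the script uses the .NET System.DirectoryServices.Protocols classes to bind over port 636 and run the server certificate through the local machine's chain validation.

```powershell
# Added example (not from the thread): bind to a DC over LDAPS (port 636),
# capture the server certificate and report whether this machine trusts it.
# An unimported self-signed cert fails the chain build, and so fails the bind,
# exactly as a real application would see it.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcHost = 'dc01.example.com'   # placeholder, replace with your DC's FQDN
$script:serverCert  = $null
$script:chainStatus = @()

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcHost, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3

# Inspect the certificate but still enforce trust: returning $false here
# makes the bind fail, which is the default behaviour for any LDAPS client.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $cert)
    $script:serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok = $chain.Build($script:serverCert)
    $script:chainStatus = $chain.ChainStatus | ForEach-Object { $_.Status }
    return $ok
}

try {
    $conn.Bind()     # current Windows credentials (Negotiate) over the TLS session
    Write-Host "LDAPS bind to $dcHost succeeded; certificate chain is trusted."
} catch {
    Write-Host "LDAPS bind to $dcHost failed: $($_.Exception.Message)"
}

if ($script:serverCert) {
    $c = $script:serverCert
    $dnsName = $c.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    # The three properties below are what KB 321051 requires of a DC cert:
    # the DC's FQDN as the name, Server Authentication EKU, and a trusted chain.
    Write-Host "Subject      : $($c.Subject)"
    Write-Host "Issuer       : $($c.Issuer)"
    Write-Host "Self-signed  : $($c.Subject -eq $c.Issuer)"
    Write-Host "DNS name     : $dnsName (matches host: $($dnsName -eq $dcHost))"
    Write-Host "Valid until  : $($c.NotAfter)"
    $eku = $c.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Enhanced Key Usage' }
    Write-Host "EKU          : $(if ($eku) { $eku.Format($false) } else { '(none)' })"
    Write-Host "Chain status : $(if ($script:chainStatus) { $script:chainStatus -join ', ' } else { 'OK' })"
}
```

A chain status of UntrustedRoot with Self-signed = True is the case Joe warns about; importing that certificate into the client's Trusted Root Certification Authorities store, or issuing the DC cert from a CA the clients already trust, clears it.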



Posted by S. Pidgorny on May 23, 2008, 6:32 am
Note for the OP: http://support.microsoft.com/kb/321051 - How to enable
LDAP over SSL with a third-party certification authority. That applies to
self-signed certs as well. As an alternative to cheap commercial
certificates and self-signed, I'd consider a free online CA (i.e.
http://www.cacert.org); that's also ideal for testing.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



Posted by Joe Kaplan on May 23, 2008, 9:50 am
Thanks for the reference to that resource. I was unaware that such a thing
existed.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net


