microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late!
Posted by Tom Reis on May 20, 2008, 11:23 am
We are using Windows Server 2003 and Active Directory. We have an application
that needs to authenticate to LDAP using SSL because of the ability to
change passwords. I plan on using a self-signed certificate. My question is
that, once you have installed the SSL certificate do you always need to
authenticate to SSL LDAP or is it just for applications that need it?
Posted by Joe Kaplan on May 20, 2008, 10:31 pm
It is just for applications that attempt to connect on the SSL port.
Nothing in the normal Windows platform uses SSL LDAP (since it isn't even
enabled by default) for anything, so only applications that opt in to use it
will be affected.
Note that a self signed cert is probably a very poor choice as nothing will
trust the cert by default and connections will fail by default because of
this. Self signed certs are generally speaking only suitable for test lab
usage and don't really have a place in production environments. You'd be
better off buying a cheap SSL cert from GoDaddy or something if you don't
want to set up a CA.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net --
> We are using Windows Server 2003 and Active Directory. We have an
> application that needs to authenticate to LDAP using SSL because of the
> ability to change passwords. I plan on using a self-signed certificate. My
> question is that, once you have installed the SSL certificate do you
> always need to authenticate to SSL LDAP or is it just for applications
> that need it?
>
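A client-side check for the behaviour described in the answer above, added here as an example and not part of the original posts: it connects to the LDAPS port and reports whether the server certificate passes the client's default trust validation. The function name `Test-LdapsCertificateTrust` and the host `dc01.example.test` are hypothetical placeholders.

```powershell
# Added example. Test-LdapsCertificateTrust and dc01.example.test are
# hypothetical names; substitute your domain controller's FQDN.
function Test-LdapsCertificateTrust {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 636   # LDAP over SSL port
    )
    $seen = @{ PolicyErrors = $null; ChainStatus = @(); Cert = $null }
    # Record what the platform's chain builder decided, then accept the
    # handshake only if it found no problems (what a default client does).
    $validate = {
        param($source, $cert, $chain, $policyErrors)
        $seen.PolicyErrors = $policyErrors
        $seen.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $seen.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validate

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        try {
            $ssl.AuthenticateAsClient($Server)   # name is checked against the cert
            $handshake = 'Succeeded'
        } catch {
            $handshake = 'Failed: ' + $_.Exception.Message
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Close()
    }
    [pscustomobject]@{
        Server       = $Server
        Handshake    = $handshake
        PolicyErrors = $seen.PolicyErrors   # e.g. RemoteCertificateChainErrors
        ChainStatus  = $seen.ChainStatus -join ', '   # e.g. UntrustedRoot
        Subject      = $seen.Cert.Subject
        Issuer       = $seen.Cert.Issuer
        NotAfter     = $seen.Cert.NotAfter
    }
}

Test-LdapsCertificateTrust -Server 'dc01.example.test'
```

Run it from the machine that hosts the application, since trust is decided by that machine's certificate store, not the domain controller's.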
Posted by S. Pidgorny on May 23, 2008, 6:32 am
Note for the OP: http://support.microsoft.com/kb/321051 - How to enable
LDAP over SSL with a third-party certification authority. That applies to
self-signed certs as well. As an alternative to cheap commercial
certificates and self-signed ones, I'd consider a free online CA (i.e.
http://www.cacert.org), which is also ideal for testing.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
> It is just for applications that attempt to connect on the SSL port.
> Nothing in the normal Windows platform uses SSL LDAP (since it isn't even
> enabled by default) for anything, so only applications that opt in to use
> it will be affected.
> Note that a self signed cert is probably a very poor choice as nothing
> will trust the cert by default and connections will fail by default
> because of this. Self signed certs are generally speaking only suitable
> for test lab usage and don't really have a place in production
> environments. You'd be better off buying a cheap SSL cert from GoDaddy or
> something if you don't want to set up a CA.
> Joe K.
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
>> We are using Windows Server 2003 and Active Directory. We have an
>> application that needs to authenticate to LDAP using SSL because of the
>> ability to change passwords. I plan on using a self-signed certificate.
>> My question is that, once you have installed the SSL certificate do you
>> always need to authenticate to SSL LDAP or is it just for applications
>> that need it?
>
Posted by Joe Kaplan on May 23, 2008, 9:50 am
Thanks for the reference to that resource. I was unaware that such a thing
existed.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net --