Signing LDAP Without Certificate Services

Discussion in 'Active Directory' started by Irwin Fletcher, May 22, 2007.

  1. Is there any way to require that all LDAP traffic on a Server 2003
    domain controller is signed without having certificate services
    installed anywhere in the AD? I have several external apps that
    authenticate against my AD using LDAP. All of them have the ability
    to startTLS/SSL, but it appears that this won't work unless I have a
    certificate (from cert services?) installed. I was thinking it might be
    possible to use a self-generated cert?
    Irwin Fletcher, May 22, 2007

  2. Using self-signed certificates is generally always a bad idea since nothing
    will trust them by default. You don't need to install your own CA though.
    You can just buy SSL certificates from a commercial CA instead.

    You cannot force all LDAP clients to use SSL. In fact, most of the built-in
    components of Windows that use LDAP will not use SSL because it is not
    available by default. However, if you make SSL available, you can ask your
    external apps to use it.

    Note also that Windows clients have the ability to sign and encrypt LDAP
    traffic without SSL, as that is a feature that is built into Windows
    authentication and can be enabled. Some of the tools do this automatically,
    but not all.

    Joe K.
    Joe Kaplan, May 22, 2007

  3. I'm curious. Is this implemented as an LDAP extension? Or are you
    talking about LDAP SASL bind? Or completely Kerberized LDAP traffic?

    Ciao, Michael.
    Michael Ströder, May 23, 2007

  4. This is using the feature of Windows SSPI authentication to sign and encrypt
    the channel. Depending on the OS version, different authentication
    protocols will support signing and encryption at different strengths. As of
    XP and higher, Kerb, NTLM and Digest all support this with 128 bit cipher
    strength. Win2K had varying levels of support depending on the protocol
    used for the auth and the service pack level.

    Thus, if you use SASL auth with either GSS-SPNEGO or WDIGEST, you can use
    this feature over port 389 (or GC 3268 if desired). It also works with
    ADAM. To enable it, at the LDAP API level you set the appropriate object
    via ldap_set_option (LDAP_OPT_ENCRYPT, etc.). ADSI has matching flags in
    the auth enum (SIGNING, SEALING).

    Note that the traffic is not encrypted until after the bind, as the ability
    to establish the encryption/signing is implemented in the auth itself.

    It is pretty easy to play with this if you are curious. Ldp.exe makes it
    easy to see these behaviors.

    Obviously, if you use simple bind, you still need regular SSL or IPsec.
    Also, you can't use an SSL LDAP connection in conjunction with the SSPI
    encryption/signing. It won't let you do that.

    Joe K.
    Joe Kaplan, May 24, 2007
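The following PowerShell script is an added example, not code from the thread or from any of its participants. It shows the three client-side options Joe describes: a SASL (GSS-SPNEGO/Negotiate) bind on port 389 with SSPI signing and sealing turned on, a simple bind that instead relies on SSL on port 636, and the matching ADSI AuthenticationTypes flags. The .NET types (System.DirectoryServices.Protocols.LdapConnection, SessionOptions.Signing/Sealing, System.DirectoryServices.AuthenticationTypes) are real; the domain controller name dc01.example.local, the naming context DC=example,DC=local and the function names are assumptions made for the example.

```powershell
# Added example, not from the thread. Assumed names: dc01.example.local,
# DC=example,DC=local, and the function names below.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Add-Type -AssemblyName System.DirectoryServices

# 1. SASL (GSS-SPNEGO) bind on plain port 389 with SSPI signing and sealing.
#    This is the LDAP_OPT_SIGN / LDAP_OPT_ENCRYPT behaviour Joe describes:
#    the keys are negotiated during the bind, so traffic before the bind
#    completes is neither signed nor sealed.
function Connect-LdapSigned {
    param([string]$Server = 'dc01.example.local', [int]$Port = 389)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # integrity (SIGNING in ADSI terms)
    $conn.SessionOptions.Sealing = $true   # confidentiality (SEALING in ADSI terms)
    $conn.Bind()                            # binds with the caller's Windows token
    return $conn
}

# 2. Simple bind: the password crosses the wire in the clear unless the socket
#    is wrapped in SSL, so use port 636 and SecureSocketLayer. Do not also set
#    Signing/Sealing here: as the thread notes, SSPI signing/sealing cannot be
#    combined with an SSL session.
function Connect-LdapSimpleOverSsl {
    param(
        [string]$Server = 'dc01.example.local',
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    $conn.Bind()
    return $conn
}

# 3. The same signing/sealing request through ADSI, using the Signing and
#    Sealing members of the AuthenticationTypes enum.
function Get-AdsiRootSigned {
    param([string]$Path = 'LDAP://dc01.example.local/DC=example,DC=local')
    $flags = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::Signing -bor
             [System.DirectoryServices.AuthenticationTypes]::Sealing
    return New-Object System.DirectoryServices.DirectoryEntry($Path, $null, $null, $flags)
}

# Smoke test: base-scope search of the RootDSE over the sealed connection and
# list the SASL mechanisms the DC advertises (GSS-SPNEGO and DIGEST-MD5 are
# the ones the thread discusses).
$conn = Connect-LdapSigned
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            @('defaultNamingContext', 'supportedSASLMechanisms'))
$resp = $conn.SendRequest($req)
$resp.Entries[0].Attributes['supportedSASLMechanisms'].GetValues([string])
$conn.Dispose()
```

Run the script as a domain user on a domain-joined machine; the Negotiate bind uses that user's Kerberos ticket (or falls back to NTLM). To see the difference on the wire, capture port 389 with and without the two SessionOptions lines: with them set, everything after the bind exchange is opaque, which is the behaviour Ldp.exe also lets you toggle.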