Re: Signing LDAP Without Certificate Services



Using self-signed certificates is generally always a bad idea since nothing
will trust them by default. You don't need to install your own CA though.
You can just buy SSL certificates from a commercial CA instead.

You cannot force all LDAP clients to use SSL. In fact, most of the built-in
components of Windows that use LDAP will not use SSL because it is not
available by default. However, if you make SSL available, you can ask your
external apps to use it.

Note also that Windows clients have the ability to sign and encrypt LDAP
traffic without SSL, as that is a feature that is built into Windows
authentication and can be enabled. Some of the tools do this automatically,
but not all.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Irwin Fletcher" <ffletch@xxxxxxxxxxxxx> wrote in message
news:%23BCIkfInHHA.4424@xxxxxxxxxxxxxxxxxxxxxxx
Is there any way to require that all LDAP traffic on a Server 2003 domain
controller is signed without having certificate services installed
anywhere in the AD? I have several external apps that authenticate
against my AD using LDAP. All of them have the ability to startTLS/ssl
but it appears that this won't work unless I have a certificate (from cert
services?) installed. I was thinking it might be possible to use a self
generated cert?
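The two options Joe describes, signed/sealed LDAP on port 389 with Windows authentication and plain LDAPS on 636, can both be exercised from a Windows box with the .NET System.DirectoryServices.Protocols classes. The script below is an added example, not code from the thread or from Joe's book; it assumes PowerShell on a domain-joined client, a DC name you supply, and that the DC's signing policy lives in the well-known NTDS `LDAPServerIntegrity` registry value (1 = none, 2 = require signing).

```powershell
# Added example (not from the original post). Run on a domain-joined Windows host.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SignedLdapBind {
    # Binds over plain LDAP (389) but asks Windows authentication to sign and
    # seal the session. No certificate is needed on the DC for this to work.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 389)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true     # integrity
    $conn.SessionOptions.Sealing = $true     # confidentiality
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try { $conn.Bind(); $true } catch { Write-Warning $_.Exception.Message; $false }
    finally { $conn.Dispose() }
}

function Test-LdapsBind {
    # Binds over LDAPS (636). Fails with a TLS error if the DC has no server
    # certificate the client trusts, which is the situation the question describes.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try { $conn.Bind(); $true } catch { Write-Warning $_.Exception.Message; $false }
    finally { $conn.Dispose() }
}

function Get-LdapServerSigningRequirement {
    # DC-side setting behind the GPO "Domain controller: LDAP server signing
    # requirements". Run this on the DC itself; 2 rejects unsigned simple binds
    # on 389 while LDAPS and signed SASL binds keep working.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $raw  = (Get-ItemProperty -Path $key -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
    switch ($raw) { 2 { 'Require signing' } 1 { 'None' } default { "Not set (raw=$raw)" } }
}

# Usage (replace dc01.example.local with your DC):
# Test-SignedLdapBind -Server 'dc01.example.local'
# Test-LdapsBind      -Server 'dc01.example.local'
# Get-LdapServerSigningRequirement
```

Run the two bind tests against each external app's account before setting the DC to require signing, so you learn which clients already sign (or use LDAPS) and which would be cut off.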
