Re: Default Security for LDAP
- From: "Anthony" <anthony.spam@xxxxxxxxxxxxxx>
- Date: Tue, 28 Aug 2007 11:57:16 +0100
You are right of course, it depends on the code. I thought he meant the
application was doing a simple LDAP lookup, but thinking about it, if it's on
IIS and the users are in AD I don't know why they would need to do that.
Anthony,
http://www.airdesk.co.uk
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23rjPPEM6HHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
That is actually not totally true. It depends on how the client (the IIS
machine in this case) performs the LDAP operation. AD supports LDAP bind
with both plaintext credentials (LDAP simple bind as per LDAP v3 spec) and
using Windows Negotiate authentication which uses Kerberos or NTLM and is
secure by default in that plaintext credentials are not sent on the wire.
Given that they are using IIS, they could be using one of Microsoft's LDAP
API stacks (wldap32, ADSI, .NET, etc.) and thus could have access to
secure authentication via LDAP. However, this is not guaranteed.
As such, whether or not you really need SSL or some other transport layer
security option between the web server and AD depends on the code that
they are executing.
For safety, you might consider implementing SSL on your DCs and asking
these clients to use it, but this is not absolutely required. If you want
more details, please provide more info on the actual code implementation.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
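The bind choices Joe describes, shown as an added PowerShell example (not code from this thread or from any of its authors). It uses the .NET System.DirectoryServices.Protocols stack, one of the Microsoft LDAP APIs an IIS application could be using, and makes the three cases explicit: an LDAP simple bind on port 389 (password in the clear), a Windows Negotiate bind (Kerberos or NTLM, no plaintext password on the wire), and a simple bind wrapped in TLS on port 636 (needs a server certificate on the DC, as Anthony said). The second function is a check for the DC side. The server name, port numbers and the credential are placeholders; run it on a domain-joined Windows host.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell on a
# domain-joined machine; dc01.example.com and the account are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)]
        [ValidateSet('SimplePlaintext', 'Negotiate', 'SimpleOverLdaps')] [string] $Mode
    )
    # LDAPS (TLS from the first byte) lives on 636; everything else here uses 389.
    $port = if ($Mode -eq 'SimpleOverLdaps') { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $net  = $Credential.GetNetworkCredential()

    switch ($Mode) {
        'SimplePlaintext' {
            # LDAP v3 simple bind over a cleartext TCP connection: the password is sent
            # in the clear. AD accepts a UPN, DN or DOMAIN\user as the bind name.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $cred = New-Object System.Net.NetworkCredential($net.UserName, $net.Password)
        }
        'Negotiate' {
            # Windows Negotiate (Kerberos, falling back to NTLM). No plaintext password
            # crosses the wire; signing/sealing also protects the searches after the bind.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $true
            $conn.SessionOptions.Sealing = $true
            $cred = New-Object System.Net.NetworkCredential($net.UserName, $net.Password, $net.Domain)
        }
        'SimpleOverLdaps' {
            # Same simple bind, but inside TLS. The DC needs a server certificate the
            # client trusts; otherwise the TLS handshake fails before the bind is sent.
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $cred = New-Object System.Net.NetworkCredential($net.UserName, $net.Password)
        }
    }

    try {
        $conn.Bind($cred)
        [pscustomobject]@{ Mode = $Mode; Port = $port; Result = 'bound' }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        [pscustomobject]@{ Mode = $Mode; Port = $port; Result = "failed: $($_.Exception.Message)" }
    }
    finally {
        $conn.Dispose()
    }
}

function Get-PlaintextLdapBinds {
    # DC-side check. Event 2889 in the Directory Service log is written for each client
    # that did a simple bind on a non-TLS connection or a SASL bind without signing, but
    # only when the "16 LDAP Interface Events" NTDS diagnostics level is 2 or higher
    # (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics). Run this on the DC.
    param([int] $MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The message text names the client IP:port, the identity it bound as,
            # and the binding type; keep it whole rather than assuming a field layout.
            [pscustomobject]@{ Time = $_.TimeCreated; Detail = $_.Message }
        }
}

# Usage (placeholder names):
# $c = Get-Credential 'EXAMPLE\charles'
# 'SimplePlaintext', 'Negotiate', 'SimpleOverLdaps' |
#     ForEach-Object { Test-LdapBind -Server 'dc01.example.com' -Credential $c -Mode $_ }
# Get-PlaintextLdapBinds | Format-List
```

Only run the SimplePlaintext case on a lab network or with a throwaway account; it exists here to make the difference visible in a packet capture, where the bind request on 389 carries the password as a readable string while the Negotiate and 636 cases do not. If the web application's code turns out to use the Negotiate path, the LDAPS certificate on the DC protects the rest of the session but is not what keeps the password off the wire.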
"Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message
news:ewp829L6HHA.3716@xxxxxxxxxxxxxxxxxxxxxxx
Charles,
Yes, the LDAP request containing the credentials is not encrypted. You
should use LDAPS if you want to encrypt it. You need a certificate on the
DC to do that.
The username and password will also be passed from the browser to the web
server in clear text unless you use SSL. For that, you need a certificate
on the web server. If you use Basic authentication, every request
contains the credentials so you need to SSL everything that requires
authentication. If you use a custom authentication you may be able to SSL
just the authentication exchange, which will reduce your overheads.
Hope that helps,
Anthony,
http://www.airdesk.co.uk
"Charles" <Charles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:89AE8EA8-F73E-4EDE-AC2C-2A549DBFCAEE@xxxxxxxxxxxxxxxx
Hi:
I have a group in my org that is using a web application that uses IIS.
Users in the domain will be accessing this site and access will be granted
depending on if they are able to enter credentials successfully (AD
credentials). Under the covers LDAP will be used to contact AD to validate
the credentials of the users.
My question is: by default, are the credentials passed as clear text?
Interested in protecting the user's password when it gets entered by the user
and it gets transmitted to the Web site. And interested in this user's
password when it gets sent from the website to AD via LDAP to verify the
credentials.
Will LDAP pass the password as clear text? And will the interactions
between the user and the website, as far as the password goes, be protected as
well?
If I enable SSL, does this just encrypt the password traveling between the
user's workstation and the website, or also as it travels between the website and
AD?
Thanks,
Charles