JefTek | Posts: 48 | 02/14/2008 4:35 PM
I recently had a discussion on the security value of secure LDAP in a Switched Network environment, and I thought I would share my observations with this group.
You can view my post on LDAP over SSL/TLS: How secure is your Directory?
I was looking for some feedback on what I may have gotten wrong or missed in order to drive my point home on how simple binds should be secured through some form of TLS.
Thanks,
Jef Kazimer
-------
http://www.jeftek.com
joe | Posts: 84 | 02/14/2008 9:02 PM
I posted a comment.
I totally agree with your assessment and added a follow-up reference here:
http://www.joekaplan.net/ADAMCanBeForcedToOnlyAllowSimpleBindOnASecureChannel.aspx
Joe
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
JefTek | Posts: 48 | 02/14/2008 10:07 PM
Thanks Joe, I added both links to the post for future readers. It always astounds me how it's bad practice and policy that spoils the name of good technology.
One thing I was recently working on was trying to migrate applications from LDAP to LDAPS on an ADAM server. I was going to use a replica instance of the same partition, in hopes of setting the RequireSecureSimpleBinds flag, but unfortunately this is set in the configuration context, which means it is replicated to each replica in the NC. Is there a per-server setting possible to require a similar function?
I suppose I could just firewall 389 on the box if I had to, to keep apps from using it.
I noticed the link I originally posted doesn't show up in plaintext email in your reply below, so I am reposting the URL.
http://www.jeftek.com/iam/activedirectory/ldap-over-ssl-tls-how-secure-is-your-directory/
Jef Kazimer
-------
http://www.jeftek.com
joe | Posts: 84 | 02/14/2008 11:18 PM
I have no idea if there is a way to do that setting per replica. I'm guessing that someone like Dmitri or Eric would know better. I'm pretty certain I learned about the feature from one of them in the first place.
Do you really have a use case where you need to allow insecure simple binds on some servers but not others?
Joe
JefTek | Posts: 48 | 02/14/2008 11:53 PM
Joe,
I'm still working out the feasibility of where I could use such a thing to corral some applications. There will be applications which cannot use LDAPS so we may have tighter controls around the server that accepts just LDAP (Well they all accept LDAPS). The idea was to set the other replicas to require secure LDAP for simple binds, and have another server where it is not required for those poorly written applications.
It sounds like the only way would be just governance like you had suggested by being able to track via some event, to catch the naughty apps.
Also I suppose since these directories are built from MIIS, it would be nothing to create another ADAM instance that requires secure bind, and just provision the same data into there. I guess I was just looking for a short cut to use the same replica sets.
Thanks!
Jef Kazimer
-------
http://www.jeftek.com
joe | Posts: 84 | 02/15/2008 12:38 AM
This could definitely be something you just try to solve with the firewall.

It is a curious thing to consider what the incremental effort would be of having a separate ADAM instance built from MIIS vs. an ADAM instance that is a replica in a configuration set which is based on MIIS. I'm sure it is probably a bit easier to create the replica, but I wonder if the ongoing ops related tasks are much different.
A pox on badly written apps.
Joe
lef | Posts: 21 | 02/15/2008 6:21 AM
On Thu, 14 Feb 2008, Jef Kazimer wrote:
> One thing I was recently working on, was trying to migrate applications from LDAP to LDAPS on an ADAM server. I was going to use a replica instance of the same partition, in hopes of setting the RequireSecureSimpleBinds flag, but unfortunately this is set in the configuration context which means it is replicated to each replica in the NC. Is there a per-server setting possible to require a similar function?
IIRC there is a per server override for secure proxy bind requirement but not for the secure simple bind.
> I suppose I could just firewall 389 on the box if I had to, to keep apps from using it.
I think so.
Lee Flight
ioplex | Posts: 0 | 02/19/2008 2:00 AM
On 2/19/08, Dmitri Gavrilov <dmitrig@microsoft.com> wrote:
> FWIW, the registry setting for secure proxy binds was put in place so that a domain admin could enforce the setting for all ADAM instances running in his domain, through a registry GPO (after all, it's his domain users' passwords being sent around in clear text). I guess that means you could enforce it on a per-server basis, but that was never meant as a "feature".
>
> I second Joe's concern -- why would you want to enforce this for some servers, but not others? Kinda beats the purpose, if you ask me.
Note that integrity and confidentiality on SASL buffers using the Kerberos session key is just as effective as TLS at securing data (and of course passwords are not passed around when using Kerberos). So I hope that the various channel security settings are used such that they do not overzealously exclude clients that use Kerberos rather than TLS to secure the data. Our Plexcel product doesn't do TLS since we can use the Kerberos session key for integrity and confidentiality, and I would rather not drag TLS code into our libraries if it's not necessary.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
joe | Posts: 84 | 02/19/2008 2:46 AM
For ADAM bind proxy auth, the bind mechanism is always simple bind, so SSPI sign/seal doesn't apply. The only viable option for secure bind proxy auth is SSL. So, the idea here is that you can force that to be used in this use case.
It is surprising how few people know about SSPI sign/seal though. It is a great feature.
Joe K.
dmitrig | Posts: 59 | 02/19/2008 12:05 PM
Strictly speaking, you can get sign/seal if you first do a secure bind using a Windows cred, followed by a simple proxy bind. But that is too weird. SSL is the "normal" way to go.
JefTek | Posts: 48 | 02/19/2008 2:41 PM
Mike,
Unfortunately in my case, if all my applications supported SASL binds, this would be a non-issue. It's the lack of support and the usage of simple binds which leave me only SSL as a recourse for security, I'm afraid.
An example of this is the need for the Proxy Bind capabilities of ADAM to do account aggregation, which requires a simple bind to function.
Some background is found here: http://www.jeftek.com/iam/directory-services/adam-userproxy-and-sidhistory-not-always-what-you-expected/
Thanks!
Jef Kazimer
-------
http://www.jeftek.com
ioplex | Posts: 0 | 02/19/2008 6:28 PM
Jef,
I'm not saying clients should not use SSL. I'm saying servers shouldn't require *only* SSL if clients support integrity and confidentiality.
I wish I knew what the exact channel security configuration options were so that I could provide more specific advice. Hopefully there are options like "Do not permit plain text password authentication on LDAP connections" and "LDAP connections require integrity checking" and "LDAP connections require encryption" and NOT "LDAP connections require SSL / TLS".
As Joe points out, this may not be possible with ADAM, but for AD our product uses Kerberos integrity and confidentiality but not SSL, and I'm hoping that I don't have to support SSL simply because admins are trying to block plain text password authentication from crappy apps.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
joe | Posts: 84 | 02/19/2008 7:03 PM
Wow, I never really thought of trying something like that. Weird indeed. Perhaps so weird that you should have never mentioned it in writing.
Can you do fast concurrent bind using that same technique? I guess I wouldn't see why not.
Joe K.
joe | Posts: 84 | 02/20/2008 12:21 PM
Just to be clear, the settings being discussed on this thread are the ability to limit LDAP simple bind to require a secure channel and the ability to limit proxy bind specifically to a secure channel. Proxy binds are always simple binds as well, so you can think of that as a special case of simple bind for a specific type of object.
As such, these settings don't affect any SASL bind mechanisms and as such should not have an effect on your product. I'm guessing that you guys don't have much to do with ADAM or ADAM users in general if your specialization is with Kerberos auth integration since ADAM users and bind proxies don't support Kerberos auth.
There is no need to apply these types of security restrictions to SASL binds in general and Kerberos specifically because they implement "real" authentication protocols and don't use plaintext creds on the network. The threat related to plaintext creds on the network is what we are trying to mitigate here.
A setting like this applied to AD would still relate to simple binds. Because AD supports both simple bind and SASL bind out of the box, it makes sense to have a way to prevent simple binds from being accepted on an unencrypted channel there too.
Joe K.
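The distinction Joe draws above, that the threat is a plaintext credential on the wire and so only non-anonymous simple binds matter while SASL/Kerberos binds are untouched, is exactly what a detector for the "naughty apps" Jef mentioned earlier has to encode. The following is an added example, not code from the thread or from ADAM/AD: it decodes the BER BindRequest of RFC 4511 from constructed sample PDUs and assumes a hypothetical sensor that already knows, per connection, whether the channel is protected by LDAPS or a completed StartTLS exchange.

```python
"""Flag cleartext LDAP simple binds in decoded traffic (constructed samples only).
Decodes the RFC 4511 BindRequest (BER) far enough to tell a simple bind, whose
password is on the wire, from a SASL bind (GSSAPI/Kerberos sends no password)."""

def _tlv(tag, body):
    """Encode a short-form BER TLV (every constructed sample is under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = length-of-length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(message_id, dn, password):
    """LDAPMessage{ id, BindRequest{ 3, dn, simple [0] password } }, id < 128."""
    auth = _tlv(0x80, password.encode())          # [0] OCTET STRING, primitive
    op = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + auth)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + op)

def build_sasl_bind(message_id, mechanism, token):
    """Same shape, but authentication is sasl [3] SaslCredentials{ mech, token }."""
    sasl = _tlv(0xA3, _tlv(0x04, mechanism.encode()) + _tlv(0x04, token))
    op = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, b"") + sasl)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + op)

def parse_bind_request(pdu):
    """Describe a BindRequest as a dict; return None for any other LDAP op."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:                     # [APPLICATION 0] is BindRequest
        return None
    _, ver, pos = _read_tlv(op, 0)      # version; read only to advance past it
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": int.from_bytes(mid, "big"), "name": name.decode("utf-8", "replace")}
    if tag == 0x80:                     # simple: the password itself is here
        info.update(mechanism="simple", password_len=len(auth))
    elif tag == 0xA3:                   # sasl: only a mechanism name and token
        _, mech, _ = _read_tlv(auth, 0)
        info.update(mechanism="sasl/" + mech.decode(), password_len=0)
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return info

def violates_secure_simple_bind(info, channel_protected):
    """True only when a password would cross the wire in the clear: a non-anonymous
    simple bind on a channel with no TLS/StartTLS.  SASL binds are never flagged."""
    if info is None or info["mechanism"] != "simple":
        return False
    if info["password_len"] == 0:       # anonymous simple bind carries no secret
        return False
    return not channel_protected

def audit(connections):
    """connections: (client, port, channel_protected, first PDU); returns violations."""
    findings = []
    for client, port, protected, pdu in connections:
        info = parse_bind_request(pdu)
        if violates_secure_simple_bind(info, protected):
            findings.append((client, port, info["name"]))
    return findings

# Constructed sample traffic; channel_protected is assumed to come from the sensor.
SAMPLE_CONNECTIONS = [
    ("client-a", 389, False, build_simple_bind(1, "cn=legacyapp,dc=example,dc=com", "Secret1")),
    ("client-b", 636, True, build_simple_bind(1, "cn=hrapp,dc=example,dc=com", "Secret2")),
    ("client-d", 389, False, build_sasl_bind(1, "GSSAPI", b"\x60\x00")),
    ("client-e", 389, False, build_simple_bind(1, "", "")),
    ("client-f", 389, False, _tlv(0x30, _tlv(0x02, b"\x03") + b"\x42\x00")),  # UnbindRequest
]
```

Only client-a is reported: the LDAPS bind, the Kerberos bind, the anonymous bind and the non-bind PDU all pass, which is the behaviour Mike asked the server-side settings to have as well.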