Comments on: LDAP over SSL/TLS: How secure is your Directory? http://jeftek.com/195/ldap-over-ssltls-how-secure-is-your-directory/#utm_source=rss&utm_medium=rss&utm_campaign=ldap-over-ssltls-how-secure-is-your-directory Gadgets, Directory Services, Identity Management, and overall Geekery Sat, 04 Feb 2012 18:05:20 +0000 hourly 1 By: Lotus Domino LDAP SS http://jeftek.com/195/ldap-over-ssltls-how-secure-is-your-directory/#comment-198 Lotus Domino LDAP SS Wed, 02 Apr 2008 01:08:30 +0000 http://jeftek.com/wp/?p=195#comment-198 <strong>RE: LDAP over SSL/TLS: How secure is your Directory?</strong> Pingback from Lotus Domino LDAP SSL certificate issue : JefTek.com RE: LDAP over SSL/TLS: How secure is your Directory?

Pingback from Lotus Domino LDAP SSL certificate issue : JefTek.com

]]> By: Eric Huebner http://jeftek.com/195/ldap-over-ssltls-how-secure-is-your-directory/#comment-197 Eric Huebner Tue, 19 Feb 2008 20:39:00 +0000 http://jeftek.com/wp/?p=195#comment-197 You can use public certificates from VeriSign and the like and it is a lot less of a problem since most Certificate Clients include the base certificates for public authorities like VeriSign. Some of the hardest challenges with LDAP come in two areas: 1) Responses 2) Availability In #1, LDAP is the "ODBC of the Directory." It doesn't care if your account is disabled, locked out, password expired or the like. The response is a binary pass/fail and no inkling about why your account is not 100% good to go without a lot of custom code. #2, LDAP is not inherently fault tolerant. You're only availability option is IP Load balancing in either hardware or software using persistent “sticky” connections since LDAP is connection oriented. Your application must also be able to handle an unexpected disconnection by checking for errors on every transaction. Bind/Unbind Session creation and tear down is expensive but long lasting connections to the directory are more likely to timeout or to be lost due to network and server conditions. Plus, you will have some fun crafting certificates that the OS will accept and recognize as well as contain the DNS alias name for you virtual, load balancer. Oh, and the SSL cert MUST be on the ADAM server if you intend on changing passwords as ADAM won't recognize the SSL connection if it is on the load balancer. Of course in the end, the key question is if the application is using SSL between it and the user. :-) You can use public certificates from VeriSign and the like and it is a lot less of a problem since most Certificate Clients include the base certificates for public authorities like VeriSign.
Some of the hardest challenges with LDAP come in two areas:
1) Responses
2) Availability
In #1, LDAP is the "ODBC of the Directory." It doesn't care if your account is disabled, locked out, password expired or the like. The response is a binary pass/fail and no inkling about why your account is not 100% good to go without a lot of custom code.
#2, LDAP is not inherently fault tolerant. You're only availability option is IP Load balancing in either hardware or software using persistent “sticky” connections since LDAP is connection oriented. Your application must also be able to handle an unexpected disconnection by checking for errors on every transaction. Bind/Unbind Session creation and tear down is expensive but long lasting connections to the directory are more likely to timeout or to be lost due to network and server conditions. Plus, you will have some fun crafting certificates that the OS will accept and recognize as well as contain the DNS alias name for you virtual, load balancer. Oh, and the SSL cert MUST be on the ADAM server if you intend on changing passwords as ADAM won't recognize the SSL connection if it is on the load balancer.
Of course in the end, the key question is if the application is using SSL between it and the user. :-)

]]> By: Serkan Varoglu http://jeftek.com/195/ldap-over-ssltls-how-secure-is-your-directory/#comment-196 Serkan Varoglu Mon, 18 Feb 2008 17:03:00 +0000 http://jeftek.com/wp/?p=195#comment-196 I agree too but as you said PKI is a huge drawback when you think about a huge network. I know ppl does say "well it is easy to get certs to all". Yeah but it needs a very good planning. I agree too but as you said PKI is a huge drawback when you think about a huge network. I know ppl does say "well it is easy to get certs to all". Yeah but it needs a very good planning.

]]> By: Joe Kaplan http://jeftek.com/195/ldap-over-ssltls-how-secure-is-your-directory/#comment-495 Joe Kaplan Fri, 15 Feb 2008 02:56:00 +0000 http://jeftek.com/wp/?p=195#comment-495 I totally agree. Use SSL! One thing that is nice is that you can actually disable the ability to do unsecure simple binds on AD and ADAM. I have a post about this regarding ADAM here: <a href="http://www.joekaplan.net/ADAMCanBeForcedToOnlyAllowSimpleBindOnASecureChannel.aspx" rel="nofollow"> <a href="http://www.joekaplan.net/.../ADAMCanBeForced</a>" target="_blank">www.joekaplan.net/.../ADAMCanBeForced I totally agree. Use SSL! One thing that is nice is that you can actually disable the ability to do unsecure simple binds on AD and ADAM. I have a post about this regarding ADAM here:
<a href="http://www.joekaplan.net/…/ADAMCanBeForced” target=”_blank”>www.joekaplan.net/…/ADAMCanBeForced

]]>