Active_Directory [SOLVED]: Securing OpenLDAP and AD
December 10, 2017 at 2:56 am #35324
We are using OpenLDAP server as a proxy to AD by adding AD as subordinate to OpenLDAP.
I’ve secured OpenLDAP traffic by using StartTLS connection, Now I’ve been told to use LDAPS protocol for the bind which we do to connect to AD Server(We are using simple bind).
So my question was, Is it necessary to use LDAPS for communication with AD as OpenLDAP is already using StartTLS?
I don’t have much knowledge about OpenLDAP and AD so just wanted the suggestions.
I’ve used below configuration for adding backend ldap[Lightweight Directory Access Protocol (Proxy) backend] database.
dn: olcDatabase=ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: ldap olcSuffix: ou=xyz,dc=xyz,dc=xyz olcSubordinate: TRUE olcAccess: to dn.subtree="ou=xyz,dc=xyz,dc=xyz" by * read olcAddContentAcl: FALSE olcLastMod: FALSE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcDbURI: "ldap://xx.xx.xx.xx" olcDbStartTLS: none starttls=no olcDbACLBind: bindmethod=simple timeout=0 network-timeout=0 binddn="cn=xyz,ou=xyz,dc=xyz,dc=xyz" credentials="xxxxxxxxxxxxxxxxxxxxxx" olcDbIDAssertBind: mode=legacy flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=xyz,ou=xyz,dc=xyz,dc=xyz" credentials="xxxxxxxxxxxxxxxxxxxxxx" olcDbRebindAsUser: TRUE olcDbChaseReferrals: TRUE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSEDecember 10, 2017 at 2:56 am #35325
LDAP simple binds that are not protected by SSL/TLS are very insecure, as it involves sending username and password credentials in clear-text over the network.
LDAP simple binds are acceptable only over SSL/TLS/LDAPS.
All you have to do to enable LDAPS on an Active Directory domain controller is install a suitable certificate with private key on the AD domain controller:
Be sure and read the requirements section of the article above to see what constitutes an acceptable certificate.
Once you’ve installed an acceptable certificate on the domain controller, Active Directory will automatically sense its presence and enable LDAPS over port 636.
You may source the certificate from any Certification Authority you wish, as long as it is trusted by all parties who will participate in the communication. It can be an existing AD-integrated PKI, or it can be a non-Microsoft CA on your corporate network, or it may even be a public, globally-trusted CA like Godaddy, Symantec, etc., as long as it is capable of producing a certificate that meets the requirements:
- The LDAPS certificate is located in the Local Computer’s Personal certificate store (programmatically known as the computer’s MY certificate store).
- A private key that matches the certificate is present in the Local Computer’s store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
- The Enhanced Key Usage extension includes the Server Authentication (18.104.22.168.22.214.171.124.1) object identifier (also known as OID).
- The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
- The Common Name (CN) in the Subject field.
- DNS entry in the Subject Alternative Name extension.
- The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
- You must use the Schannel cryptographic service provider (CSP) to generate the key.
(Technically, it may even be a self-signed certificate, though this isn’t a secure solution.)
Once you install this certificate, the domain controller will automatically enable LDAPS service on port 636. (And global catalog service on 3269.)
So far I have only described LDAPS but not specifically StartTLS.
You may use startTLS against a Microsoft LDAP server if you wish:
It doesn’t require any additional configuration on the server. It just involves the client sending the correct LDAP controls (commands) to the server. (The control OID for startTLS is “126.96.36.199.4.1.1466.20037”.)
Author: Ryan Ries
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
You must be logged in to reply to this topic.