Re: enable LDAP-SSL without a root-CA
From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 08/11/02
- Next message: Rodney: "Re: EFS"
- Previous message: Paul T Wang: "Re: Changed Password, Added Account and now locked out of Win 2k Professional"
- In reply to: David Cross [MS]: "Re: enable LDAP-SSL without a root-CA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Sun, 11 Aug 2002 17:33:30 -0400
Not sure dude, I wasn't overly involved with it. They wanted certs on the
DCs for secure SSL password changes from UNIX sources and we don't use MS
CA. They started looking long and hard for something and came up with
something from Verisign. They came to me and said it would be $1000+
per DC (we have almost 400 DCs) and would require ridiculously painful
installation instructions, including sitting on the phone with Verisign for
each one. I said we wouldn't do it; if they needed certs for the DCs they
needed to set up an MS CA and make everything automagic, or don't bother.
I have enough headaches keeping the 250k users running normally, let alone
bogging the DCs down with a bunch of SSL traffic.
--
Joe Richards
www.joeware.net
---

"David Cross [MS]" <vaq130@hotmail.com> wrote in message news:eS30gTMQCHA.2652@tkmsftngp10...
> That sounds ridiculous. You need a cert that chains to a trusted root on
> both the server and the client. The net-net is you need a root CA to start
> the hierarchy, anything less would not be secure.
>
> --
> David B. Cross [MS]
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> http://support.microsoft.com
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message news:evPZEsHQCHA.2664@tkmsftngp10...
> > Some folks in our security group started talking to Verisign about this and
> > I believe they found a way but it was very costly because Verisign had to do
> > some very strange things to make this work.
> >
> > --
> > Joe Richards
> > www.joeware.net
> > ---
> >
> > "Igor Ybema" <i.ybema@civ.utwente.nl> wrote in message news:airfdt$19e$1@netlx020.civ.utwente.nl...
> > > Is it possible to enable SSL over LDAP in Windows 2000 without installing an
> > > enterprise root-CA?
> > >
> > > According to MS-article Q247078 you need to install an Enterprise CA and
> > > allow all domain controllers to receive a certificate automatically. In our
> > > test-environment this works. After that we can use LDAPS in this
> > > test-environment to update passwords, make accounts etc. Now we need to use
> > > LDAPS in our production environment but we still have to decide how our
> > > CA-hierarchy will look like. So we can't install an enterprise-CA yet and we
> > > can not wait for this. Is it somehow possible to use temporary self-signed
> > > certificates to enable SSL over LDAP on one server?
> > >
> > > regards,
> > >
> > > Igor Ybema, University of Twente, Enschede, the Netherlands
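As an added illustration of the chain-of-trust point made in this thread (this is example code, not anything posted by the participants or shipped by Microsoft), the script below builds with openssl the two kinds of DC certificate discussed, one issued by a private root CA and one bare self-signed, and checks each against a client-side trust store; it assumes the openssl command-line tool is installed and uses constructed hostnames.

```shell
#!/bin/sh
# Added example, not from the thread. Shows how a client's chain validation
# treats a root-issued DC certificate versus a self-signed one.
set -e

# make_pki <dir>: writes root.pem (private root CA), dc.pem (DC certificate
# issued by that root) and self.pem (bare self-signed DC cert) into <dir>.
make_pki() {
  d=$1; fqdn="dc01.corp.example"   # constructed placeholder DC name
  # Private root CA: the trust anchor every LDAPS client must hold.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Corp Private Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # DC certificate: CSR, then issuance by the root with the DC's FQDN as a
  # SAN and the serverAuth EKU, which is what an LDAPS client looks for.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$d/dc.key" -out "$d/dc.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$d/dc.ext"
  openssl x509 -req -in "$d/dc.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 825 -extfile "$d/dc.ext" -out "$d/dc.pem" 2>/dev/null
  # Self-signed DC certificate, the "temporary" option from the question.
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 -subj "/CN=$fqdn" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

# chain_ok <cert> <trust-store>: succeeds only if <cert> chains to a
# certificate in <trust-store>, as a client's validation would require.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo: build a throwaway PKI and try the three client-side situations.
PKI=$(mktemp -d)
make_pki "$PKI"
report() { if chain_ok "$1" "$2"; then echo "ok:   $3"; else echo "fail: $3"; fi; }
report "$PKI/dc.pem"   "$PKI/root.pem" "root-issued DC cert, client trusts the root"
report "$PKI/self.pem" "$PKI/root.pem" "self-signed DC cert, client trusts only the root"
report "$PKI/self.pem" "$PKI/self.pem" "self-signed DC cert, client pins that exact cert"
rm -rf "$PKI"
```

The third case is why a self-signed certificate only works per server: each client has to be given that exact certificate, whereas distributing one root lets every DC certificate it issues validate.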