Re: LDAP authentication security ?



This depends on the application. If the application only supports LDAP
simple bind, then you will need an additional security mechanism like
SSL/LDAP in order for the credential validation to be secure.

If the application supports SASL bind with either GSS-SPNEGO or DIGEST
authentication, then you can use that directly with AD without needing to
secure the channel as those authentication mechanisms are already secure
without channel encryption.

Simple bind is the authentication mechanism in the LDAP V3 spec and is
supported by all LDAP directories. SASL is a mechanism used in LDAP and
other places of adding in additional authentication protocols. Not all LDAP
servers and clients support all SASL mechanisms, so whether or not you can
use SASL depends a great deal on the capabilities of the LDAP client (the
application).

If you need SSL, AD supports SSL LDAP just fine, assuming you get a
certificate for your domain controllers. You can either use a Windows CA or
procure SSL certificates from an external CA. Either works and both have
their pros and cons.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.1c157d7ca0336b3b.70874@xxxxxxxxxxxxxxxxxxxxx
Hi,
(First, sorry for my English ;-))

I would like to use LDAP authentication with my application (Quality
Center). So the user will have to type his Active Directory username and
password, BUT is the LDAP authentication secured?

By default there is no encryption, so is the password transmitted in clear
text?

Do I need to use LDAP over SSL?
What is SASL?

Thank you

--
Pascal
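To make the answer above concrete, here is an added example that is not part of the thread: it BER-encodes an LDAP simple BindRequest exactly as a client puts it on the wire (RFC 4511) and shows the password sitting verbatim inside the PDU, then implements the client-side policy Joe describes, preferring a SASL mechanism the server advertises and allowing simple bind only when the channel is already protected by SSL. The DN, password and mechanism lists are constructed sample values.

```python
"""LDAP simple bind on the wire, and a bind-mechanism policy (added example)."""


def _ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV using the short definite length form (payload < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form BER only; payload too long for this example")
    return bytes([tag, len(payload)]) + payload


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    bind_request = _ber(
        0x60,                                   # [APPLICATION 0] BindRequest
        _ber(0x02, bytes([3]))                  # version INTEGER 3
        + _ber(0x04, dn.encode())               # name LDAPDN (OCTET STRING)
        + _ber(0x80, password.encode()),        # authentication.simple [0] OCTET STRING
    )
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind_request)


def password_visible(pdu: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the PDU.

    For a simple bind this is always the case: without SSL/StartTLS, anyone
    who can see the TCP stream sees the credential, which is why simple bind
    needs channel protection while GSS-SPNEGO or DIGEST do not.
    """
    return password.encode() in pdu


# SASL mechanisms named in the thread that protect the credential on their own.
SECURE_SASL = ("GSS-SPNEGO", "DIGEST-MD5")


def choose_bind(supported_sasl, tls_active: bool) -> str:
    """Pick a bind mechanism. supported_sasl is what the server's rootDSE advertises
    in supportedSASLMechanisms; tls_active says whether LDAPS/StartTLS is in place."""
    for mech in SECURE_SASL:
        if mech in supported_sasl:
            return mech
    if tls_active:
        return "simple"          # credential travels in clear, but inside the TLS tunnel
    raise RuntimeError("refusing simple bind over a plaintext connection")


if __name__ == "__main__":
    pdu = simple_bind_request(1, "CN=pascal,DC=example,DC=net", "Winter2007!")
    print(pdu.hex())
    print("password visible in PDU:", password_visible(pdu, "Winter2007!"))
    print("AD with SASL available:", choose_bind(["GSS-SPNEGO", "DIGEST-MD5"], False))
```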
