Re: LDAP authentication security ?

---

• From: Pascal <pascal_t@xxxxxxxxxxxxxxxxxx>
• Date: Fri, 07 Dec 2007 15:12:57 +0100

---

Hi Joe,

thank you for your answer.
It is very clear (as most of your interventions here :D).

Actually we don't have any PKI so we will buy a commercial SSL certificates.
You said that both solutions have pros and cons.
Why ? And do you know where I can find the pros and cons of each one ?

Thank you again.

This depends on the application. If the application only supports LDAP simple bind, then you will need an additional security mechanism like SSL/LDAP in order for the credential validation to be secure.

If the application supports SASL bind with either GSS-SPNEGO or DIGEST authentication, then you can use that directly with AD without needing to secure the channel as those authentication mechanisms are already secure without channel encryption.

Simple bind is the authentication mechanism in the LDAP V3 spec and is supported by all LDAP directories. SASL is a mechanism used in LDAP and other places of adding in additional authentication protocols. Not all LDAP servers and clients support all SASL mechanisms, so whether or not you can use SASL depends a great deal on the capabilities of the LDAP client ( the application).

If you need SSL, AD supports SSL LDAP just fine, assuming you get a certificate for your domain controllers. You can either use a Windows CA or procure SSL certificates from an external CA. Either work and both have their pros and cons.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.1c157d7ca0336b3b.70874@xxxxxxxxxxxxxxxxxxxxx

Hi,
(First, sorry for my english ;-))

I would like to use an LDAP authentication with my application (Quality Center). So, the user will have to type his Active Directory username and password BUT the LDAP authentication secured is it secured ?

By default, there is no encryption so the password is transmitted in clear text ?

Do I need to use LDAP Over SSL ?
What is SASL ?

Thank you

-- Pascal

--
Pascal


.

---

• Follow-Ups:
  • Re: LDAP authentication security ?
    • From: Joe Kaplan

• References:
  • LDAP authentication security ?
    • From: Pascal
  • Re: LDAP authentication security ?
    • From: Joe Kaplan

• Prev by Date: Re: Accessing folders owned by another user?
• Next by Date: Re: Network drives show disconnected, sometimes, but still work?
• Previous by thread: Re: LDAP authentication security ?
• Next by thread: Re: LDAP authentication security ?
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: LDAP authentication security ? ... I'm actually a big fan of external SSL certs for DCs simply because they are ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... Actually we don't have any PKI so we will buy a commercial SSL ... Simple bind is the authentication mechanism in the LDAP V3 spec and is ... (microsoft.public.windows.server.security) Re: LDAP authentication security ? ... Using an internally rooted CA can be less expensive, but it is less easy to get all of the clients to trust your certs issued by this CA, especially in an environment that includes non-Windows machines that can't take advantage of auto enrollment or GPO for distributing trusted roots. ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... If the application supports SASL bind with either GSS-SPNEGO or DIGEST authentication, then you can use that directly with AD without needing to secure the channel as those authentication mechanisms are already secure without channel encryption. ... Simple bind is the authentication mechanism in the LDAP V3 spec and is supported by all LDAP directories. ... (microsoft.public.windows.server.security) Re: Recommended strategy for providing access to web apps via Inte ... LDAP is an ugly solution on the public internet, ... These federated authentication protocols are designed to address these ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... (microsoft.public.windows.server.active_directory) Re: Mixed Mode Authentication in .net 2.0 ... Basic auth should be used with SSL. ... authentication should use SSL anyway, ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... (microsoft.public.dotnet.framework.aspnet.security) Re: Recommended strategy for providing access to web apps via Inte ... "Joe Kaplan" wrote: ... opened the firewall up for LDAP, the external entity can execute ANY LDAP ... These federated authentication protocols are designed to address these ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... (microsoft.public.windows.server.active_directory)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)