Hi there,
Choosing LDAP will not disturb anything. Only LDAP data transfers are exposed. Other authentication or authorization data using Kerberos, SASL, and even NTLM have their own encryption systems.
Reasons for enabling Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS, include:
- Some applications authenticate with Active Directory Domain Services (AD DS) through simple BIND. As simple BIND exposes the users' credentials in clear text, the use of Kerberos is preferred. If simple BIND is necessary, using SSL/TLS to encrypt the authentication session is strongly recommended.
- Use of proxy binding or password change over LDAP, which requires LDAPS. (e.g. Bind to an AD LDS Instance Through a Proxy Object)
- Some applications that integrate with LDAP servers (such as Active Directory or Active Directory Domain Controllers) require encrypted communications.
Enable LDAP over SSL with a third-party certification authority https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
LDAP over SSL (LDAPS) Certificate https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx#Reasons_for_Enabling_LDAPS