[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAP and SSL



Ayup.  As a SysAdmin or SysEngineer your duty is to protect data - which is usually protected by username and password pairs - so do everything you can to protect those - especially from curious people wondering 'what does wireshark do' or worse, wondering 'what is [Kevin's/Kevin's Boss/etc] password'.

You don't need SSL while you're building up and testing - leave it out for simplicities sake - but when it comes time for 'real' data, have SSL ready.

Really, it's not hard to do, nor very complicated. If you lack some knowledge on how it's done, don't give up - what you learn will be worth it.  Small effort -> a lot of security.

- chris

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Mauricio Tavares
Sent: Monday, September 26, 2011 1:52 PM
To: openldap-technical
Subject: Re: LDAP and SSL

On Mon, Sep 26, 2011 at 3:58 PM,  <criderkevin@aol.com> wrote:
> Our network is secure. It's internal, except for the VPN. Access to these
> apps, even the web-based ones, is blocked by the firewall to outside and
> other vlans. This LDAP is for company/internal use, not for paying users.
>
      Most successful attacks come from inside the network AFAIK.

> In the "monkeying around" at home I have setup my test systems with SSL, and
> I am learning it...just wondering if in a production environment we would
> need the extra layer of security, complexity and overhead.
>
> Thanks for the help!
>
>
>
> -----Original Message-----
> From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
> To: 'criderkevin@aol.com' <criderkevin@aol.com>;
> 'openldap-technical@openldap.org' <openldap-technical@openldap.org>
> Sent: Mon, Sep 26, 2011 10:28 am
> Subject: Re: LDAP and SSL
>
> SSL is primarily designed to encrypt the data 'on the wire'. Certs and cert
> authorities are designed to try bring some level of trust that you are
> talking to the server you intend to be talking to.
>
> If your network is secure then there's likely little 'need', per se, for SSL
> - but anyone on the network can do a network packet capture and catch the
> mailbox user login and app logins - which is not a good idea.
>
> If you're doing this for work and paying users: encrypt the data on the
> wire.
>
> If you're just monkeying around at home: shave whatever corners you want,
> but learning SSL is important so take the time.
>
> TL;DR: Use SSL.
>
> - chris
>
>
> Chris Jacobs, Systems Administrator, Technology Services Group
> Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc.
> 1501 4th Ave | Suite 2500 | Seattle, WA 98101
> direct 206.839.8245 | cell 206.601.3256 | fax 206.644.0628
> email mailto:chris.jacobs@apollogrp.edu
> ________________________________
> From: openldap-technical-bounces@OpenLDAP.org
> <openldap-technical-bounces@OpenLDAP.org>
> To: openldap-technical@openldap.org <openldap-technical@openldap.org>
> Sent: Mon Sep 26 07:18:00 2011
> Subject: LDAP and SSL
>
> I'm struggling with the need for SSL...
>
> We will use our new LDAP for apps. These servers are all locally housed so
> each app server will talk to the LDAP server over our network. (why) Would
> we need SSL?
>
> What about for mail services? It seems to me that our mail server would also
> talk directly to the LDAP server...what am I missing here that dictates the
> use of SSL with LDAP? I could see if one had their LDAP open to be
> accessible direct access from off-network. Perhaps SSL is used simply as a
> means to authenitcate?
>
> Kevin
>
>
> ________________________________
> This message is private and confidential. If you have received it in error,
> please notify the sender and remove it from your system.
>
>



This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.