
I'm wanting to set up secure LDAP authentication with an external service provider. The end user currently uses unsecured LDAP to the service provider. The service provider admits the way it had been originally implemented exposes credentials via packet capture.

I've reviewed: https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority

Their local domain is a *.local. The product manufacturer requires an SSL certificate that is signed by a valid certificate authority. This is good. I can create an SSL cert for the domain, but it won't match what the Directory Service has.

I'm not sure exactly how the external auth is presented to the LDAP server, if it's just passing the user name with domain name appended or if it verifies the LDAP server first.

Questions - Do I need to rename the domain to match? Would adding a UPN suffix allow for a work-around?

Edit: External access through the Internet is required, thus the desire to secure LDAP.


  • Does the service provider allow you to provide ANY certificate or must it be signed by a third party? Does the service provider require a name on the certificate that matches the name of the domain? You can certainly do a .local using an internal CA with whatever other SANs are required. Do you currently have Exchange in your forest? If so that will block any attempt to rename a domain/forest. Any certificate you use will have to be trusted by your domain clients, and use the FQDN of the domain, as well. A UPN Suffix will most likely not help you in this scenario. Commented Dec 23, 2019 at 22:07
  • @Semicolon - thank you for your input. Provider says it must be signed by a valid certification authority. I take that as a third party/public, not an internal CA. No Exchange - that was retired this year. Commented Dec 23, 2019 at 23:20
  • Renaming a forest is usually a very long-lasting pain in the ass and I would avoid it at (nearly) all costs. What exactly is "Their local domain"? The client's AD or the provider's service? It wouldn't make sense if the provider asks you for a certificate for a .local domain ... Commented Jan 10, 2020 at 14:06

1 Answer

Put a TLS proxy in between (for example HAProxy in TCP mode) and publish it with a proper DNS name (for example ldap.mycompany.com) and certificate.

Backend LDAP traffic can still be plaintext or use an internal name (.local) with a self-signed or internal CA certificate.
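The proxy layout described in this answer, as an added example configuration that is not part of the answer itself; the names ldap.mycompany.com, dc1.corp.local, dc2.corp.local and the certificate paths are assumed placeholders.

```haproxy
# Added example: HAProxy in TCP mode terminating LDAPS on a public name and
# forwarding to the internal .local domain controllers. Names and paths are
# assumptions, not values from the question.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  5m
    timeout server  5m

# Public side: the PEM file holds the key, leaf and chain of a publicly
# trusted certificate whose SAN is ldap.mycompany.com, so the provider
# validates the public name and never sees the .local name at all.
frontend ldaps_public
    bind *:636 ssl crt /etc/haproxy/certs/ldap.mycompany.com.pem
    default_backend dc_ldaps

# Internal side, option A: re-encrypt to the DCs' own LDAPS listener and
# verify their internal-CA certificate, so the proxy will not bind to a
# spoofed DC. This also works when the DCs enforce LDAP signing, which
# rejects simple binds over plaintext 389.
backend dc_ldaps
    balance roundrobin
    option ldap-check
    server dc1 dc1.corp.local:636 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server dc2 dc2.corp.local:636 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check backup

# Internal side, option B: plaintext LDAP on 389, acceptable only when the
# proxy-to-DC segment is itself trusted (credentials traverse it unencrypted).
# backend dc_ldap
#     balance roundrobin
#     option ldap-check
#     server dc1 dc1.corp.local:389 check
#     server dc2 dc2.corp.local:389 check backup
```

Once it is running, `openssl s_client -connect ldap.mycompany.com:636 -servername ldap.mycompany.com` should show the public certificate and a verified chain, and the provider's LDAP URL becomes ldaps://ldap.mycompany.com while the bind DN or UPN stays whatever the .local directory already uses.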
