
I am looking to implement a self-help password management system, and I have found this:

http://code.google.com/p/pwm/

I have a test server set up but constantly fail to get it to read AD with the test user accounts that we have in use. The only thing that we have left now, and what a lot of the forums mention, is that the connection between this server and the AD LDAP needs to be secure (SSL).

As I understand it, we need to implement a certificate on one of the DCs in the domain, the one that the password server would query, on port 636. Having never implemented this, I am a bit concerned over what effect this would have on the reading of AD by the computers and the user accounts that are in use.

If I implement one certificate on one server, does it only affect that server, or does the whole of AD become secure? Do clients continue to communicate in unsecure mode, with only the password management server communicating over SSL? I have scoured many articles on the internet but cannot come up with a definite answer, and I'm at a halt with the implementation as I am concerned it may break something.

MattX

1 Answer

This is what test environments are for.

Having said that, generating a certificate for one server only affects that one server. It does not somehow force all servers to use certificate-based authentication.

I assume you're talking about setting up LDAPS, and in that case, it is possible to set up LDAPS and still allow non-secure LDAP connections. That is, in fact, the default for setting up LDAPS. Secure connections happen on port 636, and port 389 remains open to service non-secure connections.

However, in addition to this being what test environments are for, I would advise that if you're going to set up certificate-based authentication between one of your DCs and a password server, you might as well set up an enterprise certificate authority.

It's a very minimal extra effort, and will allow you to easily do things like make all your domain computers trust certificates it issues, set up password-less wireless authentication (assuming RADIUS-compliant network devices) and all the other neat things you can do with a proper PKI setup.

HopelessN00b
  • Many thanks for your response - if only I had a proper test environment!! With budget restraints and the amount of work I currently do, that is something of a luxury which may never see the light of day. – MattX Mar 26 '13 at 16:55
  • Forgot to state: the non-secure connection I have set up reads the AD, but when changing the password of a user, this is when it falls over, as my understanding is that in order to update a password within AD it has to be done in a secure manner. – MattX Mar 26 '13 at 16:57
  • @MattX Should still be fine. You can have the read done unsecured and the change done secured... or both done over the secured connection. Either way, simply allowing LDAPS and installing a certificate should not impact the rest of your environment authenticating non-secured. – HopelessN00b Mar 26 '13 at 17:45
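The answer and the comments above make two claims worth checking before pointing the password server at a DC: that enabling LDAPS on one DC leaves port 389 open and untouched for everyone else, and that reads work unencrypted while the password write does not. The second is AD behaviour: the `unicodePwd` attribute is only accepted over an encrypted connection (LDAPS or a sealed SASL bind), and its value must be the new password wrapped in double quotes and encoded as UTF-16LE. The script below is an added example, not code from the original post, from PWM or from Microsoft; it uses only the Python standard library. The DC name and CA bundle path are placeholders you supply on the command line, and the port numbers are the AD defaults. It confirms 389 still answers, completes a TLS handshake on 636 and verifies the DC's certificate the way any LDAPS client would (chain plus hostname against the subjectAltName), and builds the `unicodePwd` value the password change will send:

```python
"""Pre-flight checks before pointing a password-management server at an AD DC.

Added example (not from the original post, PWM or Microsoft), stdlib only.
Assumed: DC hostname and CA bundle are placeholders passed on the command line;
389/636 are the default AD LDAP/LDAPS ports.
"""
import socket
import ssl
import sys
from typing import Any, Dict, Optional


def unicode_pwd_value(password: str) -> bytes:
    """Encode a new password the way AD's unicodePwd attribute requires.

    AD accepts unicodePwd only over an encrypted connection (LDAPS, or a
    SASL bind with sealing). Sending it on a plain port-389 session is
    rejected with unwillingToPerform (result code 53), while reads on the
    same session work fine. The value is the password in double quotes,
    encoded UTF-16LE.
    """
    return f'"{password}"'.encode("utf-16-le")


def plain_ldap_reachable(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """True if the DC still answers on the unencrypted LDAP port.

    Installing a certificate for LDAPS does not close 389; this is the check
    that existing domain clients keep their usual path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldaps_certificate(host: str, port: int = 636, cafile: Optional[str] = None,
                      timeout: float = 3.0) -> Dict[str, Any]:
    """Complete a TLS handshake on the LDAPS port and report the DC's certificate.

    The chain is verified against `cafile` (or the system trust store when it
    is None) and the hostname is checked against the certificate's
    subjectAltName, which is what the password server will do before it
    trusts the DC. A failure here is the same failure the client would see.
    """
    result: Dict[str, Any] = {
        "host": host, "port": port, "verified": False,
        "subject_cn": None, "san": [], "not_after": None, "error": None,
    }
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted, or the name we dialled is not in the SAN list.
        result["error"] = f"certificate rejected: {exc.verify_message}"
        return result
    except (ssl.SSLError, OSError) as exc:
        # Nothing listening on 636, or it is not speaking TLS.
        result["error"] = f"no TLS service on {host}:{port}: {exc}"
        return result

    result["verified"] = True
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                result["subject_cn"] = value
    result["san"] = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    result["not_after"] = cert.get("notAfter")
    return result


def preflight(host: str, cafile: Optional[str] = None) -> Dict[str, Any]:
    """Run both checks; a password change can only succeed if LDAPS verifies."""
    ldaps = ldaps_certificate(host, cafile=cafile)
    return {
        "ldap_389_open": plain_ldap_reachable(host),
        "ldaps_636": ldaps,
        "password_change_possible": ldaps["verified"],
    }


if __name__ == "__main__":
    # Usage: python preflight.py dc01.example.local [ca-bundle.pem]
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"  # placeholder
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in preflight(dc, ca).items():
        print(f"{key}: {value}")
```

If `ldaps_636.error` reports a rejected certificate, the fix is on the client side (install the issuing CA in the password server's trust store, and make sure you dial the DC by a name that appears in the SAN list), not on the DC. If it reports no TLS service, the DC has not picked up a usable certificate yet (it needs the server-authentication EKU and a private key the DC can read, and LDAPS is only offered after the DC sees it). Either way the 389 result should stay `True`, which is the direct answer to the question of whether the rest of the domain is affected.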