I'm struggling with the need for SSL...
We will use our new LDAP for apps. These servers are all locally housed so each app server will talk to the LDAP server over our network. (why) Would we need SSL?
What about for mail services? It seems to me that our mail server would also talk directly to the LDAP server...what am I missing here that dictates the use of SSL with LDAP? I could see it if one had their LDAP open to direct access from off-network. Perhaps SSL is used simply as a means to authenticate?
Kevin
SSL is primarily designed to encrypt the data 'on the wire'. Certs and cert authorities are designed to try to bring some level of trust that you are talking to the server you intend to be talking to.
If your network is secure then there's likely little 'need', per se, for SSL - but anyone on the network can do a network packet capture and catch the mailbox user login and app logins - which is not a good idea.
If you're doing this for work and paying users: encrypt the data on the wire.
If you're just monkeying around at home: shave whatever corners you want, but learning SSL is important so take the time.
TL;DR: Use SSL.
- chris
Chris Jacobs, Systems Administrator, Technology Services Group Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc. 1501 4th Ave | Suite 2500 | Seattle, WA 98101 direct 206.839.8245 | cell 206.601.3256 | fax 206.644.0628 email chris.jacobs@apollogrp.edu
________________________________ From: openldap-technical-bounces@OpenLDAP.org To: openldap-technical@openldap.org Sent: Mon Sep 26 07:18:00 2011 Subject: LDAP and SSL
________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
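Chris's point that a packet capture on the LAN catches the user logins can be checked rather than argued about. The following is an added example, not code from the thread or from OpenLDAP: a small Python audit that decodes client-to-server LDAP messages (as reassembled from a port-389 capture) and reports every password-carrying simple bind sent before a STARTTLS request. The BER framing follows RFC 4511; the two sample messages, the DN cn=kevin,dc=example,dc=com and the password are constructed.

```python
# Added example, not from the thread: audit client->server LDAP messages (e.g.
# reassembled from a port-389 capture) and report simple binds sent before
# STARTTLS, i.e. with the password readable on the wire. Samples are constructed.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 Start TLS extended operation

def read_tlv(buf, pos):
    """Decode the BER element at buf[pos]: (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0          # long form: 0x8N, then N length bytes
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    pos += n
    return tag, buf[pos:pos + length], pos + length

def classify(msg):
    """Extract the fields the audit needs from one LDAPMessage (single-byte tags)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:                                  # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, mid, p = read_tlv(body, 0)                    # messageID INTEGER
    op_tag, op, _ = read_tlv(body, p)
    info = {"id": int.from_bytes(mid, "big", signed=True), "op": "other"}
    if op_tag == 0x60:                               # BindRequest [APPLICATION 0]
        _, _, p = read_tlv(op, 0)                    # protocol version
        _, name, p = read_tlv(op, p)                 # bind DN
        auth_tag, cred, _ = read_tlv(op, p)          # 0x80 = simple password, 0xA3 = SASL
        info.update(op="bind", name=name.decode(), simple=auth_tag == 0x80, cred_len=len(cred))
    elif op_tag == 0x77:                             # ExtendedRequest [APPLICATION 23]
        _, oid, _ = read_tlv(op, 0)                  # requestName [0]
        info.update(op="extended", oid=oid.decode())
    return info

def audit_stream(messages):
    """One finding per non-anonymous simple bind seen before STARTTLS was requested."""
    tls_started, findings = False, []
    for raw in messages:
        m = classify(raw)
        if m["op"] == "extended" and m["oid"] == STARTTLS_OID:
            tls_started = True                       # later traffic is ciphertext in a real capture
        elif m["op"] == "bind" and m["simple"] and m["cred_len"] and not tls_started:
            findings.append(f"msg {m['id']}: cleartext simple bind as {m['name']} "
                            f"({m['cred_len']}-byte password on the wire)")
    return findings

# Constructed samples: a simple bind for cn=kevin carrying an 18-byte password,
# and a Start TLS request (a bind sent after it would travel inside TLS).
BIND_KEVIN = (b"\x30\x38\x02\x01\x01\x60\x33\x02\x01\x03"
              b"\x04\x1acn=kevin,dc=example,dc=com\x80\x12constructed-secret")
START_TLS = b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + STARTTLS_OID.encode()
```

Run it over the reassembled payloads of one TCP stream at a time; ldaps on port 636 never shows a parseable BindRequest, which is the point of the thread.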
Our network is secure. It's internal, except for the VPN. Access to these apps, even the web-based ones, is blocked by the firewall to outside and other vlans. This LDAP is for company/internal use, not for paying users.
In the "monkeying around" at home I have set up my test systems with SSL, and I am learning it...just wondering if in a production environment we would need the extra layer of security, complexity and overhead.
Thanks for the help!
-----Original Message----- From: Chris Jacobs Chris.Jacobs@apollogrp.edu To: 'criderkevin@aol.com'; 'openldap-technical@openldap.org' Sent: Mon, Sep 26, 2011 10:28 am Subject: Re: LDAP and SSL
On Mon, Sep 26, 2011 at 3:58 PM, criderkevin@aol.com wrote:
Our network is secure. It's internal, except for the VPN. Access to these apps, even the web-based ones, is blocked by the firewall to outside and other vlans. This LDAP is for company/internal use, not for paying users.
Most successful attacks come from inside the network AFAIK.
Ayup. As a SysAdmin or SysEngineer your duty is to protect data - which is usually protected by username and password pairs - so do everything you can to protect those - especially from curious people wondering 'what does wireshark do' or worse, wondering 'what is [Kevin's/Kevin's Boss/etc] password'.
You don't need SSL while you're building up and testing - leave it out for simplicity's sake - but when it comes time for 'real' data, have SSL ready.
Really, it's not hard to do, nor very complicated. If you lack some knowledge on how it's done, don't give up - what you learn will be worth it. Small effort -> a lot of security.
- chris
-----Original Message----- From: openldap-technical-bounces@OpenLDAP.org On Behalf Of Mauricio Tavares Sent: Monday, September 26, 2011 1:52 PM To: openldap-technical Subject: Re: LDAP and SSL
On Mon, Sep 26, 2011 at 3:58 PM, criderkevin@aol.com wrote:
Our network is secure. It's internal, except for the VPN. Access to these apps, even the web-based ones, is blocked by the firewall to outside and other vlans. This LDAP is for company/internal use, not for paying users.
Most successful attacks come from inside the network AFAIK.
On 26/09/2011 21:58, criderkevin@aol.com wrote:
Our network is secure. It's internal, except for the VPN. Access to these apps, even the web-based ones, is blocked by the firewall to outside and other vlans. This LDAP is for company/internal use, not for paying users.
So you are trusting that none of your users will just start ettercap and capture all the passwords he wants.
That's your choice, but in my opinion it is not a good one.
Regards, Simone
Kevin, you absolutely don't need to use SSL and no one forces you to use secure channels, so... I'm a bit confused by your question. What's the problem?
On 26/09/11 10:18 -0400, criderkevin@aol.com wrote:
If you're performing TLS authentication, using client certificates, via STARTTLS, then using X.509 provides for a strong authentication mechanism using SASL (EXTERNAL).
That's the one benefit that I know of beyond the obvious session based encryption that you obtain using certificates.
On 9/26/2011 11:33, Dan White wrote:
TLS/SSL also protects against packet interception; while it may seem obvious that no one can or will, I assure you someone could and might.