Impacts by activating ldaps on Active Directory

    Question

  • Hi gents,


    In order to provide self-service password reset on the VPN gateway (Fortinet) for our supplier (we just provide them with an AD account), we have been asked the following:


    "password-renewal allows FortiOS to perform the online LDAP password renewal operations the LDAP server expects. When changing passwords on a Windows AD system, the connection must be SSL-protected"


    Which means that we should activate LDAPS.


    Our configuration is really simple, single-forest, single-domain, but we would like to measure the impact on production.


    We have some doubts: can they coexist (LDAP and LDAPS)? Do you have any feedback?


    Thanks for your help.

    Thursday, March 9, 2017 5:40 PM

Answers

  • LDAPS uses different ports, 636 and for GC searches 3269, compared to 389 and 3268 for normal LDAP. The other requirement would be having certificates, which means you need to be on top of monitoring the certificate expirations; or better, if your PKI environment has an auto-renewal mechanism, that will be the best option.

    Secondly, the impact you need to be aware of is that you need to have the certificate chain available on the machines that are trying to connect to the LDAP server. Suppose I do not have the certificate chain on my machine and I connect to the LDAP server (domain controller): that would fail as the cert check fails.

    Also be aware of SHA-1 vs SHA-2 and try to go for SHA-2 certificates, as SHA-1 is totally obsolete or unsupported (security issues) now.

    Thursday, March 9, 2017 6:43 PM
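The three points in the answer above (separate ports for LDAP and LDAPS, a chain the client must trust, and the signature algorithm / expiry of the DC certificate) can all be checked from a domain-joined admin workstation before the FortiGate is pointed at port 636. The script below is an added example, not code from the thread; the hostname `dc01.corp.example.com` is an assumption and must be replaced with your own DC's FQDN, which also has to match the CN or SAN on the certificate.

```powershell
# Added example (not from the thread): pre-flight check of a domain controller
# before enabling LDAPS-based password renewal on a FortiGate.
# Assumption: $Dc is a hypothetical DC FQDN; replace it with your own.
param(
    [string]$Dc = 'dc01.corp.example.com'
)

# 1. LDAP and LDAPS coexist on the same DC; they just listen on different ports.
$ports = [ordered]@{ 'LDAP' = 389; 'LDAPS' = 636; 'GC-LDAP' = 3268; 'GC-LDAPS' = 3269 }
foreach ($name in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $Dc -Port $ports[$name] -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'closed' }
    '{0,-9} {1,4}: {2}' -f $name, $ports[$name], $state
}

# 2. Retrieve the certificate the DC presents on 636. The callback returns $true
#    only so the handshake completes; the real trust decision is made below.
$client = New-Object System.Net.Sockets.TcpClient($Dc, 636)
$ssl = New-Object System.Net.Security.SslStream(
    $client.GetStream(), $false,
    { param($sender, $certificate, $chain, $sslPolicyErrors) $true })
$ssl.AuthenticateAsClient($Dc)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$client.Dispose()

# 3. Build the chain against THIS machine's trust store, exactly as an LDAPS
#    client would. A missing intermediate or root shows up in ChainStatus.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' when CRL/OCSP is reachable
$trusted = $chain.Build($cert)

[pscustomobject]@{
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
    SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # want sha256RSA or better, not sha1RSA
    ChainTrusted = $trusted
    ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    SANs         = ($cert.Extensions |
                    Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
                    ForEach-Object { $_.Format($false) })
}
```

If `ChainTrusted` is `False` with a status such as `PartialChain` or `UntrustedRoot`, the workstation is missing the issuing CA chain, which is exactly the failure the FortiGate will hit unless the same CA certificate is imported there. A `sha1RSA` value in `SigAlgorithm` means the DC certificate should be reissued from a SHA-2 template before LDAPS goes into production.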

All replies

  • Hi Jerome,

    yes - they can coexist. There is no expected functionality impact. One potential impact could be performance - more at http://windowsitpro.com/active-directory/q-does-using-ldap-encrypted-ssl-ldaps-change-performance-significantly

    hth
    Marcin


    Thursday, March 9, 2017 6:04 PM
  • Thanks for your help guys!
    Friday, March 10, 2017 10:28 AM