What's the Difference Between LDAP and LDAPS?

You may have heard that you need to configure legacy third-party apps to use Secure LDAP instead of clear-text LDAP. Legacy application configurations may still use clear-text LDAP for some directory binds in a local environment. Though these traditional LDAP binds were relatively harmless within the fortified LANs of yesteryear, modern security baselines require encryption of all user credentials in transit to protect against password sniffing and other forms of credential theft. The risk is concrete: in a clear-text LDAP simple bind, the account's DN and password are sent in plain text inside the bind request, so anyone who can see the traffic can read them. And with more remote and hybrid environments, LDAP authentications are more often crossing the public internet, which makes that protection essential rather than optional.

Let's take a closer look at the LDAP protocol, what makes LDAPS and STARTTLS secure, and how to implement a secure authentication process for legacy applications.

LDAP (Lightweight Directory Access Protocol) is sometimes used as a synonym or shorthand for Microsoft Active Directory itself. It is really one of the protocols that many on-prem apps and other resources use to authenticate users against a core directory such as AD or OpenLDAP. However, while much of AD's functionality is built on LDAP, they're not one and the same; in fact, AD authenticates user access far more often with Kerberos (Microsoft's implementation, with its own extensions) than with LDAP.

LDAPS (LDAP over SSL) and STARTTLS (LDAP over TLS) are both secure versions of LDAP that encrypt the authentication process. Both use TLS today (the "SSL" in LDAPS is historical); they differ in where the TLS handshake happens. LDAPS negotiates TLS first, on a dedicated port (636 by default; 3269 for the AD global catalog), and only then exchanges LDAP messages. STARTTLS connects in the clear on the standard port (389), then the client sends the StartTLS extended operation to upgrade the connection to TLS before it binds. (Note that "LDAPS" is often used loosely to cover LDAP over SSL, STARTTLS, and any "Secure LDAP" implementation.) Either way, LDAPS allows for the encryption of LDAP data (which includes user credentials) in transit during any communication with the LDAP server (like a directory bind), thereby protecting against credential theft. LDAPS isn't a fundamentally different protocol: it's the same old LDAP, just packaged differently, the same messages carried inside a TLS session. Two caveats matter in practice. The encryption only protects credentials if the client verifies the server's certificate, which is why the directory's CA certificate has to be distributed to the clients. And a client that falls back to a clear-text bind when the StartTLS upgrade fails is no safer than before, because an attacker on the path can simply interfere with the StartTLS negotiation; configure legacy apps to require TLS and fail closed.

Switching from LDAP to LDAPS involves a close look at your directory service events log, manually identifying and switching the ports that legacy apps are using to bind to the directory, extracting CA (Certificate Authority) certificates to create the secure bind, and continued monitoring. The process can be cumbersome and time consuming, but it's doable, and, now more than ever, mandatory.
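To make the "password sniffing" risk concrete, here is an added example (not code from the original article): it hand-encodes the LDAP simple bind a legacy app sends on port 389 and then parses the password back out of the captured bytes, which is exactly what a passive attacker on the network path can do. The DN, the password and the captured byte stream are constructed for the demo, and the StartTLS request is included to show that it, too, travels in the clear; only what follows a successful upgrade is protected.

```python
"""What a sniffer sees on clear-text LDAP (port 389): the simple bind password.

Added example, not code from the original article. It BER-encodes RFC 4511
LDAPMessages by hand (StartTLS request, simple BindRequest, UnbindRequest) and
recovers the DN and password from the captured client-to-server bytes. The DN,
password and "capture" are constructed for the demo; no directory is contacted.
"""
from typing import List, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

# Constructed demo credentials (not real).
CONSTRUCTED_DN = "CN=svc-legacyapp,OU=Service Accounts,DC=example,DC=com"
CONSTRUCTED_PASSWORD = "Winter2024!"


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x8N + N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (enough for messageIDs)."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, ber_int(message_id) + protocol_op)


def starttls_request(message_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID }: sent in the
    clear on port 389 to ask the server to switch the connection to TLS."""
    return ldap_message(message_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest [APPLICATION 0] { version 3, name LDAPDN, simple [0] OCTET STRING }.
    Without TLS the password goes on the wire exactly as typed."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(message_id, tlv(0x60, body))


def unbind_request(message_id: int) -> bytes:
    """UnbindRequest [APPLICATION 2] NULL."""
    return ldap_message(message_id, tlv(0x42, b""))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_binds(stream: bytes) -> List[Tuple[int, str, str]]:
    """Walk a captured clear-text LDAP stream and return (messageID, DN, password)
    for every simple bind in it; other operations are skipped."""
    found, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = read_tlv(stream, pos)
        if tag != 0x30:
            break  # not an LDAPMessage: stop instead of guessing at framing
        _, mid, p = read_tlv(msg, 0)
        op_tag, op, _ = read_tlv(msg, p)
        if op_tag != 0x60:
            continue  # StartTLS, search, unbind, ...: no credentials here
        _, _version, p = read_tlv(op, 0)
        _, dn, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)
        if auth_tag == 0x80:  # AuthenticationChoice.simple
            found.append((int.from_bytes(mid, "big", signed=True), dn.decode(), cred.decode()))
    return found


# Constructed capture (client-to-server direction only): a client that asked for
# StartTLS but, configured to fall back, bound in clear text anyway (message 2).
# Had the upgrade succeeded, everything after message 1 would be TLS records and
# the sniffer would recover nothing.
CAPTURED_CLEAR_TEXT = (
    starttls_request(1)
    + simple_bind_request(2, CONSTRUCTED_DN, CONSTRUCTED_PASSWORD)
    + unbind_request(3)
)

if __name__ == "__main__":
    for mid, dn, pw in sniff_simple_binds(CAPTURED_CLEAR_TEXT):
        print(f"message {mid}: bind as {dn!r} with password {pw!r}")
```

The same bytes are what LDAPS or a completed StartTLS upgrade would wrap in TLS; the protocol inside does not change, only whether the bind request is readable on the wire.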
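For the event-log step of the migration described above, an added example (not from the original article) that turns Directory Service event 2889 entries into a list of clients still binding in clear text or without signing. A domain controller logs event 2889 once the "16 LDAP Interface Events" diagnostic value is set to 2; the sample messages here are constructed to follow that event's layout, so check the wording against your own domain controllers before running the regex over real exports.

```python
"""Inventory clear-text and unsigned LDAP binds from Directory Service event 2889.

Added example, not from the original article. A domain controller logs event 2889
for each such bind once the registry value "16 LDAP Interface Events" under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Diagnostics is set to 2. The sample
events below are constructed to mirror that event's layout (client IP:port,
identity, binding type); confirm the wording on real DCs before trusting the regex.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Binding Type field of event 2889: 0 = simple bind over clear text,
# 1 = SASL (Negotiate/Kerberos/NTLM/Digest) bind without signing.
BINDING_TYPE = {"0": "simple bind, clear text", "1": "SASL bind, unsigned"}

EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>\S+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>.+?)\s*"
    r"Binding Type:\s*(?P<btype>\d+)",
    re.S,
)

_HEADER = (
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind "
    "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
)


def _constructed_event(ip_port: str, identity: str, btype: str) -> str:
    """Build one constructed 2889 message body for the demo."""
    return (_HEADER + f"Client IP address:\n{ip_port}\n"
            f"Identity the client attempted to authenticate as:\n{identity}\n"
            f"Binding Type:\n{btype}")


# Constructed sample: two clear-text simple binds from one legacy app server and
# one unsigned SASL bind from a workstation.
SAMPLE_EVENTS = [
    _constructed_event("10.20.5.17:49233", "EXAMPLE\\svc-legacyapp", "0"),
    _constructed_event("10.20.5.17:49871", "EXAMPLE\\svc-legacyapp", "0"),
    _constructed_event("10.20.7.4:51002", "EXAMPLE\\jdoe", "1"),
]


def parse_event_2889(message: str) -> Optional[Dict[str, object]]:
    """Extract client address, identity and binding type; None if not a 2889 body."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    return {
        "client_ip": m["ip"],
        "client_port": int(m["port"]),
        "identity": m["identity"].strip(),
        "binding_type": BINDING_TYPE.get(m["btype"], f"unknown ({m['btype']})"),
    }


def inventory(messages: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count binds per (client IP, identity, binding type). The ephemeral source
    port is dropped because it changes on every bind; each remaining row is one
    application or host to move to LDAPS/StartTLS (or to signing) and re-check."""
    counts: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for msg in messages:
        ev = parse_event_2889(msg)
        if ev:
            counts[(ev["client_ip"], ev["identity"], ev["binding_type"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, who, how), n in sorted(inventory(SAMPLE_EVENTS).items()):
        print(f"{ip:<16} {who:<24} {how:<26} {n} bind(s)")
```

Run the inventory again after each application is reconfigured; a row that keeps appearing is a client that is still falling back to a clear-text bind, which is the "continued monitoring" part of the migration.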