I have recently set up LDAP as my Unknown User Policy database. It works well thanks to the 4.2 Build 24 Patch 12 update (we were running no patches before). However, when I did a packet sniff, I noticed that my password was being sent in the clear. I was under the impression that with Kerberos on LDAP and the ACS policies, we would be secured, but I am guessing I missed something.
Can anyone tell me what I need to do on ACS or the LDAP server to get the passwords transmitted in a secure manner?
Though Kerberos is secure, we can't link it with ACS here because ACS doesn't support the Kerberos protocol.
LDAP communicates in plain text between the ACS server and the LDAP directory. You can configure this connection to use Secure Socket Layer (SSL) if a certificate has been obtained.
That is the way it is designed. Please check the LDAP RFC; here is the snippet from the RFC:
When used with a connection-oriented transport, this version of the protocol provides facilities for the LDAP v2 authentication mechanism, simple authentication using a cleartext password, as well as any SASL mechanism. SASL allows for integrity and privacy services to be negotiated.
You can use Secure LDAP in case you are looking for security.
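The exposure described in the question and in the RFC snippet above, as an added example that is not from any poster in this thread: a minimal BER decoder for an LDAP BindRequest that tells a simple bind (password carried as a cleartext OCTET STRING on 389, or 3268 for an AD global catalog) apart from a SASL bind. The captured bytes are constructed inside the block; the DN and password are made up.

```python
"""Spot cleartext LDAP simple binds in a captured TCP payload (constructed sample)."""


def ber_len(n: int) -> bytes:
    # Encode a BER definite length (short form below 128, long form above).
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    # One BER tag-length-value element.
    return bytes([tag]) + ber_len(len(body)) + body


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] {
    #     version 3, name, simple [0] OCTET STRING } }  (RFC 2251 syntax)
    bind = tlv(0x02, bytes([3])) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def build_sasl_bind(msg_id: int, dn: str, mechanism: str) -> bytes:
    # Same message with authentication = sasl [3] { mechanism OCTET STRING }.
    bind = tlv(0x02, bytes([3])) + tlv(0x04, dn.encode()) + tlv(0xA3, tlv(0x04, mechanism.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(payload: bytes) -> dict:
    """Decode an LDAP message; report whether it is a bind and how it authenticates."""
    if len(payload) < 2 or payload[0] != 0x30:
        return {"ldap": False}
    _, msg, _ = read_tlv(payload, 0)
    _, msg_id, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:  # not a BindRequest
        return {"ldap": True, "bind": False}
    _, version, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    result = {"ldap": True, "bind": True, "message_id": int.from_bytes(msg_id, "big"),
              "version": version[0], "dn": dn.decode()}
    if auth_tag == 0x80:
        # simple authentication: the password is right here, readable by any sniffer
        result["auth"] = "simple"
        result["cleartext_password"] = auth.decode()
    elif auth_tag == 0xA3:
        _, mech, _ = read_tlv(auth, 0)
        result["auth"] = "sasl/" + mech.decode()
    else:
        result["auth"] = "unknown"
    return result


def cleartext_bind_alerts(payloads) -> list:
    """Defender view: DNs that authenticated with a cleartext simple bind."""
    return [r["dn"] for r in map(inspect_bind, payloads) if r.get("auth") == "simple"]


# Constructed sample traffic (made-up DN and password, not from the thread).
CAPTURED_SIMPLE = build_simple_bind(1, "cn=acs,dc=example,dc=com", "Secret123")
CAPTURED_SASL = build_sasl_bind(2, "", "GSSAPI")

if __name__ == "__main__":
    print(inspect_bind(CAPTURED_SIMPLE))
    print(inspect_bind(CAPTURED_SASL))
    print("cleartext binds from:", cleartext_bind_alerts([CAPTURED_SIMPLE, CAPTURED_SASL]))
```

Running the decoder over a capture of the plain port shows exactly what the original poster saw: the bind DN and password as readable bytes. Over LDAPS the same message is inside the TLS record layer and the decoder sees no `0x30` LDAP message at all, which is the point of enabling SSL on the ACS side.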
So I can use a certificate or Secure LDAP? I am guessing if I use a certificate, I will need to install it on the LDAP server as well as the ACS appliance? I will read up a little more on the Secure LDAP. I hope that will be the answer.
Cert7.db needs to be created for an LDAP database using Netscape Navigator; for that you need to contact your LDAP Administrator.
Here's a documentation link that explains how to get an SSL connection between ACS and LDAP; we need to get cert7.db by installing Netscape:
NOTE: The preferred way to generate cert7.db is to use the Netscape browser, as it is the only tested way.
Please note that the certificate DB path is required. To install a Cert7.db file with the correct certificates, the following is required.
We need to use Netscape 4.x (up to 4.8) for creating cert7.db. More recent versions may not be compatible.
1. Set up the LDAP server with a certificate.
2. Install Netscape 4.x (this creates the cert7.db file, which is just a database of certs).
3. Browse to https://servername:Ldap-port with the Netscape browser.
4. Install the certificate, selecting the option "accept this certificate".
5. Copy the cert7.db file to another directory (like the ACS folder). The default location of the cert7.db file is C:\Program
6. Now just enter the path to the cert7.db file in the "Certificate DB Path" field in the configuration for your LDAP DB in ACS.
TIP: cert7.db from OpenSSL etc. will not work.
In addition to JG's update, you may refer to:
You might need to reboot your ACS server after installing cert7.db (observed in some cases).
Question: What LDAP server do we have here?
ACS only supports server-side authentication for SSL communication with the LDAP server.
On the ACS server you only need the Root CA certificate: the CA that issued the certificate to the LDAP server for SSL communication. This is easy to determine; you only need to look up the "Issued By" field on the certificate.
Other than that, the password is secure between the client and the ACS server (RADIUS/TACACS+). With SSL between ACS and LDAP it's secure at the backend too.
"Security-ACS uses SSL to encrypt communication between ACS and the LDAP server. If you do not enable SSL, user credentials are passed to the LDAP server in clear text. If you select this option, then you must select Trusted Root CA or Certificate Database Path. ACS supports only server-side authentication for SSL communication with the LDAP server. Solution Engine only: You must be sure that the Port box contains the port number used for SSL on the LDAP server."
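The "Issued By" check described above, as an added example that is not from any poster or from Cisco's documentation: a throwaway root CA and an LDAP server certificate are generated with OpenSSL, then the server certificate's issuer is read and the chain is verified against the root alone, which is what a trust anchor configured on ACS has to satisfy. The host name is a placeholder; everything runs locally with no LDAP server involved.

```sh
#!/bin/sh
# Constructed demo: verify that an LDAP server certificate chains to the root CA
# you intend to trust on the ACS side. Nothing here is a real server or real CA.
set -e

WORK=$(mktemp -d)
LDAP_HOST="ldap.example.internal"   # placeholder LDAP/AD server name

make_root_ca() {
  # Self-signed root: this is the single certificate ACS needs as Trusted Root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_server_cert() {
  # Server key and CSR, then a certificate signed by the root (the LDAP server's cert).
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$LDAP_HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

server_issuer() {
  # The "Issued By" field: names the root CA that must be installed on ACS.
  # Output format differs between OpenSSL versions ("CN = ..." vs "/CN=...").
  openssl x509 -noout -issuer -in "$WORK/server.crt" | sed 's/^issuer=//'
}

verify_against_root() {
  # Does the server cert chain to the given trust anchor and nothing else?
  # Prints OK or FAIL so the result can be checked by a caller.
  if openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

make_root_ca
make_server_cert
echo "Issued By: $(server_issuer)"
echo "chain to root CA:        $(verify_against_root "$WORK/ca.crt")"
# Wrong trust anchor (the server cert itself) must fail, just as a mismatched
# CA configured on ACS would.
echo "chain to wrong anchor:   $(verify_against_root "$WORK/server.crt")"
# Files are left in $WORK for inspection.
```

If the real server's issuer is an intermediate CA rather than the root, the verification above fails unless the intermediate is also presented or trusted, which is the first thing to check when an LDAPS port such as 3269 works in plain mode but not with SSL enabled.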
Prem, JG and others,
Thank you for your inputs. Now I am confused. As I set up the cert on the ACS server, I use our root CA server. How do I tell if it is good or not? I also have configured the ACS LDAP External Database configuration to use TCP port 3269 and have checked to use the CA server. Do I need to set anything else up? I am pretty sure I do, since this config does not work. However, when I set it back to not be secure and use port 3268, it works like a champ, but passwords are sent in the clear.