I've implemented 3rd party certs on DCs for precisely this reason (LDAP over SSL). The process was a little convoluted but it works :)
 
I don't follow the chaining issue - the DC merely needs to trust the PKI infra which issued the cert.
 
 
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: 05 July 2006 22:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP over SSL

If you are able to deploy a stand-alone CA, then you should be able to deploy an enterprise one. One CA can be a Root/Policy/Issuing CA at the same time, and the big reason to want a stand-alone Root CA is for additional security. But if all you are looking to do with your certs is to protect LDAP traffic, I don't see why you can't have one properly-secured server in the forest do that for you.
 
I don't recommend a third-party cert for DCs. You will be requiring your DCs to chain up to an external authority for internal communications.
 

Sincerely,
   _____                               
  (, /  |  /)               /)     /)  
    /---| (/_  ______   ___// _   //  _
 ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)     
                               (/      
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com 
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: John Singler
Sent: Wed 7/5/2006 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP over SSL

Greetings,

Environment:  Single forest, single domain, 3 DCs, DC1 holds all FSMO 
roles, all DCs are GCs, BIND DNS.  All DCs w2k3 SP1, FFL/DFL are w2k3.

We are investigating, in the lab, migrating some Java apps to use AD for 
auth (using the Java LDAP libraries that support SSL).

We do not currently run a CA.

Can I install a stand-alone CA, request a cert and install it on the 
DCs? Or does it need to be an Ent. CA?

Also, if using 3rd party certs do I need one for *each* DC?  I'm fairly 
certain that the answer is "yes" .. just checking.

Also also, if anyone has figured out a way to use OpenSSL to generate a 
proper self-signed cert for a DC I'd love to hear it (I've used these for 
IIS following http://eal.us/blog/_archives/2003/6/2/25109.html ).

tia,

john
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
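An added example, not code from any message in this thread: it builds a small internal root CA with OpenSSL, issues a leaf certificate carrying the two things a DC's LDAPS listener needs from its cert (the Server Authentication EKU and the DC's FQDN in the subjectAltName), and then runs the chain check that Neil's and Deji's replies are about, i.e. the cert validates only against a trust file that contains the CA which issued it. It assumes `openssl` 1.1.1 or later is on PATH; the host name `dc1.lab.example`, the CA name and the `make_dc_cert` / `verify_chain` / `show_dc_extensions` function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from any message in this thread.
# Builds an internal root CA, issues a DC leaf certificate with the LDAPS-relevant
# extensions (serverAuth EKU, DC FQDN in the SAN), and verifies the chain.
# Assumptions: openssl 1.1.1+ on PATH; "dc1.lab.example" is a constructed placeholder.
set -e

DC_FQDN="${DC_FQDN:-dc1.lab.example}"   # constructed placeholder; use the DC's real FQDN
WORK="${WORK:-$(mktemp -d)}"            # scratch directory for keys and certs

# Issue the CA and the DC certificate; prints the path of the DC certificate.
make_dc_cert() {
  # Self-contained OpenSSL configs so the run does not depend on the system openssl.cnf.
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Lab Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$WORK/dc.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $DC_FQDN
[v3_dc]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$DC_FQDN
subjectKeyIdentifier = hash
EOF
  # 1. Internal root CA (self-signed). In production the CA key never lives on a DC.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # 2. Key and CSR for the DC.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/dc.cnf" -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
  # 3. Sign the CSR with the CA, attaching the DC-specific extensions from [v3_dc].
  openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/dc.cnf" -extensions v3_dc \
    -out "$WORK/dc.pem" 2>/dev/null
  echo "$WORK/dc.pem"
}

# Exit 0 only if CERT chains to a CA in TRUST_FILE. This is the "trust the PKI that
# issued the cert" requirement: both the DC and its LDAPS clients must pass it.
verify_chain() {
  trust_file="$1"; cert="$2"
  openssl verify -CAfile "$trust_file" "$cert" >/dev/null 2>&1
}

# Print the EKU and SAN values so the DC-specific extensions can be checked by eye.
show_dc_extensions() {
  openssl x509 -in "$1" -noout -text | grep -E 'TLS Web Server Authentication|DNS:'
}
```

Usage: `CERT=$(make_dc_cert); verify_chain "$WORK/ca.pem" "$CERT" && show_dc_extensions "$CERT"`. The same `verify_chain` run with a trust file that does not contain the issuing CA fails, which is the situation a DC ends up in when it is handed a cert from an authority it has not been told to trust; installing the CA certificate in the trusted root store is what closes that gap, whether the CA is internal or a third party.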
