14.2. Encrypting LDAP Traffic with SSL, TLS, or Signing
Problem
You want to encrypt LDAP traffic using SSL, TLS, or signing.
Solution
Using a graphical user interface
Most of the GUI-based tools on a Windows Server 2003, Windows XP, or Windows 2000 SP 3 machine automatically sign and encrypt traffic between the server and client. This includes the following tools:
Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Schema
Active Directory Users and Computers
ADSI Edit
Group Policy Management Console
Object Picker
Also with ADSI Edit, you can specify the port number to use when browsing a partition. View the Settings for a connection by right-clicking on the partition and selecting Settings. Click the Advanced button and enter 636 for LDAP over SSL or 3269 for the global catalog over SSL.
The Windows Server 2003 version of LDP supports encryption using the StartTLS and StopTLS operations, which are available from the Options → TLS menu. With the Windows 2000 version, you can use SSL by going to Connection → Connect and entering 636 or 3269 for the port.
Using a command-line interface
The DS command-line tools support LDAP signing and encryption when
run from Windows Server 2003 or Windows XP against a Windows 2000 SP3
or Windows Server 2003 domain controller. This includes
dsadd
, dsmod
,
dsrm
, dsmove
,
dsget
, and dsquery
.
Using VBScript
' This code shows how to enable SSL and secure authentication using ADSI ADS_SECURE_AUTHENTICATION = 1 ADS_USE_SSL = 2 set objLDAP ...
Get Active Directory Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.