SSL – How important is LDAP over SSL with Active Directory

Tags: active-directory, ssl

I set out to integrate Active Directory with the iDRAC LOM for our Dell servers. One of the prerequisites is that the Domain Controllers be SSL enabled for LDAP communication. The setup process in iDRAC says "Upload Active Directory CA Certificate". So I log in to one of our DCs, go to its personal certificate store, and it's empty. Up until today I've always assumed that our domain services were using SSL (I wasn't the one who set up the domain). I've never set it up before myself, and I'm not too familiar with the ins and outs, so the only way I know to check whether we're using SSL or not is to use Wireshark on the DC and capture packets. Capturing on port 636 yielded nothing while capturing on 389 gave me all sorts of data. So at this point I'm pretty sure we're not using SSL.

So my question is, how important is it that the directory information that is transmitted back and forth be encrypted? I'm assuming that if there were an immediate risk over it not being encrypted no matter what your domain is like (whether the company is big or small with varying levels of security rules), that Microsoft would have just forced the SSL.

Obviously I would like to have AD integration with the LOM on my Dell servers, but I have some work to do before implementing it. A couple of questions I would like answers to are:

  1. What risks should I be aware of that we're facing by not using SSL?
  2. If I follow one of the million guides on the internet to enable SSL, will it interrupt current service? Or will I be able to do it and the client machines will somehow be informed to use SSL automatically?
  3. I have two DCs running a single domain as domain.local. Since it's an "internal" TLD, I'm guessing I'll need to set this up using an internal CA and not a third party?
  4. Based off the answer to #1, would you say it's safe to stay off of SSL? What would you feel is the ratio of benefit to effort involved in getting converted to SSL?

Best Answer

What risks should I be aware of that we're facing by not using SSL?

Requests by domain members will use SASL (see: LDAP Security Model section in this doc)

Requests not from a domain member or a client able to use SASL can be intercepted. Internally, this may not be that big of a deal since you probably have a switched network and good control of your physical infrastructure.

If I follow one of the million guides on the internet to enable SSL, will it interrupt current service? Or will I be able to do it and the client machines will somehow be informed to use SSL automatically?

It should not interrupt current service. Some clients (like your Dell LOM) will need configuration to use the SSL port, if they are currently working and you want to enable SSL. You shouldn't have to do anything on your Windows servers/workstations.

I have two DCs running a single domain as domain.local. Since it's an "internal" TLD, I'm guessing I'll need to set this up using an internal CA and not a third party?

You can do either; you can even use a self-signed certificate. Some clients won't like a self-signed certificate, but your DRAC probably would be fine with one.

Setting up an enterprise CA is relatively easy, but it should really be on a box/vm just for this purpose. Can you afford a spare Windows license?

You could also run an OpenSSL CA, you could run one from a USB flash drive pretty easily. If you are familiar with Linux, then setting up an Ubuntu box/vm/usb device running tinyca should only take a couple hours.

Based off the answer to #1, would you say it's safe to stay off of SSL? What would you feel is the ratio of benefit to effort involved in getting converted to SSL?

  • If you don't trust your physical infrastructure, then you should probably enable SSL.
  • If you have a very small number of servers, then it may not be worth the effort.
  • You may be able to mitigate the risk using IPsec or some VPN to encrypt the LDAP.
  • As Evan mentioned in a comment, the DRAC LOM is basically providing physical access, so you should strongly consider setting up SSL to protect you from a MITM.
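A way to answer the "are we actually using SSL?" question from the post without Wireshark, and to see what a DC presents on 636 before pointing the iDRAC at it. This is an added example, not code from the original question or answer; it assumes a domain-joined Windows client with PowerShell 4 or later, and `dc1.domain.local` is a placeholder for your DC's FQDN.

```powershell
$Dc = 'dc1.domain.local'   # placeholder DC FQDN (assumption, not from the page)

# 1. Does anything listen on 636 at all? The same check the OP did with Wireshark.
$tcp = Test-NetConnection -ComputerName $Dc -Port 636 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "$Dc does not accept connections on 636; LDAPS is not enabled there."
    return
}

# 2. Complete a TLS handshake and read the certificate the DC presents.
#    The callback accepts any certificate because we only want to inspect it here.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$client = New-Object System.Net.Sockets.TcpClient($Dc, 636)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($Dc)
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$client.Close()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
if ($san) { "SANs    : $($san.Format($false))" } else { "SANs    : none" }

# 3. Does this machine trust the chain? A self-signed or internal-CA certificate fails here
#    until the issuing CA is in the client's Trusted Root store (the same CA cert the iDRAC wants).
if ($cert.Verify()) { "Chain   : trusted by this machine" }
else { Write-Warning "Chain NOT trusted by this machine (self-signed or unknown CA)" }

# 4. Does a real LDAPS bind work? Bind() with no arguments uses the current user's credentials.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
try     { $conn.Bind(); "Bind    : LDAPS bind to ${Dc}:636 succeeded" }
catch   { Write-Warning "LDAPS bind failed: $($_.Exception.Message)" }
finally { $conn.Dispose() }
```

Run it against each DC: step 1 failing confirms the plain-389 situation described in the question, and a step 3 warning on a working LDAPS DC tells you which CA certificate the iDRAC (and any non-domain client) will need to be given.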