Best practice to me would seem to be to enable both:

- Require TLS for Simple Binds with Password (on the LDAP Group
object)
- Require TLS For All Operations (on the LDAP Server object)


The latter is needed because the contextual Help in iManager
states: "it is possible for an eDirectory username and password to be
captured during a failed bind attempt". To protect against this
scenario, make sure the Require TLS For All Operations option is
selected on the LDAP Server object.

Despite what would appear to be best practice, I have seen much advice in
the forums about turning off these settings so that things work. Even
other documentation, such as that from security vendors, specifies
turning off these settings. For example, from

Watchguard: http://tinyurl.com/2fyxm7n

> "WatchGuard LDAP authentication does not support LDAP over TLS."

Further down at that URL they document *Configure the Novell LDAP
Server*, where both LDAP TLS settings are to be disabled. So much for
security.

I think that over a VPN or SSL connection these LDAP TLS settings may
not matter, but what about normal LAN traffic for products that use eDir,
such as the Novell Client logon or the GroupWise client (I think GW
has its own built-in encryption, so maybe a moot point)?

IF USERS LOGON WITH THE NOVELL CLIENT, CAN THEIR PASSWORDS BE CAPTURED IF
BOTH THESE TLS SETTINGS (AT START OF POST) ARE NOT ENABLED? IN
PARTICULAR, IF USING THE NOVELL CLIENT WITH LDAP CONTEXTLESS LOGIN, AND
USING THE "_UNENCRYPTED_DATA_" OPTION UNDER SERVER PROPERTIES, WILL THE
CONNECTION USE TLS IF "REQUIRE TLS FOR SIMPLE BINDS WITH PASSWORD" (ON
THE LDAP GROUP OBJECT) IS ENABLED?

What are others doing in this regard on their network? TLS or no TLS?


--
gordon_mzano
------------------------------------------------------------------------
gordon_mzano's Profile: https://forums.netiq.com/member.php?userid=5040
View this thread: https://forums.netiq.com/showthread.php?t=47770
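Added illustration, not part of the post above and not Novell/NetIQ or WatchGuard code: a small Python model of what a passive sniffer on the LAN recovers from an LDAP session on port 389 when the TLS requirements are off. It hand-encodes LDAPv3 PDUs with the BER tags from RFC 4511 (BindRequest is [APPLICATION 0], BindResponse [APPLICATION 1], the StartTLS ExtendedRequest [APPLICATION 23] carries OID 1.3.6.1.4.1.1466.20037) and then scans a constructed "capture". The DN, passwords and message ordering are made up; the point it demonstrates is the one the iManager help makes: a simple bind puts the password on the wire before the server answers, so a bind that fails with invalidCredentials (resultCode 49) has already leaked it, and only a StartTLS before the bind keeps it out of the capture.

```python
"""Model of cleartext LDAP simple binds as seen by a passive observer.

Constructed example, not captured traffic.  Encoder/decoder cover only the
LDAPv3 (RFC 4511) messages needed here: BindRequest, BindResponse and the
StartTLS ExtendedRequest.
"""

# BER tags used by LDAPv3 (RFC 4511, Appendix B)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60       # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61      # [APPLICATION 1], constructed
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_SIMPLE_AUTH = 0x80        # AuthenticationChoice: simple [0] OCTET STRING
TAG_EXT_REQUEST_NAME = 0x80   # ExtendedRequest: requestName [0]
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
RESULT_INVALID_CREDENTIALS = 49


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(tag: int, value: int) -> bytes:
    # Non-negative values only (message IDs, version, result codes); a leading
    # zero byte is added when the high bit is set so the integer stays positive.
    return _tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    bind = _tlv(TAG_BIND_REQUEST, _int(TAG_INTEGER, 3)
                + _tlv(TAG_OCTET_STRING, dn.encode())
                + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _int(TAG_INTEGER, msg_id) + bind)


def build_bind_response(msg_id: int, result_code: int) -> bytes:
    # LDAPResult: resultCode, matchedDN, diagnosticMessage (both empty here)
    resp = _tlv(TAG_BIND_RESPONSE, _int(TAG_ENUMERATED, result_code)
                + _tlv(TAG_OCTET_STRING, b"") + _tlv(TAG_OCTET_STRING, b""))
    return _tlv(TAG_SEQUENCE, _int(TAG_INTEGER, msg_id) + resp)


def build_starttls_request(msg_id: int) -> bytes:
    ext = _tlv(TAG_EXTENDED_REQUEST, _tlv(TAG_EXT_REQUEST_NAME, STARTTLS_OID))
    return _tlv(TAG_SEQUENCE, _int(TAG_INTEGER, msg_id) + ext)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_pdu(pdu: bytes) -> dict:
    """Describe one LDAPMessage the way a cleartext observer can read it."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        return {"kind": "not-ldap"}
    _, msg_id_bytes, pos = _read_tlv(msg, 0)
    msg_id = int.from_bytes(msg_id_bytes, "big")
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag == TAG_BIND_REQUEST:
        _, _, p = _read_tlv(op, 0)          # version
        _, dn, p = _read_tlv(op, p)         # name (LDAPDN)
        auth_tag, auth, _ = _read_tlv(op, p)
        if auth_tag == TAG_SIMPLE_AUTH:     # password is right there in the PDU
            return {"kind": "simple-bind", "id": msg_id,
                    "dn": dn.decode(), "password": auth.decode()}
        return {"kind": "sasl-bind", "id": msg_id, "dn": dn.decode()}
    if op_tag == TAG_BIND_RESPONSE:
        _, code, _ = _read_tlv(op, 0)
        return {"kind": "bind-response", "id": msg_id,
                "result": int.from_bytes(code, "big")}
    if op_tag == TAG_EXTENDED_REQUEST:
        name_tag, name, _ = _read_tlv(op, 0)
        if name_tag == TAG_EXT_REQUEST_NAME and name == STARTTLS_OID:
            return {"kind": "starttls", "id": msg_id}
        return {"kind": "extended", "id": msg_id}
    return {"kind": "other", "id": msg_id}


def exposed_credentials(pdus) -> list:
    """(dn, password, resultCode) tuples a sniffer recovers from the stream.

    Everything before a StartTLS request is readable; from there on the
    session is assumed encrypted, so scanning stops.  A bind the server
    rejects still counts: the password was sent before the rejection.
    """
    found, pending = [], {}
    for pdu in pdus:
        info = classify_pdu(pdu)
        if info["kind"] == "starttls":
            break
        if info["kind"] == "simple-bind":
            pending[info["id"]] = info
        elif info["kind"] == "bind-response" and info["id"] in pending:
            b = pending.pop(info["id"])
            found.append((b["dn"], b["password"], info["result"]))
    found.extend((b["dn"], b["password"], None) for b in pending.values())
    return found


# Constructed captures (made-up DN and passwords).  Cleartext: a mistyped
# password is rejected with invalidCredentials, then the retry succeeds.
SAMPLE_CLEARTEXT_STREAM = [
    build_simple_bind(1, "cn=gordon,ou=users,o=example", "Wr0ngPass!"),
    build_bind_response(1, RESULT_INVALID_CREDENTIALS),
    build_simple_bind(2, "cn=gordon,ou=users,o=example", "R1ghtPass!"),
    build_bind_response(2, 0),
]
# Same client when the server insists on TLS for simple binds: StartTLS first.
SAMPLE_STARTTLS_STREAM = [
    build_starttls_request(1),
    build_simple_bind(2, "cn=gordon,ou=users,o=example", "R1ghtPass!"),
    build_bind_response(2, 0),
]

if __name__ == "__main__":
    for dn, pw, rc in exposed_credentials(SAMPLE_CLEARTEXT_STREAM):
        print(f"leaked: {dn} / {pw} (resultCode={rc})")
    print("after StartTLS:", exposed_credentials(SAMPLE_STARTTLS_STREAM))
```

Running it lists both passwords from the cleartext stream, the rejected one included, and nothing from the StartTLS stream. Against a real server the equivalent check is a plain `ldapsearch -x -H ldap://server -D "cn=user,..." -w secret` on port 389 while capturing on the wire: if the bind is accepted and the password is visible in the capture, the "Require TLS for Simple Binds with Password" setting is not in effect for that path.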