Network Security: LDAP Signing Requirements for Clients
This security policy reference topic for IT professionals describes the best practices, location, values, policy administration, and security considerations for this policy setting. It applies to computers running Windows Server 2008 or later.
What does LDAP stand for?
LDAP stands for Lightweight Directory Access Protocol.
What does the LDAP Signing Requirements for Clients policy do?
The LDAP Signing Requirements for Clients policy lets you configure the requirements for signing and encryption of Lightweight Directory Access Protocol (LDAP) messages. When you enable this policy setting, clients must use strong LDAP signing and encryption, even when they send LDAP messages to domain controllers in Active Directory domains that have a functional level of Windows Server 2003 or higher. This policy setting affects the following LDAP operations:
LDAP bind operations (search, add, modify, and delete) that are sent over the TCP/IP protocol.
LDAP protocol extensions (operations not specified in RFC 2713) that are sent over the TCP/IP protocol.
SMB bind operations that are sent over the TCP/IP protocol. This includes operations specified in RFC 2549, such as creating and deleting user objects and modifying user objects by using an OID in the modify DN attribute. This policy setting does not apply to SMB bind operations specified in RFC 1777, such as creating user objects by using a GUID or SID in the modify DN attribute, or modifying user objects by using a GUID or SID in the modify DN attribute.
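As an added example (not part of the original topic), the following PowerShell audits a client's configured LDAP signing requirement and reports whether it is at the strong level the policy describes, with a helper to enforce it. The registry path HKLM\SYSTEM\CurrentControlSet\Services\LDAP, the LDAPClientIntegrity value and its 0/1/2 meanings are assumed from Windows documentation and are not stated on this page.

```powershell
# Added example: audit and optionally enforce the client-side LDAP signing requirement.
# Assumption (not stated on the page): the client signing policy is backed by the registry value
#   HKLM\SYSTEM\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
# with 0 = None, 1 = Negotiate signing (documented default), 2 = Require signing.
$LdapKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$ValueName = 'LDAPClientIntegrity'
$Levels    = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

function Get-LdapClientSigningLevel {
    # Read the raw DWORD; an absent value means the platform default (Negotiate signing).
    $item = Get-ItemProperty -Path $LdapKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.$ValueName
}

function Test-LdapClientSigning {
    # Summarise the current state; only 'Require signing' counts as compliant.
    $level = Get-LdapClientSigningLevel
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Level     = $level
        Meaning   = if ($Levels.ContainsKey($level)) { $Levels[$level] } else { "Unknown ($level)" }
        Compliant = ($level -eq 2)
    }
}

function Set-LdapClientSigningRequired {
    # Writes the strong setting locally; a Group Policy that manages this setting will
    # overwrite it on the next refresh, so prefer configuring the GPO in a domain.
    if (-not (Test-Path $LdapKey)) { New-Item -Path $LdapKey -Force | Out-Null }
    Set-ItemProperty -Path $LdapKey -Name $ValueName -Value 2 -Type DWord
}

$state = Test-LdapClientSigning
$state | Format-List
if (-not $state.Compliant) {
    Write-Warning "LDAP client signing is '$($state.Meaning)'; run Set-LdapClientSigningRequired (elevated) to require signing."
}
```

Run the script in an elevated session when you intend to change the value; reading it requires no special rights.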
What is LDAP signing?
When you sign an LDAP message, you can use simple password-based authentication or a digital signature certificate issued by a Certification Authority (CA). With simple password-based authentication, you authenticate yourself to the server by providing a valid domain account name and password.
When you use a digital signature certificate, you authenticate yourself to a server by providing the certificate’s hash value, which is calculated from information encoded into the certificate (for example, your distinguished name). The signer’s public key is used to verify that the message was created with the matching private key.
What is LDAP encryption?
When you encrypt an LDAP message, you can use simple password-based authentication or a digital certificate issued by a Certification Authority (CA). Simple password-based authentication is the same type of authentication that is used for signing messages: the user’s domain account name and password authenticate the user to the server when the encrypted message is sent. When you use digital certificate-based encryption, you authenticate yourself to a domain controller by providing a valid digital signature certificate. The signature key from your certificate is used to encrypt your message, and the recipient uses your public key to decrypt the message after verifying the signature.