MacMan and Lisa: The Case of the Unsecured Protocol
(Or how to wrap your AD LDAP connection in SSL)
31 August 2003
“Time to go, MacMan,” Lisa said. “The signal just came in.”
“Yes. I saw it, too. Grab your TiBook and hop in the service van.”
“Right behind you, MacMan!”
The dynamic duo raced across the MacCave floor and slipped into the van at the far end. With a loud whooshing sound and a blast of steam the cave doors opened and shot the Ford Escape into the night sky.
The wake vortex of the van left ripples through the clouds as it passed, briefly obscuring the misty glow of the white apple with a bite missing that was projected into the night sky.
“Gosh, MacMan, what do you think we’re going to come up against this time?”
“An unsecured protocol, Lisa. This is one of the most dangerous kinds, too.”
“Great service location protocol directory agents, MacMan, not a directory service protocol?”
“Yes, Lisa. A directory service protocol. Someone at Grannie Smith Industries has left their LDAP connection unsecured. Hundreds of passwords may be passing through their network unprotected as we speak.”
“But, how could anyone be so careless, MacMan? Or is this the work of the evil Willie the Worm?”
“Maybe, Lisa, but it’s more likely that the poor overworked admins down there just haven’t had the time to get around to securing it.”
“Then I’ll put the van into overdrive so we can help them faster!”
The van dropped out of the sky like a 68020 at the entrance to the Granny Smith world headquarters.
“Ah, that must be the local admin, there,” said MacMan.
A smallish man ran from the building to greet the crimefighters as they exited the vehicle.
“Thanks for coming you guys! I’m Nick Service, but you can call me N. S. for short.”
“No problem, N. S. I just hope we’re in time. Take us right to your server room.”
The trio hurried into the building with the rustle of Lisa’s six-colored cape and straight through to the server room.
“Holy deprecated DNS utilities, N. S., lookup at that server’s screen!” Lisa exclaimed. “Your Active Directory server isn’t using port 636. Instead all of your connections are going unencrypted across port 389.”
“Very good, Lisa. I see you’ve been studying /etc/services,” MacMan said.
“But, Lisa. We’re using Kerberos here, why do we care about securing LDAP?” N. S. objected.
“Yes, N. S., you’ve secured the user passwords from being sniffed, but there’s still a lot of user information going across the wire. Plus the password you use to bind to the AD server doesn’t use Kerberos,” Lisa said.
“Golly, Lisa, that sucks!”
“It’s ok, N. S. String us some ethernet over here for Lisa’s laptop and we’ll take care of you.”
“First,” said Lisa, “we’ve got to get an SSL certificate. Do you have one for the server already, N. S.?”
“No, the AD server isn’t accessible from outside the firewall, so we didn’t think we needed one.”
“Not to worry, N. S., we can roll our own. I’ll start by running through the article at www.afp548.com about how to create an ssl certificate authority and a server certificate.”
“Wow, I didn’t know a Microsoft server could handle that type of certificate, Lisa.”
“It can't, N. S.,” Lisa said as she typed on her laptop. “That’s why I need to take the server key and the server certificate that I created by following the article and combine them into a pkcs12 certificate.”
Lisa had just finished creating the CA and server keys so she hurriedly typed out the command to create the AD server’s certificate.
openssl pkcs12 -export -in server.cert -inkey server.key \
-certfile demoCA/cacert.pem -out adserver.p12
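The same steps end to end, as an added example that is not part of the original article or the afp548.com walkthrough it refers to: a private CA, a server certificate for the AD host, the PKCS#12 bundle Windows expects, and the checks a practitioner would run before copying anything to the server. The hostname, export password and working directory are constructed placeholders; set AD_FQDN to the name the Mac clients actually use to reach the AD server, because TLS verification compares that name against the certificate.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a private CA, a
# server certificate and the PKCS#12 bundle for the AD server, then verifies
# the chain. AD_FQDN, P12_PASS and WORK are constructed placeholders.
set -eu

AD_FQDN="${AD_FQDN:-adserver.grannysmith.example}"  # assumed: name clients connect to
P12_PASS="${P12_PASS:-changeit}"                    # placeholder export password
WORK="${WORK:-$(mktemp -d)}"                        # scratch directory for all files

make_ca() {
  # CA private key plus self-signed CA certificate (this is cacert.pem in the article)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Granny Smith Private CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_server_cert() {
  # Server key and signing request; the CN alone is not enough for modern clients,
  # so the SAN is added at signing time via an extension file
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$AD_FQDN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$AD_FQDN" \
    > "$WORK/server.ext"
  # Sign the request with the CA (server.cert in the article)
  openssl x509 -req -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.cert" 2>/dev/null
}

export_p12() {
  # Bundle key, server cert and CA cert the way the article's command does;
  # the password is what the MMC import dialog will ask for
  openssl pkcs12 -export -in "$WORK/server.cert" -inkey "$WORK/server.key" \
    -certfile "$WORK/cacert.pem" -passout "pass:$P12_PASS" \
    -out "$WORK/adserver.p12"
}

verify_chain() {
  # 1. server.cert must chain to cacert.pem (what the Mac clients will check)
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.cert" >/dev/null || return 1
  # 2. the certificate must carry the hostname clients use
  openssl x509 -in "$WORK/server.cert" -noout -text | grep -q "DNS:$AD_FQDN" || return 1
  # 3. the PKCS#12 file must open with the password we will type into Windows
  openssl pkcs12 -in "$WORK/adserver.p12" -passin "pass:$P12_PASS" -noout || return 1
  return 0
}

build_all() {
  make_ca
  make_server_cert
  export_p12
  verify_chain
}

build_all
echo "CA, server certificate and $WORK/adserver.p12 ready; copy adserver.p12 and cacert.pem to the AD server"
```

Two things worth knowing before the import step: OpenSSL 3 writes PKCS#12 files with AES and a SHA-256 MAC by default, which very old Windows releases cannot read, so add `-legacy` to the `pkcs12 -export` line when the target is that old; and once the server is listening on 636, `openssl s_client -connect "$AD_FQDN:636" -CAfile cacert.pem` from a client gives the same verification result the Mac's LDAP client will see, including the hostname mismatch error you get if the SAN and the name in Directory Access disagree.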
Lisa then copied the new adserver.p12 file and the cacert.pem file onto the AD server. Opening up the Management Console, she proceeded to add the Certificates snap-in, being careful to say she wanted to manage the certificates on the local computer. She then selected the Personal subfolder of the Certificates icon. Under the “Action” menu she selected All Tasks -> Import, browsed to the adserver.p12 certificate she had copied over, and typed in the password that secured the server’s key. She then selected to store the certificate in the “Personal” certificate store.
The import went like a flash. Lisa could now see two certificates in her Personal Certificates folder.
“But wait, Lisa. The server doesn’t trust those certificates since we signed them ourselves,” N. S. argued.
“Wait! She’s not done yet, N. S.,” MacMan soothed.
Lisa then selected the “Trusted Root Certification Authorities” folder in the Certificates snap-in. She then went back to the import command and browsed for another certificate to import. Setting the file type to “X.509 Certificate (*.cer,*.crt),” she imported the ca.crt file that was copied over from her laptop.
“Now the server trusts the certificate and Active Directory should be using port 636 and SSL for incoming connections. But, let’s test it with the built-in LDAP browser in Windows 2000 Server.” Lisa said.
“Windows 2000 has a built-in LDAP browser?” N. S. queried.
“Sure. It isn’t real pretty, and it won’t print to a PDF file, but it will do what we need it to. Of course we could do this from the command line on a Mac OS X machine, but I wanted to show you, N. S., that text views aren’t the only way of doing things.”
Lisa then went to the Start menu and selected “Run.” She then entered “ldp.exe” into the field. Up popped a rather ugly window into which Lisa used the “connect” command under the Connection menu to connect over port 636 to the AD server. After a brief moment a bunch of text spewed across the LDAP browser.
“And Bob’s your uncle,” said N. S.
“Now we just have to get the Mac OS X clients to use the certificate. You’ll need to do this on every client machine, but don’t worry—it doesn’t take long.”
Lisa went over to a Mac OS X client machine and opened up the terminal. She copied over the ca.crt file from her laptop and put it in /etc/openldap/. She then used vi (or your favorite text editor) as the root user and added “TLS_CACERT /etc/openldap/ca.crt” to /etc/openldap/ldap.conf.
“And now, for the last touch.”
Lisa opened up Directory Access, selected the LDAPv3 plugin and then enabled the SSL checkbox for the AD configuration.
“Crikey, Lisa, that was easy,” N. S. cried out. “MacMan and Lisa, you’ve saved us all!”
“You see, Lisa,” MacMan said. “We all can learn a lesson here. Even when using Kerberos you’ll still want to secure your LDAP connection to your Active Directory server to keep evil at bay. An unsecured protocol is an unsecured network.”
“Especially since it’s so easy to do with a self-signed SSL certificate,” said N. S.
“Now you’ve got it, N. S.! Well, Lisa, our job here is done, time to go back to the MacCave and download the latest developer release of Panther from the Apple Developer Connection site.”
And with the squeak of a vinyl codpiece the heroes were off into the night.
The end.