HCMay wrote:
Newbie here. I have searched through the forum but need additional assistance with understanding how to secure the authentication process.
I am in the midst of an audit to get PCI accreditation based on version 3.0 (https://www.pcisecuritystandards.org/do ... DSS_v3.pdf) and am struggling to respond to requirement #8.2.1 for secure authentication during transmission. I have searched this forum, located the thread "Authentication Quick List / Cheat Sheet", and successfully authenticated with our Microsoft 2012 AD.
The challenge is that this configuration uses the unsecured LDAP port 389, which the auditor has indicated will not meet this requirement. I shared the configuration setting showing that it utilizes SASL GSSAPI to secure the communication. The auditor saw in the configuration file that TLS is set to NO. I changed that to yes and received an error that the servers did not support TLS. I have validated that TLS is enabled on our AD. The auditor is not buying that the traffic is secure, because port 389 is used and the TLS setting is set to no. I am not knowledgeable enough to dispute that.
If anyone has experience they can share on securing authentication to Microsoft AD that I can use with my auditors, I will greatly appreciate it. THX!

It turns out GSSAPI is not a valid option to use with an SSL certificate, as shown in the commands above (ldap-ssl 1). DIGEST-MD5 in combination with a (root) certificate looks to be the solution.
setauthparam -f ldap-type MSAD
setauthparam -f ldap-server <192.168.80.10>
setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>
setauthparam -f ldap-port 636
setauthparam -f ldap-ssl 1
setauthparam -f ldap-reqcert 1
setauthparam -f sasl-mechanism DIGEST-MD5
I've created a step-by-step tutorial on how to use LDAP over SSL (LDAPS) with port 636 for Primera and 3PAR arrays:
https://www.storcom.com/configure-ldap- ... -and-3par/
Hope it will be useful for the community.
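To go with the reply above, here is an added example (not code from the thread, from HPE, or from the storcom tutorial) that does two things a practitioner would want before handing the settings to an auditor: it audits the setauthparam values for the weak combinations discussed in the thread (no TLS, TLS without certificate validation, GSSAPI with ldap-ssl 1 as the reply reports), and it opens a TLS session to the domain controller the way the array will with ldap-reqcert 1, so a "servers did not support TLS" error can be reproduced outside the array. The parameter keys mirror the setauthparam names; the dictionary of posted values, the sample CA path and the probe function are assumptions for illustration.

```python
"""Audit and probe LDAPS settings for an array-to-AD bind.

Added example, not from the original thread or the array vendor. The key names
follow the setauthparam keys shown in the reply; probe_ldaps() is an assumed
stand-alone check and is not the array's own code path.
"""
import socket
import ssl

# Constructed sample: the values posted in the reply, as a dict.
POSTED_PARAMS = {
    "ldap-type": "MSAD",
    "ldap-server": "192.168.80.10",
    "ldap-server-hn": "LDAPSERVER.STORCOM.COM",
    "ldap-port": "636",
    "ldap-ssl": "1",
    "ldap-reqcert": "1",
    "sasl-mechanism": "DIGEST-MD5",
}


def audit_ldap_params(params):
    """Return a list of findings; an empty list means nothing to object to.

    Encodes what the auditor in the thread objected to (ldap-ssl 0, port 389)
    and the check an auditor should also make: TLS without ldap-reqcert 1 does
    not validate the server certificate, so it does not stop an interposed
    server from collecting the credentials.
    """
    findings = []
    port = int(params.get("ldap-port", "389"))
    ssl_on = params.get("ldap-ssl", "0") == "1"
    reqcert = params.get("ldap-reqcert", "0") == "1"
    mech = params.get("sasl-mechanism", "")

    if not ssl_on:
        findings.append("ldap-ssl is 0: the bind is sent without TLS")
    if ssl_on and port == 389:
        findings.append("ldap-ssl 1 with port 389: LDAPS is normally served on 636")
    if ssl_on and not reqcert:
        findings.append("ldap-reqcert is 0: server certificate is not validated, "
                        "so TLS does not stop a man-in-the-middle")
    if not params.get("ldap-server-hn"):
        findings.append("ldap-server-hn missing: no hostname to match the "
                        "server certificate against")
    if ssl_on and mech == "GSSAPI":
        findings.append("GSSAPI with ldap-ssl 1 is rejected by the array "
                        "(per the reply); the reply used DIGEST-MD5 instead")
    return findings


def probe_ldaps(host, port, cafile, server_hostname):
    """Open a TLS session to the DC with the same checks ldap-reqcert 1 implies.

    Raises ssl.SSLError / ssl.SSLCertVerificationError when the chain does not
    lead to `cafile` or `server_hostname` is not in the certificate, which is
    what the array reports as a failed LDAPS bind. Returns the negotiated
    protocol and the leaf certificate's subject and DNS SANs on success.
    Needs network access to the domain controller.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


if __name__ == "__main__":
    for line in audit_ldap_params(POSTED_PARAMS) or ["no findings"]:
        print(line)
    # Assumed path to the AD root CA exported in PEM form; adjust for your site.
    print(probe_ldaps(POSTED_PARAMS["ldap-server"], int(POSTED_PARAMS["ldap-port"]),
                      "/etc/ssl/certs/ad-root-ca.pem", POSTED_PARAMS["ldap-server-hn"]))
```

Running the probe with the same root certificate and hostname the array is given is the quickest way to show an auditor that the DC actually serves a validated TLS session on 636; if it fails with a verification error, the certificate on the DC (or the exported root) is the problem, not the array setting.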