HP Integrated Lights-Out security, 6th edition (HP AB500A Integrated Lights-Out Advanced technology brief)
Appendix C: LDAP/LDAPS definitions

The LDAP/LDAPS protocol provides access to directories supporting the X.500 models but does not
incur the resource requirements of the X.500 Directory Access Protocol (DAP). The LDAP/LDAPS
protocol is specifically targeted at management applications and browser applications that provide
read/write interactive access to directories. When used with a directory supporting the X.500
protocols, LDAP/LDAPS is intended to be a complement to the X.500 DAP.
The following are key characteristics of the LDAP/LDAPS protocol:
• Protocol elements are carried directly over Transmission Control Protocol (TCP) or other transport,
bypassing much of the session/presentation overhead.
• Most protocol data elements can be encoded as ordinary strings (for example, Distinguished
Names).
• A lightweight subset of the ASN.1 Basic Encoding Rules (BER) is used to encode all protocol elements. BER is an encoding, not encryption; it provides no confidentiality.
• Referrals to other servers can be returned.
• Simple Authentication and Security Layer (SASL) mechanisms can be used with LDAP to provide
association security services.
• Attribute values and Distinguished Names have been internationalized through the use of the ISO
10646 character set.
• The protocol can be extended to support new operations, and controls can be used to extend
existing operations.
• Schema is published in the directory for use by clients.
The LDAP protocol is used to read from and write to Active Directory. By default, LDAP traffic is
transmitted unsecured: a simple bind carries the password in clear text, and queries and their results
are readable by anyone on the network path. System administrators can make LDAP traffic confidential
and secure by using SSL/Transport Layer Security (TLS) technology. Administrators can enable LDAP over
SSL (LDAPS) by installing a properly formatted certificate from a certification authority (CA).
To enable LDAPS, administrators must install a certificate that meets the following requirements:
• The LDAPS certificate is located in the personal certificate store of the local computer
(programmatically known as the computer's MY certificate store).
• A private key that matches the certificate is present in the local computer's store and is correctly
associated with the certificate. The private key must not have strong private key protection enabled,
because the directory service opens the key unattended and cannot answer a password prompt.
• The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object
identifier (OID).
• The Active Directory fully qualified domain name of the domain controller (for example,
DC01.DOMAIN.COM) must appear in one of the following places:
– The Common Name (CN) in the Subject field
– A DNS entry in the Subject Alternative Name extension
• The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is
established by configuring the clients and the server to trust the root CA to which the issuing CA
chains.
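The "lightweight BER" encoding listed among the characteristics above is easy to see on the wire, and looking at it makes the unsecured-by-default warning concrete. The following is an added example, not code from the HP brief: it encodes an LDAPv3 simple BindRequest (RFC 4511) in BER and then parses it back, recovering the bind password directly from the bytes, which is exactly what a network observer can do when the bind is not wrapped in LDAPS or StartTLS. The DN and password are constructed for the demo.

```python
"""Minimal BER encoder/decoder for the LDAPv3 simple BindRequest (RFC 4511).

Added example, not code from the HP brief: it shows the lightweight BER
encoding of LDAP protocol elements and why a simple bind over plain LDAP
(port 389, no TLS) discloses the password to anyone on the path.
"""
from typing import Dict, Tuple

# BER tags used by LDAPMessage / BindRequest (RFC 4511, section 4.2)
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30       # UNIVERSAL 16, constructed
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] context-specific, primitive: simple credentials


def ber_length(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value: the building block of every BER element."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(v: int) -> bytes:
    """INTEGER as minimal two's-complement (LDAP messageID and version are small and positive)."""
    size = max(1, (v.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, v.to_bytes(size, "big", signed=True))


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = tlv(
        TAG_BIND_REQUEST,
        ber_integer(3)
        + tlv(TAG_OCTET_STRING, bind_dn.encode("utf-8"))   # LDAPDN is an OCTET STRING
        + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")),  # password travels verbatim
    )
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + bind_request)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one TLV at buf[pos]; returns (tag, value, position after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported length encoding")   # LDAP forbids indefinite lengths
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def decode_simple_bind(msg: bytes) -> Dict[str, object]:
    """Recover messageID, version, bind DN and password from a captured simple BindRequest."""
    tag, body, end = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID missing")
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, creds, _ = read_tlv(op, pos)
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError("not a simple bind (SASL credentials present)")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "name": name.decode("utf-8"),
        "password": creds.decode("utf-8"),
    }


if __name__ == "__main__":
    # Constructed sample credentials; the DN and password are made up for the demo.
    wire = encode_simple_bind(1, "cn=ilo,dc=example,dc=com", "Secret1!")
    print(wire.hex())
    print(decode_simple_bind(wire))   # the password is readable straight off the wire
```

The encoder produces the 46-byte message a directory client would send for that bind; the decoder is the same parse a packet sniffer performs. Nothing in BER hides the credential, which is why the brief has the administrator move the traffic to LDAPS (or use a SASL mechanism) rather than rely on the encoding.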
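Of the certificate requirements listed above, two are visible from the client side: the domain controller's FQDN must appear as the Subject CN or as a SAN DNS entry, and the chain must lead to a root the client trusts. The following is an added example, not code from the HP brief: fqdn_present() applies the name rule to the dictionary shape Python's ssl.getpeercert() returns, and probe_ldaps() performs the TLS handshake to port 636 with chain and hostname verification enabled, which is what an LDAPS client such as iLO does when it connects. The sample certificates are constructed, using the brief's DC01.DOMAIN.COM example; the store location, private-key and EKU requirements can only be checked on the domain controller itself and are not covered here.

```python
"""LDAPS certificate checks from the client side.

Added example, not from the HP brief. fqdn_present() checks the name rule
(FQDN as Subject CN or SAN DNS entry); probe_ldaps() does the verified TLS
handshake an LDAPS client performs. The sample certificates are constructed.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple

SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"   # required EKU OID; not exposed by getpeercert()


def cert_names(cert: Dict[str, object]) -> Tuple[Optional[str], List[str]]:
    """Return (Subject CN, [SAN DNS names]) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):          # subject: tuple of RDNs, each a tuple of (type, value)
        for attr_type, value in rdn:
            if attr_type == "commonName":
                cn = value
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, dns_names


def fqdn_present(cert: Dict[str, object], dc_fqdn: str) -> bool:
    """True if dc_fqdn appears as the Subject CN or a SAN DNS entry (exact, case-insensitive).

    Wildcards are deliberately not accepted: the requirement is the domain controller's own FQDN.
    """
    cn, dns_names = cert_names(cert)
    want = dc_fqdn.lower().rstrip(".")
    have = {name.lower().rstrip(".") for name in ([cn] if cn else []) + dns_names}
    return want in have


def probe_ldaps(dc_fqdn: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> Dict[str, object]:
    """TLS handshake to the DC's LDAPS port, verifying the chain against cafile (the root CA the
    issuing CA chains to) and the hostname; raises ssl.SSLCertVerificationError on failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((dc_fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dc_fqdn) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() dict form (no real DC involved).
CERT_WITH_SAN = {
    "subject": ((("commonName", "DC01.DOMAIN.COM"),),),
    "subjectAltName": (("DNS", "DC01.DOMAIN.COM"), ("DNS", "DOMAIN.COM")),
}
CERT_CN_ONLY = {
    "subject": ((("domainComponent", "COM"),), (("domainComponent", "DOMAIN"),),
                (("commonName", "DC01.DOMAIN.COM"),)),
}
CERT_SHORT_NAME = {
    "subject": ((("commonName", "DC01"),),),             # NetBIOS name, not the FQDN
    "subjectAltName": (("DNS", "DC01"),),
}

if __name__ == "__main__":
    for label, cert in [("san", CERT_WITH_SAN), ("cn-only", CERT_CN_ONLY), ("short", CERT_SHORT_NAME)]:
        print(label, fqdn_present(cert, "dc01.domain.com"))
    # Live check (needs network access and the enterprise root CA in PEM form):
    # print(probe_ldaps("DC01.DOMAIN.COM", cafile="enterprise-root.pem"))
```

A certificate that carries only the short host name fails the check even though it is otherwise valid, which is the usual cause of LDAPS clients rejecting a domain controller. probe_ldaps() fails the same way a client would: a missing root in cafile raises a verification error for the chain, and a name mismatch raises one for the hostname. The Server Authentication EKU and the private-key conditions must be confirmed on the domain controller (for example with certutil or the Certificates console), since Python's getpeercert() does not return extensions.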

This technology brief also applies to iLO 2 v1.60 and iLO v1.91.