What Are You Doing Right Now
-
@scottalanmiller The other part of the problem is there are two things I'm wanting to secure.
1. Traffic from client to my dokuwiki, which I agree can be easily accomplished with Let's Encrypt, despite this site not being public-facing.
2. Traffic between my dokuwiki and domain controller (for authentication), since LDAP is sent in the clear. I suppose I could use Let's Encrypt to give the domain controller a certificate, so the certificate it presents to dokuwiki is from a trusted root CA. Or I issue and install certs with our internal CA that's already in place.
I suppose there's a third option as well, which is what was mentioned yesterday: Do I really care that AD credentials are sent in the clear if this traffic is only on my local network (or travelling to a user at home over a VPN tunnel)? Which, for me, the answer is "yes." I don't think it's a good idea to pass credentials in the clear over a network in general.
-
-
Or maybe a 4th option and figure out how to authenticate against AD using kerberos.
-
@EddieJennings said in What Are You Doing Right Now:
Traffic between my dokuwiki and domain controller (for authentication), since LDAP is sent in the clear. I suppose I could use Let's Encrypt to give the domain controller a certificate, so the certificate it presents to dokuwiki is from a trusted root CA. Or I issue and install certs with our internal CA that's already in place.
I don't believe you need a client certificate for LDAPS, not a registered one. Just used a self-signed one.
-
@EddieJennings said in What Are You Doing Right Now:
I suppose there's a third option as well, which is what was mentioned yesterday: Do I really care that AD credentials are sent in the clear if this traffic is only on my local network (or travelling to a user at home over a VPN tunnel)? Which, for me, the answer is "yes." I don't think it's a good idea to pass credentials in the clear over a network in general.
You may want to watch @scottalanmiller's discussion on LANless design.
-
@EddieJennings said in What Are You Doing Right Now:
Or maybe a 4th option and figure out how to authenticate against AD using kerberos.
Is there another way?
-
@coliver said in What Are You Doing Right Now:
@EddieJennings said in What Are You Doing Right Now:
Traffic between my dokuwiki and domain controller (for authentication), since LDAP is sent in the clear. I suppose I could use Let's Encrypt to give the domain controller a certificate, so the certificate it presents to dokuwiki is from a trusted root CA. Or I issue and install certs with our internal CA that's already in place.
I don't believe you need a client certificate for LDAPS, not a registered one. Just used a self-signed one.
That's what I would guess.
-
@scottalanmiller said in What Are You Doing Right Now:
@coliver said in What Are You Doing Right Now:
@EddieJennings said in What Are You Doing Right Now:
Traffic between my dokuwiki and domain controller (for authentication), since LDAP is sent in the clear. I suppose I could use Let's Encrypt to give the domain controller a certificate, so the certificate it presents to dokuwiki is from a trusted root CA. Or I issue and install certs with our internal CA that's already in place.
I don't believe you need a client certificate for LDAPS, not a registered one. Just used a self-signed one.
That's what I would guess.
I'm trying to find documentation on it. But really it's just LDAP riding over SSL. So no special certificates or anything are really needed.
-
@EddieJennings said in What Are You Doing Right Now:
@scottalanmiller The other part of the problem is there are two things I'm wanting to secure.
1. Traffic from client to my dokuwiki, which I agree can be easily accomplished with Let's Encrypt, despite this site not being public-facing.
2. Traffic between my dokuwiki and domain controller (for authentication), since LDAP is sent in the clear. I suppose I could use Let's Encrypt to give the domain controller a certificate, so the certificate it presents to dokuwiki is from a trusted root CA. Or I issue and install certs with our internal CA that's already in place.
I suppose there's a third option as well, which is what was mentioned yesterday: Do I really care that AD credentials are sent in the clear if this traffic is only on my local network (or travelling to a user at home over a VPN tunnel)? Which, for me, the answer is "yes." I don't think it's a good idea to pass credentials in the clear over a network in general.
For point 1 you can do any cert, but LE is the only one I would ever use.
-
-
@scottalanmiller said in What Are You Doing Right Now:
@EddieJennings said in What Are You Doing Right Now:
Or maybe a 4th option and figure out how to authenticate against AD using kerberos.
Is there another way?
Is there? If so, enlighten me, so I'm not putting effort toward negative learning.
-
I think just LDAPS.
-
I'm pretty sure with Dokuwiki you set StartTLS = 1. You may need the openssl library installed first but I'm pretty sure it is that easy.
-
@coliver Since you mentioned possibly just needing a self-signed cert, that's what I'm thinking as well. We're about to find out.
-
@coliver said in What Are You Doing Right Now:
I'm pretty sure with Dokuwiki you set StartTLS = 1. You may need the openssl library installed first but I'm pretty sure it is that easy.
That's what I would guess. Generating a cert of any sort is weird for this.
-
@EddieJennings said in What Are You Doing Right Now:
@coliver Since you mentioned possibly just needing a self-signed cert, that's what I'm thinking as well. We're about to find out.
This would be a good how-to thread, by the by.
-
Heading home from whisky stuff.
-
First test = failure. But it seems to follow what we think. The failure came from the fact that the dokuwiki server doesn't trust the CA of the cert that my domain controller is presenting -- which is what I expected.
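As an added example (not from this thread, and not DokuWiki's own code), here is a small POSIX shell script that reproduces the check the "first test" above ran into: it connects to the domain controller the way the DokuWiki box's LDAP client library will, either LDAPS on 636 or plain LDAP on 389 upgraded with StartTLS, and reports whether the chain the DC presents verifies against a given CA file. The hostname dc01.example.internal and the bundle path /etc/ssl/certs/internal-ca.pem are assumed placeholders; `-starttls ldap` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread: does this host trust the certificate chain
# the domain controller presents for LDAPS (636) or StartTLS (389)?
# Assumed values: DC hostname dc01.example.internal, CA bundle /etc/ssl/certs/internal-ca.pem.

# Read `openssl s_client` output on stdin and print the numeric verify return code
# (0 means the chain verified against the CA file); prints "unknown" if the line is absent,
# e.g. when the TCP connection itself failed.
verify_code() {
    awk '/^Verify return code:/ { code = $4 } END { print (code == "" ? "unknown" : code) }'
}

# Map the verify codes you actually meet in an AD/LDAP setup to the next step.
explain_code() {
    case "$1" in
        0)        echo "chain trusted: CA file contains the issuing CA" ;;
        18)       echo "leaf cert is self-signed: add that exact cert to the CA file" ;;
        19|20|21) echo "issuer not in CA file: add the internal root (and intermediates) to the CA file" ;;
        62)       echo "hostname mismatch: DC cert SAN does not match the name DokuWiki connects to" ;;
        10)       echo "DC certificate has expired" ;;
        *)        echo "verify code $1: see the openssl verify error list" ;;
    esac
}

# Connect as DokuWiki's libldap would and print the code plus its explanation.
# mode is "ldaps" (TLS from the first byte, port 636) or "starttls" (plain LDAP on 389
# upgraded with the StartTLS extended operation). Returns 0 only when the chain verifies.
check_dc_tls() {
    host="$1"; mode="$2"; cafile="$3"
    case "$mode" in
        ldaps)    port=636; extra="" ;;
        starttls) port=389; extra="-starttls ldap" ;;
        *) echo "usage: check_dc_tls HOST ldaps|starttls CAFILE" >&2; return 2 ;;
    esac
    # "Q" on stdin tells s_client to close the session once the handshake is done.
    # $extra is deliberately unquoted so "-starttls ldap" splits into two arguments.
    code=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
               $extra -CAfile "$cafile" 2>/dev/null | verify_code)
    echo "$mode $host:$port -> $code: $(explain_code "$code")"
    [ "$code" = "0" ]
}

# Stand-alone use with the assumed names: both lines should end in code 0 once the
# DC's issuing CA is in the bundle.
if [ "${1:-}" = "run" ]; then
    check_dc_tls dc01.example.internal ldaps    /etc/ssl/certs/internal-ca.pem
    check_dc_tls dc01.example.internal starttls /etc/ssl/certs/internal-ca.pem
fi
```

Code 19 or 20 is the failure described above: nothing is wrong with the DC's certificate, the DokuWiki box simply has no copy of the internal CA. On Linux, PHP's ldap extension goes through libldap, which reads `TLS_CACERT` from /etc/ldap/ldap.conf (Debian/Ubuntu) or /etc/openldap/ldap.conf (RHEL/CentOS); point that directive at the bundle that makes this script return 0, restart the web server or php-fpm, and DokuWiki's StartTLS or LDAPS bind will verify the same way. Leave `TLS_REQCERT` at `demand` rather than relaxing it to `never`, which keeps the encryption but drops the check that you are talking to your own DC.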
-
@scottalanmiller said in What Are You Doing Right Now:
Heading home from whisky stuff.
Just steer clear of all parking garages.
-
Just bought this: https://luuup.com/ for my cat
Laura also said yes to that sweet coffee table I linked yesterday.
-
@scottalanmiller said in What Are You Doing Right Now:
@EddieJennings said in What Are You Doing Right Now:
@scottalanmiller The other part of the problem is there are two things I'm wanting to secure.
1. Traffic from client to my dokuwiki, which I agree can be easily accomplished with Let's Encrypt, despite this site not being public-facing.
2. Traffic between my dokuwiki and domain controller (for authentication), since LDAP is sent in the clear. I suppose I could use Let's Encrypt to give the domain controller a certificate, so the certificate it presents to dokuwiki is from a trusted root CA. Or I issue and install certs with our internal CA that's already in place.
I suppose there's a third option as well, which is what was mentioned yesterday: Do I really care that AD credentials are sent in the clear if this traffic is only on my local network (or travelling to a user at home over a VPN tunnel)? Which, for me, the answer is "yes." I don't think it's a good idea to pass credentials in the clear over a network in general.
For point 1 you can do any cert, but LE is the only one I would ever use.
How do you do LE for internal-only servers? I didn't think that was supported?
-
-
@wirestyle22 said in What Are You Doing Right Now:
Just bought this: https://luuup.com/ for my cat
Laura also said yes to that sweet coffee table i linked yesterday.
I'm actually working (slowly) on a behind-the-couch table that will have compartments for phone chargers and remote control storage.