LDAPs or LDAP for OpenVPN remote access?
-
If LDAP is chosen as the authentication method for a Remote Access OpenVPN server, is it recommended to stick with the encrypted version of LDAP (LDAPs) or would unencrypted LDAP suffice? Would LDAPs just add unnecessary additional encryption and complexity to an already encrypted channel? Am I completely off here?
In section 9.3 of the pfsense book they provide an example of a remote access OpenVPN server using plain TCP LDAP. There doesn't seem to be any mention if LDAPs is recommended for external authentication.
-
OpenVPN encrypts data transfers between your clients and pfSense
LDAPS encrypts the LDAP authentication process itself between pfSense and your LDAP server.
The two are not related, and you should always go for the more secure option if it's available. LDAPS is definitely preferable, especially if the LDAP server is remote to the firewall. If the firewall and the LDAP server are on the same network directly connected (e.g. LDAP server is in LAN or DMZ) then it may not matter so much, but I'd still go for LDAPS.