How important is LDAP over SSL with Active Directory?

ssl active-directory

What risks should I be aware of that we're facing by not using SSL

Requests by domain members will use SASL (see: LDAP Security Model section in this doc)

Requests not from a domain member or client able to use SALS can be intercepted. Internally, this may not be that big of a deal since you probably have a switched network, and good control of your physical infrastructure.

If I follow one of the million guides on the internet to enable SSL, will it interrupt current service? Or will I be able to do it and the client machines will some how be informed to use SSL automatically?

It should not interrupt current service. Some clients (like your Dell LOM) will need configuration to use the SSL port, if the are currently working, and you want to enable SSL. You shouldn't have to do anything on your Windows servers/workstations.

I have two DCs running a single domain as domain.local. Since it's an "internal" TLD, I'm guessing I'll need to set this up using an internal CA and not a third party?

You can do either, you can even use a self-signed certificate. Some clients won't like this a self signed certificate, but your Drac probably would be fine with a self-signed certificate.

Setting up an enterprise CA is relatively easy, but it should really be on a box/vm just for this purpose. Can you afford a spare Windows license?

You could also run an OpenSSL CA, you could run one from a USB flash drive pretty easily. If you are familiar with Linux, then setting up an Ubuntu box/vm/usb device running tinyca should only take a couple hours.

Based off the answer of #1, would you say it's safe to stay off of SSL? What would you feel is the ratio of benefit to effort involved in getting converted to ssl?

  • If you don't trust your physical infrastructure, then you should probably enable SSL.
  • If you have a very small number of servers, then it may not be worth the effort.
  • You may be able to mitigate the risk using ipsec or some VPN to encrypt the LDAP.
  • As Evan mentioned in a comment, the DRAC LOM, is basically providing physical access, so you should strongly consider setting up SSL to protect you from a MITM.

Related

Multiple virtual VLAN interfaces on single NIC (Debian)
Downloading from wget - folder issue
When you exhaust a 1 Gpbs connection to your main haproxy, how do you scale out?
Attack on my web server - What could this mean
nagios nrpe check_procs wrong return value
What does the message, "too many links" mean when using CP on Linux?
What happens if a linux kernel argument is passed twice with different values?
how to view hostnames in traffic entering my webserver (Apache)?
How can I kill the Apache service on a Windows server?
File System with Real-Time Data Deduplication
Puppet upgrade msi on windows
Can not get RD Session Host server to accept my credentials for a Licensing server in a workgroup setup