Our small office network is administered by a (very good) self-employed Debian dev, and in the last six years I have learned a great deal by reading through the config files on our server. I have even set up my own (modest) home server and am very interested in everything about networking.
Earlier this year there were the SSL vulnerabilities, so I glanced through our own setup and I think I have found a weakness that I'm not sure is serious or not.
Internal authentication is handled with LDAP / Kerberos, so at this level I see no problems, but connections to e.g. our LDAP server are not protected with SSL or TLS, and thus my question: should this not be mandatory on an office network that (although protected by iptables) allows connections with the internet?
Besides LDAP / Kerberos, our server also handles Apache, PostgreSQL, IMAP, SMTP, CalDAV, NFS, CUPS, etc.
If I understand your explanation correctly, the LDAP server is only used for queries in your internal LAN? If this traffic is only between hosts on a trusted segment, then one can potentially argue/understand the choice for plain old LDAP.
However, if you have the resources (knowledge, capability/compatibility to deploy this correctly onto clients, hardware that can handle it, etc.), encrypted LDAP is always an extra security layer which is useful to have.
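To make the "extra layer" concrete: with plain LDAP, a simple bind carries the user's DN and password unencrypted in the BER-encoded request, so anyone on the segment (or a compromised host on it) can read it. The following is an added example, not code from the thread: a small detector that decodes an LDAP BindRequest and flags cleartext simple binds, reporting only the DN and the password length. The sample bytes are constructed by hand, not a real capture; they stand in for the payload of a TCP segment sent to port 389 on your own network.

```python
# Added example: flag LDAP simple binds sent over an unencrypted port-389 connection.
# Assumes `payload` is the raw LDAP message; the sample bytes below are constructed.
from dataclasses import dataclass


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV (definite lengths only). Returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class CleartextBind:
    message_id: int
    bind_dn: str
    password_len: int  # length only; the secret itself is never logged


def detect_cleartext_simple_bind(payload: bytes):
    """Return a CleartextBind if payload is a BindRequest with simple auth, else None."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:                       # LDAPMessage ::= SEQUENCE
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:                       # messageID INTEGER
        return None
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:                       # [APPLICATION 0] BindRequest
        return None
    _, _version, pos = _read_tlv(op, 0)   # version INTEGER (3 for LDAPv3)
    _, dn, pos = _read_tlv(op, pos)       # name LDAPDN (OCTET STRING)
    tag, cred, _ = _read_tlv(op, pos)     # authentication CHOICE
    if tag != 0x80:                       # [0] simple; 0xA3 would be SASL
        return None
    return CleartextBind(int.from_bytes(mid, "big"), dn.decode(), len(cred))


# Constructed sample: messageID 1, LDAPv3 bind as cn=admin,dc=example,dc=com, 7-byte password.
SAMPLE_BIND = bytes.fromhex(
    "302d020101" "6028" "020103"
    + "041a" + "cn=admin,dc=example,dc=com".encode().hex()
    + "8007" + b"hunter2".hex()
)

if __name__ == "__main__":
    print(detect_cleartext_simple_bind(SAMPLE_BIND))
```

With StartTLS or LDAPS in place the same bind is inside the TLS stream, and this decoder sees nothing; that is the difference the answer above is pointing at.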
Our LDAP server is used to authenticate users (LAN only), but also as an address book (LAN only, although exposed through a local web app).
But other services are exposed to the internet: IMAP, SMTP, HTTP, etc. Whenever I need to add a new device (a smartphone, e.g.), I'm confronted with the setting 'encryption', which has to be left blank for our setup. That's why I have my doubts...
But you seem to consider encryption something 'optional', if I understand you correctly. So my doubts are probably not warranted. THX for your reply!