RE: Require SSL transport?
At 12:25 PM 2/2/01 -0500, Justin Hahn wrote:
>Hrm... It's not entirely clear to me what needs to happen. For example, I
>have the following in my slapd.conf
>
>security ssf=128
This says "require 128 bits of encryption." This encryption can be
provided by any layer (SASL, TLS, or transport). If the protection
is not present, only operations which can be used to initiate
such protections (e.g. Start TLS) are allowed.
>and I can't seem to find a disallow or require which does the right thing.
>disallow seems to turn OFF SSL in many cases, and require only has
>requirements for SASL, whereas I need plaintext binding.
You can use ACLs to restrict simple authentication, for example:
access to attrs=userPassword
by ssf=112 auth
by ssf=128 self write
by * none
requires 112 bits of encryption for authentication,
but requires 128 bits of encryption for write.
>and the following ACL (which sounds like it'd do roughly what I want)
>doesn't work
>
>access to *
> by ssf=0 none
That's equivalent to saying
access to * by * none
as all sessions have zero or better encryption.
>I considered trying something like
>
>access to *
> by ssf=112 none
That's equivalent to
access to * by * none
as those with 112 or better encryption get none and those
without 112 or better encryption get none (by default).
>but I have no idea whether this would only forbid 3DES binds, or anything
>3DES or lower (the docs don't say, and I wouldn't know where to look in the
>code.)
Both would restrict all access, including binds.
>I can live with not having this sort of restriction, but it changes,
>somewhat, my plans for implementation.
>
>
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>> Sent: Friday, February 02, 2001 12:01 PM
>> To: Jens Vagelpohl
>> Cc: Justin Hahn; 'openldap-software@Openldap.org'
>> Subject: Re: Require SSL transport?
>>
>>
>> At 11:33 AM 2/2/01 -0500, Jens Vagelpohl wrote:
>> >starting your server with "slapd -h ldaps:///" should prevent it from
>> >listening on anything other than port 636.
>>
>> But this disallows use of LDAP Start TLS (-Z), the standard track
>> mechanism of initiating TLS (SSL) services.
>>
>> There are numerous ways to restrict access in OpenLDAP.
>> ACLs support ssf and tls_ssf factors where you can
>> restrict access based upon the strength of the security
>> actually provided by the layer.
>>
>> There are also various "allows", "disallows", "requires",
>> and "security" slapd.conf(5) statements which can be used
>> to control the behavior of the server.
>>
>>
>> >jens
>> >
>> >
>> >
>> >On 2/2/01 10:56, "Justin Hahn" <jhahn@profitlogic.com> wrote:
>> >
>> >> Over the past couple days I've been setting up OpenLDAP as a substitute
>> >> for NIS. To do this I want all communications done with the LDAP server
>> >> to be over SSL exclusively. But I can't seem to figure out how to get
>> >> openldap to ignore requests that aren't over SSL.
>> >> (i.e. ldapsearch -ZZ -x '(objectclass=*)' gives me exactly what I expect,
>> >> but take away -ZZ and I get the same results back. Which isn't what I want.)
>> >>
>> >> Is there any ACL I can use to grant no access if SSL isn't being used?
>> >> A config option? A commandline option to slapd?
>> >>
>> >> Thanks!
>>
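Added illustration (constructed for this page; not slapd's code and not part of the thread): a small Python model of the two mechanisms Kurt describes above, the global "security ssf=N" directive and "ssf=N" / "tls_ssf=N" who-clauses inside "access to" ACLs. It reproduces why "by ssf=0 none" and "by ssf=112 none" both collapse to "by * none", and it also shows a point the thread's userPassword ACL glosses over: slapd stops at the first matching by-clause, so a clause such as "by ssf=128 self write" only takes effect if it is listed before the broader "by ssf=112 auth". The session fields, the Directive class and the constants below are assumptions of the model, not slapd internals.

```python
"""Toy model of two OpenLDAP access-control mechanisms from the thread:
the global ``security ssf=N`` directive and ``ssf=N`` who-clauses in
``access to`` ACLs.  Constructed illustration, not slapd's own code."""

from dataclasses import dataclass, field

# Access levels from least to most privileged (slapd.access(5)); "auth" is
# enough to bind with a password, "write" is needed to change it.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare",
                 "search", "read", "write", "manage"]


@dataclass
class Session:
    """Per-connection state the checks consult (assumed fields)."""
    bind_dn: str = ""   # "" means anonymous
    ssf: int = 0        # overall security strength factor (TLS, SASL or transport)
    tls_ssf: int = 0    # strength provided by TLS alone


def security_allows(session, required_ssf, operation):
    """Model of ``security ssf=<required_ssf>``: when the session is weaker
    than required, only operations that can raise protection proceed."""
    if session.ssf >= required_ssf:
        return True
    return operation in ("starttls", "sasl-bind")


@dataclass
class Directive:
    """One ``access to <what> by <who> <access> ...`` line."""
    what: str                                  # "*" or "attrs=<name>[,<name>]"
    by: list = field(default_factory=list)     # ordered (who, access) pairs


def _who_matches(who, session, entry_dn):
    """Every space-separated condition in a who-clause must hold."""
    for cond in who.split():
        if cond == "*":
            ok = True
        elif cond == "anonymous":
            ok = session.bind_dn == ""
        elif cond == "users":
            ok = session.bind_dn != ""
        elif cond == "self":
            ok = session.bind_dn != "" and session.bind_dn == entry_dn
        elif cond.startswith("ssf="):
            ok = session.ssf >= int(cond[4:])        # "N bits or better"
        elif cond.startswith("tls_ssf="):
            ok = session.tls_ssf >= int(cond[8:])
        else:
            raise ValueError(f"unsupported who-clause: {cond}")
        if not ok:
            return False
    return True


def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        names = [a.strip().lower() for a in what[6:].split(",")]
        return attr is not None and attr.lower() in names
    raise ValueError(f"unsupported what-clause: {what}")


def acl_access(directives, session, entry_dn, attr=None):
    """Granted level: first matching directive, then its first matching
    by-clause.  A matching directive with no matching by-clause denies
    (implicit ``by * none``); no matching directive is simplified to none."""
    for d in directives:
        if _what_matches(d.what, attr):
            for who, access in d.by:
                if _who_matches(who, session, entry_dn):
                    return access
            return "none"
    return "none"


def grants(directives, session, entry_dn, needed, attr=None):
    """True if the session gets at least ``needed`` access."""
    got = acl_access(directives, session, entry_dn, attr)
    return ACCESS_LEVELS.index(got) >= ACCESS_LEVELS.index(needed)


# The userPassword ACL from the thread, by-clauses in the order given there.
PASSWORD_ACL = [Directive("attrs=userPassword",
                [("ssf=112", "auth"), ("ssf=128 self", "write"), ("*", "none")])]
# Same clauses, most specific first: since the first match wins, this order
# is what actually gives a self-bound 128-bit session "write".
PASSWORD_ACL_ORDERED = [Directive("attrs=userPassword",
                        [("ssf=128 self", "write"), ("ssf=112", "auth"), ("*", "none")])]
# The two deny-all attempts from the thread.
DENY_SSF0 = [Directive("*", [("ssf=0", "none")])]
DENY_SSF112 = [Directive("*", [("ssf=112", "none")])]

if __name__ == "__main__":
    me = "uid=justin,dc=example,dc=com"          # constructed DN
    for ssf in (0, 56, 112, 128):
        s = Session(bind_dn=me, ssf=ssf)
        print(f"ssf={ssf:3}: search allowed under security ssf=128: "
              f"{security_allows(s, 128, 'search')}; userPassword as written: "
              f"{acl_access(PASSWORD_ACL, s, me, 'userPassword')}, specific first: "
              f"{acl_access(PASSWORD_ACL_ORDERED, s, me, 'userPassword')}; "
              f"deny0: {acl_access(DENY_SSF0, s, me)}, deny112: {acl_access(DENY_SSF112, s, me)}")
```

Running it prints one line per session strength; every session ends up with "none" under both deny-all ACLs, and only the reordered userPassword ACL ever yields "write".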