
RE: security measures

RE: the SSL failure:
Did you set TLSCertificateFile and TLSCertificateKeyFile in your slapd.conf? I was getting the same error until I figured that one out.
And SSL is easy to set up once you get those things in there. Be careful about what certs you use: you really should pay Verisign or Thawte for a cert; if you don't, you could be subjected to a man-in-the-middle attack.
For testing with dummy certs, mod_ssl for Apache comes with a small script that helps you generate a bogus CA and certs signed by that CA. There might even be something in the OpenSSL distro, but I haven't looked too hard.

As for the security thing, here's what I have found:
If you want to use DIGEST-MD5 authentication, you must use SASL, but SASL maintains a separate db of users in /etc/sasldb. Read the source code for saslpasswd (included with Cyrus SASL), but it is really just a gdbm (or similar) database to store username/realm/password.
If you don't want to use the sasldb (i.e. want to use the userPassword attribute in LDAP to authenticate users), then you are going to have to use simple authentication. I think you can pass MD5 or SHA passwords (check the faq-o-matic on this one) to OpenLDAP, and it will authenticate the user. Of course, a bad guy doesn't get the user's password, but he does get enough information to impersonate that user to the LDAP server whenever he wants to.
You might be able to live with that.
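The steps the reply describes (a throwaway test CA, a server cert signed by it, and the TLSCertificateFile/TLSCertificateKeyFile directives in slapd.conf), worked through as an added example that is not part of the original thread. It uses the openssl command line instead of the mod_ssl helper script, and also writes the client-side fragments that make ldapsearch -ZZ and pam_ldap refuse a server whose certificate does not chain to that CA, which is the check that closes the man-in-the-middle gap the reply warns about. The hostname ldap.example.test, the output directory and the /etc/openldap paths are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original thread): build a test CA, issue a slapd
# server certificate signed by it, and emit the TLS config fragments.
# LDAP_HOST, OUTDIR and the /etc/openldap paths below are assumptions.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.test}"   # assumed name; clients must connect by this name
OUTDIR="${OUTDIR:-./ldap-tls-test}"           # assumed scratch directory

make_test_ca() {
    mkdir -p "$OUTDIR"
    # 1. Self-signed test CA: the "bogus CA" from the reply, only for a lab.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Test LDAP CA" \
        -keyout "$OUTDIR/ca.key" -out "$OUTDIR/ca.crt" 2>/dev/null
    # 2. Server key and CSR for slapd; CN set to the host name clients will use.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$LDAP_HOST" \
        -keyout "$OUTDIR/slapd.key" -out "$OUTDIR/slapd.csr" 2>/dev/null
    # subjectAltName so newer clients can match the name as well as old CN-only ones.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$LDAP_HOST" \
        > "$OUTDIR/slapd.ext"
    # 3. Sign the CSR with the test CA.
    openssl x509 -req -days 30 -in "$OUTDIR/slapd.csr" \
        -CA "$OUTDIR/ca.crt" -CAkey "$OUTDIR/ca.key" -CAcreateserial \
        -extfile "$OUTDIR/slapd.ext" -out "$OUTDIR/slapd.crt" 2>/dev/null
    chmod 600 "$OUTDIR/ca.key" "$OUTDIR/slapd.key"
}

# Check the chain the way a client would: succeeds only if slapd.crt chains to ca.crt.
verify_server_cert() {
    openssl verify -CAfile "$OUTDIR/ca.crt" "$OUTDIR/slapd.crt" >/dev/null 2>&1
}

write_config_fragments() {
    # slapd.conf: the two directives the reply names, plus the CA file for the chain.
    cat > "$OUTDIR/slapd.conf.tls" <<EOF
TLSCACertificateFile  /etc/openldap/ca.crt
TLSCertificateFile    /etc/openldap/slapd.crt
TLSCertificateKeyFile /etc/openldap/slapd.key
EOF
    # OpenLDAP client library (ldapsearch -ZZ reads ldap.conf): trust only this CA
    # and require a valid server certificate instead of silently accepting any.
    cat > "$OUTDIR/ldap.conf.tls" <<EOF
TLS_CACERT  /etc/openldap/ca.crt
TLS_REQCERT demand
EOF
    # pam_ldap / nss_ldap (/etc/ldap.conf): StartTLS on every bind, and reject
    # servers whose certificate does not chain to the CA.
    cat > "$OUTDIR/pam_ldap.conf.tls" <<EOF
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/ca.crt
EOF
}

main() {
    make_test_ca
    verify_server_cert
    write_config_fragments
    echo "test CA, server cert and config fragments written to $OUTDIR"
}

# Run everything only when invoked as: sh this-script.sh --run
case "${1:-}" in --run) main ;; esac
```

After copying the three files into place and restarting slapd, `ldapsearch -ZZ` against the assumed host name succeeds only if the handshake completes and the certificate verifies; a client that trusts a different CA, or none, fails the bind rather than talking to whatever is answering on port 389.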

-----Original Message-----
From: James Gregory [mailto:james@linuxplaza.com.au]
Sent: Wednesday, January 10, 2001 11:19 PM
To: openldap-software@OpenLDAP.org
Subject: security measures


Hi,

First of all, for anyone who was interested in the problem with extremely
slow LDAP: it was a faulty hub.

Now, having (thankfully) gotten past that little hurdle, I'm onto the
issue of how to best configure OpenLDAP. Currently I'm concerned with
security. Basically we want something which is sufficiently secure
(though I'm not too fussed about that; it's over an IPsec VPN, I'd just
like to stop people on the local network being able to pull passwords
straight off the network with a sniffer). And it needs to be very easy
to maintain.

I understand that SASL requires a separate config file which needs to be
modified for each user we want to authenticate against, is that right?
How complex is this file? Would it be easy to write a Perl script to add
users to it?

Next point, is SSL easy to set up? Is there a flag on pam_ldap I need to
set to force it to use SSL? How secure is SSL? Is it difficult to set
up?

I tried building with SSL and without SSL, and I'm getting failures when
I use -ZZ on ldapsearch. I would have thought it should be a
straightforward process of using the SSL socket calls rather than the
Berkeley sockets ones. Is there something I'm missing?

Here's the error:
ldap_start_tls: Success
        additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
[root@fileserver /root]# 


Thanks for all your help.

James.