
Re: about TLS and Openldap ...



Hi,
From the keyboard of Susanne,

> Hi,
> 
> I got my Openldap-2.0.18 working with TLS-Support. I'm using LDAP, PHP 
> 4.0.6, GQ 4.0.1 (I think), pam_ldap and nss_ldap (newest versions) as 
> "clients" - all compiled with TLS/SSL-support.
> But now I'm a little bit concerned about security, because when starting 
> slapd with
> 
> /usr/local/openldap/libexec/slapd -h "ldap:/// ldaps:///" -d 127 -f 
> /usr/local/openldap/etc/openldap/slapd.conf

Your slapd binds to port 636/ldapssl and 389/ldap.
If you don't remove 'ldap:///' your server will also respond on
non-encrypted traffic.
And so you have to be sure that all your LDAP clients use TLS on
Port 636 or STARTTLS on port 389 to communicate with the server.

> Openldap (as far as I understand it) only supports TLS connection 
> without client certificate. Does this mean only "one way" of 
> communication is encrypted?

No.

Is 'ssl yes' & 'port 636' set in your pam_ldap & pam_nss configuration files?

bye
    Waldemar

-- 
Are your questions smart enough?
http://www.tuxedo.org/~esr/faqs/smart-questions.html
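The two checks Waldemar describes above (which slapd listeners still answer in the clear, and whether a pam_ldap/nss_ldap ldap.conf actually forces TLS) as a small audit script. This is an added example, not code from the thread or from OpenLDAP; the sample ldap.conf is constructed, and the accepted values for `ssl` (yes/on/true/start_tls) are assumed from the pam_ldap documentation.

```python
"""Audit helpers for the two points raised in the thread: which slapd
listeners accept cleartext, and whether a pam_ldap/nss_ldap ldap.conf
forces TLS. Constructed example, not OpenLDAP or pam_ldap code."""
from __future__ import annotations
from urllib.parse import urlsplit


def cleartext_listeners(slapd_h_arg: str) -> list[str]:
    """Return the URIs from a slapd -h argument that are not TLS-wrapped.

    ldap:// listeners answer unencrypted unless the client sends STARTTLS;
    ldaps:// listeners are TLS from the first byte; ldapi:// is a local
    Unix socket and is left out because it is not reachable over the network.
    """
    return [u for u in slapd_h_arg.split() if urlsplit(u).scheme == "ldap"]


def parse_ldap_conf(text: str) -> dict[str, str]:
    """Parse the 'key value' lines of a pam_ldap/nss_ldap ldap.conf.
    Keys are case-insensitive; comments and blank lines are skipped."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def tls_enforced(conf: dict[str, str]) -> bool:
    """True if every connection this client opens will be encrypted:
    'ssl start_tls' (STARTTLS on the ldap:// port), or 'ssl yes' together
    with an ldaps:// uri or port 636 (the ldaps port named in the thread).
    A mixed uri list with any plain ldap:// entry is treated as not enforced."""
    ssl = conf.get("ssl", "no").lower()
    if ssl == "start_tls":
        return True
    if ssl in ("yes", "on", "true"):
        uri = conf.get("uri", "")
        if uri:
            return all(urlsplit(u).scheme == "ldaps" for u in uri.split())
        return conf.get("port") == "636"
    return False


# Constructed sample ldap.conf matching the settings asked about in the reply.
SAMPLE_CONF = """\
host ldap.example.test   # constructed hostname
base dc=example,dc=test
ssl yes
port 636
"""
```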