[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: about TLS and Openldap ...

To: Susanne Benkert <benkerts@emt.iis.fhg.de>
Subject: Re: about TLS and Openldap ...
From: Waldemar Brodkorb <waldemar@thinknow.de>
Date: Fri, 21 Dec 2001 17:06:20 +0100
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <3C22FD1F.8050102@emt.iis.fhg.de>
References: <B0000688802@professeur3.enic.fr> <3C21BCBC.3040201@emt.iis.fhg.de> <20011220141954.D664@thinknow.de> <3C22FD1F.8050102@emt.iis.fhg.de>
User-agent: Mutt/1.3.20i

Hi Susanne, 
>From the keyboard of Susanne,
> Hi,
> Waldemar Brodkorb wrote:
> 
> >Your slapd binds to port 636/ldapssl and 389/ldap.
> >If you don't remove 'ldap:///' your server will also respond on non
> >encrypted traffic.
> 
> I removed "ldap:///"; and tested it with PHP - the same log as before. 
> But testing with GQ and pam/nss does'nt work properly. I think it's 
> because these clients don't use ldaps over port 636 but start_tls over 
> port 389. Is this a security problem? 

No, I think not. pam_ldap and nss_ldap supports ldaps, gq and slurpd
AFAIK not.

> Also I tried they don't use Port 
> 636, but I thought start_tls is as save as ldaps?????
 
It is. 
Probably I misunderstood your last posting you wrote:
"the log output shows, that TLS is used in all communications, but
some of the packages I see are in clear text."

How do you acquire the logging information? 
tcpdump/ethereal or logfiles?
Looking at your attachment I guess you analyze your logs.
If an intruder can take a look at the logs it is too late for
encrypting passwords in a network session ;)
To avoid these debugging info's use a smaller loglevel in your
slapd.conf. After I finished the configuration of my LDAP server I
simply set it to zero.

> >And so you have to be sure that all your LDAP clients use TLS on
> >Port 636 or STARTTLS on port 389 to communicate with the server.
> 
> All clients open and close TLS connections and send at least some of the 
> data with encryption.
> 
> Only some packages can be read as cleartext in log output. I attached some 
> typical lines from this output.
> 
> >Is 'ssl yes' & 'port 636'  set in your pam_ldap & pam_nss configuration 
> >files?
> 
> My ldap.conf witch is used by pam_ldap and nis_ldap is also attached to 
> this mail. I alredy tried to set "port 636", but in this case the client 
> can't connect the Ldap-server anyway. But it uses start_tsl.


My working pam_ldap config (pam_ldap 118) as example:
host server
base o=thinknow,c=de
ldap_version 3
port 636
pam_filter objectclass=account
pam_login_attribute uid
pam_password crypt
ssl yes

bye
    Waldemar

-- 
Are your questions smart enough?
http://www.tuxedo.org/~esr/faqs/smart-questions.html

References:
- SASL authentication and simple bind
  - From: Jacques Landru <landru@enic.fr>
- about TLS and Openldap ...
  - From: Susanne Benkert <benkerts@emt.iis.fhg.de>
- Re: about TLS and Openldap ...
  - From: Waldemar Brodkorb <waldemar@thinknow.de>
- Re: about TLS and Openldap ...
  - From: Susanne Benkert <benkerts@emt.iis.fhg.de>

Prev by Date: Re: backup / restore over network
Next by Date: Fwd: Re: current state of PGP w/ openLDAP backend? / PGP schema
Index(es):
- Chronological
- Thread