[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP 2.1 Released



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> Fredriksson

>     Howard> With the in-directory SASL-secret support in 2.1, the
>     Howard> userPassword attribute is directly used by many of the
>     Howard> SASL mechanisms. E.g., DIGEST-MD5 and CRAM-MD5 both start
>     Howard> with the plaintext password and generate their secrets
>     Howard> based on that. As such, if you care about the security of
>     Howard> your database, you should make sure that Simple Binds are
>     Howard> never used over an unprotected connection, otherwise all
>     Howard> of your SASL mechanisms' security will be breached at
>     Howard> once.

> How exactly do I do that? I've tried 'sasl-secprops minssf=0' (and some
> variants of that) but never got it working properly.

I believe that would have enabled SASL with no security layer. You
should have used something like "security ssf=56" instead.
>
> Just removing any 'by dn=uid=...' etc from my slapd.conf won't make it
> impossible to use it, it just TRIES (but fail because of no
> authorization).

Yes. Unfortunately there's no way for the server to prevent an arbitrary
client
from sending a cleartext Simple Bind request, aside from turning off the
cleartext ldap port and only listening on ldaps. The best thing you can do
is to make sure that the clients you can control are written to use SASL or
TLS...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support