openldap, libnss-ldap, libpam-ldap, ssl/tls and su
- To: openldap-software@OpenLDAP.org
- Subject: openldap, libnss-ldap, libpam-ldap, ssl/tls and su
- From: Willi Schiegel <willi.schiegel@microdiscovery.de>
- Date: Fri, 13 Dec 2002 11:24:10 +0100
- Organization: MicroDiscovery GmbH
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
Hello All,
is it possible to force tools like the switch user command "su" to use
encrypted connections to an OpenLDAP server?
Here is what I have.
Debian 3.0, OpenLDAP compiled with ssl enabled, libnss-ldap and
libpam-ldap compiled with ssl enabled on the server and on a test client.
On the server slapd.conf has
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/slapd.pem
TLSCertificateKeyFile /etc/ldap/slapd.key
On the server ldap.conf has
ssl start_ssl
On the client the ldap.conf has
ssl start_tls
On server and client the pam modules for login, passwd and su are ldap
enabled.
Everything works fine but when I change the user on the client with su
and watch the traffic on the ethernet interface of the server with
ethereal I can see that there are two bind requests with clear text
passwords. The first one uses the admin account of the ldap server, the
second one the account I start the su command with. Switching to the
user works, but the passwords are sent in clear text format.
Can someone help, did I miss one of the central concepts of the
authentication chain?
Thank you very much.
Greetings
Willi Schiegel
--
Willi Schiegel, MicroDiscovery GmbH
Marienburger Strasse 1, D-10405 Berlin, Germany
Tel.: +49-(0)30-44350900, Fax: +49-(0)30-443509010
willi.schiegel@microdiscovery.de http://www.microdiscovery.de
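The two cleartext bind requests described in the post are easy to confirm (or to watch for on an ongoing basis) by decoding the LDAP BindRequest from captured TCP payloads. The following is an added example, not code from the original post or from OpenLDAP: a minimal BER decoder that flags simple binds whose password is readable in a plaintext capture. The capture records, the 10.0.0.5 client address and the DNs are constructed assumptions; a session already upgraded by StartTLS shows up as opaque TLS records and is correctly ignored.

```python
def _tlv(tag, value):  # minimal BER encoder, short-form lengths only; builds the sample data
    return bytes([tag, len(value)]) + value

def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }."""
    op = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))

def _read_tlv(buf, pos):
    """Decode one BER TLV at pos -> (tag, value, next_pos); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = length byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(msg):
    """Return {'version','dn','password'} for a simple BindRequest, else None (e.g. a TLS record)."""
    try:
        tag, body, _ = _read_tlv(msg, 0)
        if tag != 0x30:                                # LDAPMessage is a SEQUENCE
            return None
        _, _, pos = _read_tlv(body, 0)                 # messageID
        op_tag, op, _ = _read_tlv(body, pos)
        if op_tag != 0x60:                             # [APPLICATION 0] BindRequest
            return None
        _, version, pos = _read_tlv(op, 0)
        _, dn, pos = _read_tlv(op, pos)
        auth_tag, auth, _ = _read_tlv(op, pos)
    except (IndexError, ValueError):
        return None
    return {"version": version[0], "dn": dn.decode(errors="replace"),
            "password": auth.decode(errors="replace") if auth_tag == 0x80 else None}  # [0] simple

def find_cleartext_binds(records):
    """records: (src, dst_port, TCP payload) seen in the clear; a parsable simple bind = no TLS."""
    alerts = []
    for src, dport, payload in records:
        info = parse_bind_request(payload)
        if info and info["password"] is not None:
            alerts.append(f"{src} -> :{dport} cleartext simple bind as {info['dn']}")
    return alerts

CAPTURE = [  # constructed sample: the two binds the post describes, then a segment already under TLS
    ("10.0.0.5", 389, build_simple_bind(1, "cn=admin,dc=example,dc=com", "s3cret")),
    ("10.0.0.5", 389, build_simple_bind(2, "uid=willi,ou=people,dc=example,dc=com", "hunter2")),
    ("10.0.0.5", 389, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # TLS record header + bytes
]
```

Feeding real payloads (for example the data of each TCP segment towards port 389 exported from ethereal) to `find_cleartext_binds` gives one alert per simple bind that was not protected by StartTLS or ldaps.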