
openldap, libnss-ldap, libpam-ldap, ssl/tls and su



Hello All,

is it possible to force tools like the switch user command "su" to use encrypted connections to an OpenLDAP server?

Here is what I have.
Debian 3.0, OpenLDAP compiled with ssl enabled, libnss-ldap and libpam-ldap compiled with ssl enabled on the server and on a test client.


On the server slapd.conf has

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/slapd.pem
TLSCertificateKeyFile /etc/ldap/slapd.key

On the server ldap.conf has

ssl start_ssl

On the client the ldap.conf has

ssl start_tls

On server and client the pam modules for login, passwd and su are ldap enabled.

Everything works fine, but when I change the user on the client with su and watch the traffic on the ethernet interface of the server with ethereal, I can see that there are two bind requests with clear text passwords. The first one uses the admin account of the ldap server, the second one the account I start the su command with. Switching to the user works, but the passwords are sent in clear text format.
Can someone help, did I miss one of the central concepts of the authentication chain?


Thank you very much.

Greetings

	Willi Schiegel

--
Willi Schiegel, MicroDiscovery GmbH
Marienburger Strasse 1, D-10405 Berlin, Germany
Tel.: +49-(0)30-44350900, Fax: +49-(0)30-443509010
willi.schiegel@microdiscovery.de http://www.microdiscovery.de
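An added configuration check for the situation described in this mail; it is not part of the original post or of OpenLDAP, nss_ldap or pam_ldap. It parses a PADL-style nss_ldap/pam_ldap ldap.conf and reports settings under which simple binds are not protected, assuming the `ssl` directive accepts the values on, yes, off and start_tls and that `tls_checkpeer` defaults to no; the embedded configs are constructed from the two fragments quoted above.

```python
"""Flag nss_ldap/pam_ldap client settings that leave LDAP binds in cleartext.

Added example for this thread, not code from the original mail or from the
packages it names. Assumptions: the PADL-style 'ssl' directive accepts
on, yes, off or start_tls, and 'tls_checkpeer' defaults to no.
"""
from typing import Dict, List

SSL_VALUES = {"on", "yes", "start_tls", "off"}   # assumed accepted values


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Map each directive (lower-cased) to its value; later lines win."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means binds are protected."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    ssl = conf.get("ssl", "off").lower()
    if ssl not in SSL_VALUES:
        findings.append(f"ssl '{ssl}' is not a recognised value: "
                        "TLS is not guaranteed to be negotiated")
    elif ssl == "off":
        findings.append("ssl off: simple binds carry the password in cleartext")
    if ssl in ("on", "yes", "start_tls") and \
            conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not yes: the server certificate "
                        "is not verified")
    return findings


# Constructed from the two ldap.conf fragments quoted in the mail.
SERVER_CONF = "ssl start_ssl\n"
CLIENT_CONF = "ssl start_tls\n"

if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(name, audit(conf) or ["ok"])
```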