[Date Prev][Date Next] [Chronological] [Thread] [Top]

openldap, libnss-ldap, libpam-ldap, ssl/tls and su

To: openldap-software@OpenLDAP.org
Subject: openldap, libnss-ldap, libpam-ldap, ssl/tls and su
From: Willi Schiegel <willi.schiegel@microdiscovery.de>
Date: Fri, 13 Dec 2002 11:24:10 +0100
Organization: MicroDiscovery GmbH
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0

Hello All,

is it possible to force tools like the switch user command "su" to use encrypted connections to a OpenLDAP server?

Here is what I have. Debian 3.0, OpenLDAP compiled with ssl enabled, libnss-ldap and libpam-ldap compiled with ssl enabled on the server and on a test client.

On the server slapd.conf has

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/slapd.pem
TLSCertificateKeyFile /etc/ldap/slapd.key

On the server ldap.conf has

ssl start_ssl

On the client the ldap.conf has

ssl start_tls

On server and client the pam modules for login, passwd and su are ldap enabled.

Everything works fine but when I change the user on the client with su and watch the traffic on the ethernet interface of the server with ethereal I can see that there are two bind requests with clear text passwords. The first one uses the admin account of the ldap server, the second one the account I start the su command with. Switching to the user works, but the passwords are send in clear text format. Can someone help, did I miss one of the central concepts of the authentication chain?

Thank you very much.

Greetings

	Willi Schiegel

--
Willi Schiegel, MicroDiscovery GmbH
Marienburger Strasse 1, D-10405 Berlin, Germany
Tel.: +49-(0)30-44350900, Fax: +49-(0)30-443509010
willi.schiegel@microdiscovery.de http://www.microdiscovery.de

Prev by Date: Re: outlook and openldap
Next by Date: PHP 4.1.2 && err=50 (no write access to parent)
Index(es):
- Chronological
- Thread