LDAP and TLS/SSL (was: Re: Afg! Client won't use LDAP)
Tony Earnshaw wrote:
> It is certainly supported by Openldap 2.1.x (I use 2.1.12 and have used
> SSL since 2.1.4, TLS since 2.1.10) and, though apparently undocumented,
> also by (later?) 2.0.x. You don't state which version of Openldap you
> use.
I'm using 2.0.23. I've also discovered something a bit disturbing with
TLS and SSL.
The server is set up with its SSL and TLS certs.
IF I put 'ssl start_tls' in ldap.conf on the clients, I can see the
traffic on port 389 and it's in _plain text_. At some point the client
should issue 'start_tls' and from then on it should be encrypted. But
it's not.
BUT IF I put "URI ldaps://ip.of.my.host/" in the ldap.conf on the
clients, and then I sniff 636 I see encrypted channel with no plain text
data (other than the SSL certificate being passed). And of course I see
no traffic on port 389.
So that leaves me with a few questions:
1. Why the heck doesn't start_tls work?
2. Are there other options to the 'ssl' option, such as perhaps "on"
that tell it to use regular SSL (as opposed to TLS)?
3. Are there options to the slapd.conf file to tell it to NOT allow
plain text options?
--
Phil Dibowitz phil@ipom.com
Freeware and Technical Pages Insanity Palace of Metallica
http://home.earthlink.net/~jaymzh666/ http://www.ipom.com/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759
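An added example, not part of this thread and not from either poster, showing the server-side and client-side settings that bear on questions 2 and 3 above. Host names, file paths and the base DN are placeholders. The directives are the ones documented in slapd.conf(5) and ldap.conf(5) for OpenLDAP 2.1; whether 2.0.23 honours the `security` directive should be checked against that release's own man page. One caveat worth knowing when reading the post: `ssl start_tls` and `ssl on` are directives of PADL nss_ldap/pam_ldap's /etc/ldap.conf, not of OpenLDAP's own libldap ldap.conf, so they have no effect on the OpenLDAP command-line tools, which request StartTLS with the -Z/-ZZ options instead.

```conf
# --- slapd.conf (server): serve TLS and refuse cleartext operations ---
# Certificate material; paths are placeholders.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/slapd-key.pem

# Global: any operation on a session whose security strength factor is
# below 128 is rejected. TLS with a 128-bit cipher (or an equally strong
# SASL layer) satisfies it; a cleartext session on 389 does not, so a
# client that never issues StartTLS gets "Confidentiality required".
security ssf=128

# slapd must be told to listen on 636 as well as 389; ldaps:// is not
# enabled by the TLS* directives alone:
#   slapd -h "ldap:/// ldaps:///"

# --- ldap.conf (OpenLDAP libldap client, e.g. /etc/openldap/ldap.conf) ---
BASE        dc=example,dc=com
# Either StartTLS on 389 (the tools add it with -Z/-ZZ) ...
URI         ldap://ldap.example.com/
# ... or ldaps on 636, as in the post:
#   URI         ldaps://ldap.example.com/
TLS_CACERT  /etc/openldap/cacert.pem
# Refuse to continue if the server certificate does not verify.
TLS_REQCERT demand
```

With the server side in place, `ldapsearch -x -ZZ -b dc=example,dc=com -s base` should succeed (the doubled -ZZ makes the tool fail rather than silently fall back to cleartext if StartTLS is refused), while the same search without -Z should be rejected with a confidentiality-required error. Running `tcpdump -n port 389` alongside the -ZZ search should show only the initial StartTLS extended operation in the clear, which is the check the post describes for port 636.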