
RE: Secure LDAP Query from a clear text request



-----Original Message-----
>>>From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Doug Pitek

Hello all:

I am currently in a position where a "black box" solution that we utilize
needs to access an LDAP host.  The "black box" does not have the ability to
make a secure request to an internal S-LDAP host, and this is where the
problem lies.  The kicker is that the black box solution lies within an
unsecured network segment.  I need to apply a solution where the transport
layer is secured in order to traverse the firewalled segment.  On the
internal side, I have a secure LDAP cluster to answer these requests.  The
proxy host that I have available would be a FreeBSD kernel.

My first (and only) thought so far, is to have a LDAP proxy server on the
unsecured segment, in which it will rebuild the request into the S-LDAP
(TLS/SSL) version and allow that host to request the data to our internal
network.  I am not exactly too happy with that solution though.  What other
type of solutions are out there, and is my first thought even possible?
<<<
It is trivially easy to set up OpenLDAP's back-ldap to proxy in this
situation, but that doesn't really solve your security issues. If your black
box is on an insecure network, and can only make plaintext queries, then it
is necessarily making insecure plaintext queries to your FreeBSD proxy host
as well. Unless you can put the proxy host and the black box on a private
network segment of their own, you still have that traffic to worry about. And
of course, you should strip everything else off that FreeBSD box since it's
also going to be sitting out, open to attack.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
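A minimal back-ldap configuration for the proxy Howard describes (plaintext listener toward the black box, TLS toward the internal cluster), as an added example that is not part of the original thread. It assumes OpenLDAP 2.4 slapd.conf syntax on the FreeBSD host; the suffix dc=example,dc=com, the internal hostnames ldap1/ldap2.internal.example.com, the CA file path, the listener address 192.0.2.1 and the black-box subnet 192.0.2.0/24 are all hypothetical.

```conf
# /usr/local/etc/openldap/slapd.conf on the FreeBSD proxy (hypothetical names and paths)
include         /usr/local/etc/openldap/schema/core.schema

database        ldap
suffix          "dc=example,dc=com"                             # assumed suffix

# Two members of the internal S-LDAP cluster; slapd fails over along the list.
uri             "ldap://ldap1.internal.example.com ldap://ldap2.internal.example.com"

# Upgrade every proxied connection with StartTLS and demand a certificate that
# chains to our internal CA.  'start' (not 'try-start') means a failed TLS
# handshake aborts the operation instead of silently falling back to plaintext.
tls             start tls_reqcert=demand tls_cacert=/usr/local/etc/openldap/internal-ca.pem

# Hand referrals back to the client rather than chasing them from this host.
chase-referrals no

# Forward the black box's own bind instead of binding with a fixed privileged
# identity, so no backend credential is stored on this exposed host.
rebind-as-user  yes

# Release search results only to the black box's segment.  back-ldap delegates
# most access checking to the remote server; this read check on returned
# entries is the part the frontend still enforces.
access to *
        by peername.ip=192.0.2.0%255.255.255.0 read             # assumed subnet
        by * none

# Start the listener on the interface facing the black box only (plaintext,
# because the box cannot speak TLS) and bind nothing else on this host:
#   slapd -h "ldap://192.0.2.1:389/" -f /usr/local/etc/openldap/slapd.conf
```

The proxy does not remove the exposure Howard points out: the hop from the black box to 192.0.2.1 is still cleartext, so the listener should additionally be fenced with the host firewall (pf on FreeBSD) to the black box's address, and the box should run nothing but slapd.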