
Re: forcing encryption for external server access while allowing unencrypted localhost connections



Chris Paul wrote:

> No, what I'm looking for is something like this in slapd.conf
>
> host 10.10.10.10:389 security ssf=128
> host 127.0.0.1:389 security ssf=0
>
> I want to be able to specify which listeners require encryption.

I've read your postings and to me they're crystal clear.

I've seen, however, several responses along the lines of "I
understand what you want."  But when I read those responses
closely I gather that there is still misunderstanding.

The fact is that there is ALREADY a mechanism in OpenLDAP
that assigns an SSF to ldapi connections (that use a Unix-
domain socket).  That SSF has nothing to do with encryption
algorithm and strength.  Encryption strengths do play into SSF
values, yes.  But the reason an ldapi connection gets an SSF
of 71 is simply that an ldapi connection is hard for a would-
be attacker to make use of.  An ldapi connection accomplishes
the same thing as certain encryption grades, but in a different
way.

Now here's the key:

A connection over a local interface is also hard for a would-
be attacker to make use of.  Maybe not as hard as an ldapi
connection.  But it's harder than, say, a TCP/IP connection
over a non-local interface.

So LDAP administrators should have the option of specifying
an SSF for connections over INET domain sockets using local
interfaces.  Interfaces have associated addresses, so Chris's
idea of allowing sysadmins to assign SSFs based on peer IP
addresses is certainly one way to go at the problem.

There may also be VPNs or dedicated links for traffic to
specific hosts.

Chris's suggestion is interesting, I think.

Note:  This is not at all the same thing as security ssf=1,
as Chris and I have both pointed out.

--

Richard Goerwitz                               richard@Goerwitz.COM
tel: 507 645 7015
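The following slapd.conf fragment is an added illustration and is not part of the thread or of OpenLDAP's own documentation. It shows the two mechanisms the message refers to (the assigned SSF for ldapi sessions, and the global `security ssf=` minimum that applies to every listener alike) next to the ACL-based alternative a practitioner would usually reach for today: the `peername` and `ssf` qualifiers from slapd.access(5). The addresses 10.10.10.10 and 127.0.0.1 follow the thread; the suffix, the database type and the ldapi socket path are placeholders.

```conf
# Added example, not from the post. Placeholders: suffix, database type,
# ldapi socket path.

# (1) What exists today: the SSF assigned to ldapi:// sessions (Unix-domain
#     socket). Default is 71. It is assigned rather than negotiated, so it can
#     be raised so that ldapi clients clear a global minimum of 128.
localSSF   128

# (2) The global minimum. It applies to every listener alike: an ldap://
#     session from 127.0.0.1 without TLS carries SSF 0 and is refused exactly
#     like one from a remote host. That is the limitation the thread is about,
#     so it is left commented out here in favour of (3).
# security   ssf=128

database   mdb
suffix     "dc=example,dc=com"

# (3) Per-peer alternative: require SSF >= 128 unless the peer is local.
#     Each "by" clause is tried in order; the first matching one wins.
#     Caveats: this is evaluated per operation on directory data, not at the
#     listener; it keys on the peer's source address, not on the interface the
#     connection arrived on; and it does not cover the bind itself the way
#     the security directive does.
access to *
    by peername.ip=127.0.0.1 read
    by peername.path="/var/run/slapd/ldapi" read
    by ssf=128 read
    by * none
```

The `ssf=128` qualifier matches any session whose effective SSF is at least 128, whether that comes from TLS, a SASL security layer, or the `localSSF` value given to an ldapi session. A plaintext ldap:// session from 10.10.10.10 matches none of the first three clauses and falls through to `by * none`, which is the effect Chris's hypothetical per-listener syntax was after, with the caveats noted in the comments.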