
Re: OpenLDAP issues when connecting over SSL

--On Monday, January 22, 2007 4:42 PM +1100 Jean-Yves Avenard <jyavenard@gmail.com> wrote:

Hi

On 1/22/07, Kurt D. Zeilenga <Kurt@openldap.org> wrote:
You might ask on a list supporting the particular client you
are using how to configure this client to secure LDAP with TLS
(SSL).


Your previous post actually helped me identify the issue with this
client, and I can get it to work now.
The problem was (as you suggested) that even though it was using port
636, it would issue a Start TLS call, which on an SSL connection isn't
going to work.
I've raised a bug with the supplier on this matter.

Using port 636 (SSL) was an LDAP V2 hack, and was never an officially supported operation. TLS over port 389 is part of the LDAP v3 specifications, and is supported. Vendors doing start TLS are actually being LDAP v3 compliant. Vendors doing SSL over 636 are using an old non-standardized way of doing SSL.


As noted by Kurt, you can force connections to use encryption, using the "security" statement. I'm not quite sure why you aren't figuring this out via the slapd.conf man page, it is pretty clear:

    security <factors>
         Specify a set of security strength  factors  (separated
         by  white space) to require (see sasl-secprops's minssf
         option for a description of security strength factors).
         The  directive  may  be  specified globally and/or per-
         database.   ssf=<n>  specifies  the  overall   security
         strength factor.  transport=<n> specifies the transport
         security strength factor.  tls=<n>  specifies  the  TLS
         security  strength factor.  sasl=<n> specifies the SASL
         security strength factor.  update_ssf=<n> specifies the
         overall   security   strength  factor  to  require  for
         directory updates.  update_transport=<n> specifies  the
         transport  security  strength  factor  to  require  for
         directory updates.  update_tls=<n>  specifies  the  TLS
         security  strength  factor  to  require  for  directory
         updates.  update_sasl=<n> specifies the  SASL  security
         strength  factor  to  require  for  directory  updates.
         simple_bind=<n> specifies the security strength  factor
         required  for  simple username/password authentication.
         Note that the transport factor is measure  of  security
         provided  by  the  underlying  transport, e.g. ldapi://
         (and eventually IPSEC).  It is not normally used.


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
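A slapd.conf fragment showing the "security" directive quoted above with the weak default beside the hardened setting, added here as an illustration rather than taken from the thread or from the OpenLDAP sources; the certificate paths are placeholders.

```conf
# Added example slapd.conf fragment; certificate paths are placeholders.
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server-key.pem

# Weak: with no "security" line, a client that connects to
# ldap://host:389 and never sends StartTLS binds and searches in
# cleartext, password included, and slapd accepts it silently.
#
# Hardened: require a 128-bit security strength factor for every
# operation, for simple binds and for updates.  With TLS the SSF is
# the cipher's key size, so AES-128 or stronger satisfies it whether
# the session was protected by StartTLS on 389 or by ldaps:// on 636.
# A cleartext request is refused with "Confidentiality required (13)"
# before any credentials or directory data cross the wire.
security ssf=128 simple_bind=128 update_ssf=128

# ldapi:// (Unix socket) sessions get a transport SSF of 71 by default,
# which does not meet 128 and would lock out local admin tools; either
# raise it, as below, or use tls=128 instead of ssf=128 if TLS itself
# is what you want to insist on.
localSSF 128
```

Verify from a client by running the same ldapsearch with `-ZZ` on ldap:// (StartTLS) or against ldaps://, then without either, and confirm the cleartext attempt is the one rejected.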