[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: insecure, convenient use of SSL

To: Jason Dusek <jason.dusek@gmail.com>
Subject: Re: insecure, convenient use of SSL
From: Michael StrÃder <michael@stroeder.com>
Date: Fri, 11 Apr 2008 11:24:42 +0200
Cc: openldap-software@openldap.org
In-reply-to: <42784f260804101642k756f7b3fw564af38b3339fe2@mail.gmail.com>
References: <42784f260804071743v5fc1468aw5035467df632879d@mail.gmail.com> <42784f260804101642k756f7b3fw564af38b3339fe2@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9

Jason Dusek wrote:

 I'd like to set up LDAP command line tools to point to a server
 -- say localhost -- that has a certificate with an arbitrary
 name in it -- say `my-domain.com`.

 I'm not entirely sure how to my LDAP tools to do that, though
 -- or if it's possible. By default, OpenLDAP is wound up pretty
 tight.

You shouldn't use SSL in such a insecure way. I'd recommend to listen on localhost in clear and listen on external interface with SSL. There's no point in accessing ldaps://localhost except for testing.

slapd -h "ldap://127.0.0.1 ldaps://0.0.0.0"

This doesn't allow using StartTLS extended operation on the external interface though.

Or even better use ldapsearch -H ldapi:// (preferrably with SASL/EXTERNAL bind -Y EXTERNAL) for local access if the client apps support it.

slapd -h "ldap://127.0.0.1 ldapi:// ldaps://0.0.0.0"

Ciao, Michael.

Follow-Ups:
- Re: insecure, convenient use of SSL
  - From: "Jason Dusek" <jason.dusek@gmail.com>

References:
- insecure, convenient use of SSL
  - From: "Jason Dusek" <jason.dusek@gmail.com>

Prev by Date: Re: error while adding entry using ldap.jar JAVA API
Next by Date: Re: ppolicy
Index(es):
- Chronological
- Thread