Re: forcing encryption for external server access while allowing unencrypted localhost connections
Robert Henjes <henjes@informatik.uni-wuerzburg.de> writes:
> Sorry for reopening / reasking the following issue.
>
> I tried to scan through all posts, but this answer seemed to be the
> closest one to my problem. (We're using OpenLDAP 2.4 on Debian Lenny)
[...]
> Situation: For deployment we want to use TLS client certificates, as
> far as possible, using TLS encryption all the way long.
>
> Problem: Apache Directory Studio, as well as JXplorer do not support
> (TLS) client certificate verification, what is agreed not to be a
> topic of openldap. But anyway...
Why do you use these broken clients at all? There are administration
clients that support TLS and StartTLS and most of the extended
operations.
> My proposed solution:
> * All clients, which support client certificate verification, should
>   directly connect using TLS to the LDAP server.
> * All clients, esp. the management tools, should establish a ssh-tunnel
>   to the server and connect through localhost entity.
> * (optional) specific clients should be able to connect via specific
>   access rules (but this is a future topic ;) )
>
[...]
> # Security considerations (TESTING!!!!)
> # http://www.openldap.org/lists/openldap-software/200409/msg00535.html
> # access from 127.0.0.1 without encryption
> access to dn.subtree="dc=example,dc=com"
>     by peername.ip=127.0.0.1 write
>     by * none break
> # worldwide access requires tls encryption
> access to dn.subtree="dc=example,dc=com"
>     by ssf=128 write
>     by * none
If your question is only related to unencrypted connections from
localhost, why don't you connect via the local socket only? That is, via
ldapi:///
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
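The following slapd.conf fragment is an added example and is not part of the thread or of OpenLDAP's own documentation. It shows what the ldapi:/// suggestion above looks like when combined with the access rules from the quoted configuration: management tools use the Unix-domain socket, everything on TCP must have negotiated TLS. The socket path /var/run/slapd/ldapi and the suffix dc=example,dc=com are assumptions. One caveat the quoted configuration runs into: an ldapi connection is not a 127.0.0.1 peer and is assigned the SSF set by localSSF (71 by default), so a bare "by ssf=128" requirement would deny it unless localSSF is raised or the socket is matched explicitly, as below.

```conf
# Added example, not from the thread. Assumes OpenLDAP 2.4 slapd.conf syntax,
# an ldapi listener (slapd -h "ldap:/// ldapi:///") and the Debian socket
# path /var/run/slapd/ldapi; both path and suffix are assumptions.

# Security strength factor credited to ldapi:// sessions (default is 71).
# Raised to 128 so the global requirement below does not lock out the
# local socket that the management tools use.
localSSF 128

# Anything below 128 bits of protection may not simple-bind or update.
# Unencrypted ldap:// from any address, 127.0.0.1 included, is refused
# until StartTLS has been negotiated; ldaps:// and ldapi:// pass.
security ssf=128 simple_bind=128 update_ssf=128

access to dn.subtree="dc=example,dc=com"
    # local Unix-domain socket: peername.path matches the ldapi socket
    by peername.path=/var/run/slapd/ldapi write
    # TLS negotiated with at least a 128-bit cipher, from anywhere
    by tls_ssf=128 write
    # everything else (plain TCP, whatever the source address) gets nothing
    by * none
```

Unlike the quoted rules, this version does not need "none break" between two clauses: the socket and the TLS case are decided in one access statement, and the global security directive refuses weak sessions before they can even bind. Whether a given session satisfies it can be checked with "ldapwhoami -H ldapi:/// -Y EXTERNAL" (succeeds) versus "ldapwhoami -H ldap://127.0.0.1/ -x -D ... -W" without -ZZ (refused with a confidentiality-required error).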