[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Enforce remote SSL/TLS

To: openldap-technical@openldap.org
Subject: Re: Enforce remote SSL/TLS
From: Raffael Sahli <public@raffaelsahli.com>
Date: Thu, 24 Nov 2011 16:27:40 +0100
In-reply-to: <4ECE5A7A.2070708@chemische-binding.nl>
References: <4ECD1A07.3060609@chemische-binding.nl> <20111123165102.GC4524@dan.olp.net> <4ECE5A7A.2070708@chemische-binding.nl>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20110917 Thunderbird/7.0

On 11/24/2011 03:53 PM, Kasper Loopstra wrote:

On 11/23/2011 05:51 PM, Dan White wrote:
On 23/11/11 17:06 +0100, Kasper Loopstra wrote:
Dear list,
We are using PAM to authenticate posixUsers against OpenLDAP. Thisworks great, and allows 'local' (ssh) logins. However, we also useLDAP for a number of other services, including remote access andediting via other software. This means we would like to keep ourusers passwords as secure as possible, and enforce encrypted loginsfor all remote hosts. However, PAM should still be able toauthenticate. The manner of encryption is not really important, itjust has to be strong enough to be useful over the internet, andusable for all (or most) clients.
We have tried various solutions with ssf directives in/etc/ldap/slapd.conf as well as the security tls=1 directive. All ofthese attempts broke PAM.
Which PAM ldap module are you using? with PADL's module, you'd want to
configure 'ssl on' (for ldaps:///) or 'ssl starttls' (for starttls over
ldap:///) and also configure the tls_* settings appropriately.
We're using libpam-ldap from Debian, which is indeed the PADL moduleaccording to the comments. Is it really necesary to use SSL whencommunicating within localhost? If it is, that's fine, it just doesn'tseem to be the right way to handle local traffic.

No, it isn't necesary, or you can use ldapi://

For your slapd configuration, see the slapd.conf manpage - the TLS*
options, as well as the 'security' option. If you are wishing to perform
secure connections over ldaps:///, verify that in your slapd initscript,
that you are passing 'ldaps:///' as one of your '-h' command line
parameters.
According to the init file provided by Debian, it seems to be usingthe conf file for this information. Is that correct/possible, orshould we be asking the Debian people?

Debian takes the default config /etc/default/slapd for daemon relatedparameters


Thanks for the quick response,

Kasper Loopstra



--
Raffael Sahli
public@raffaelsahli.com

References:
- Enforce remote SSL/TLS
  - From: Kasper Loopstra <kasperl@chemische-binding.nl>
- Re: Enforce remote SSL/TLS
  - From: Dan White <dwhite@olp.net>
- Re: Enforce remote SSL/TLS
  - From: Kasper Loopstra <kasperl@chemische-binding.nl>

Prev by Date: Re: Enforce remote SSL/TLS
Next by Date: Re: Syncrepl error causes consumers to freeze
Index(es):
- Chronological
- Thread