
Re: OpenLDAP TLS server authority verification



Daniel Pocock wrote:
http://tools.ietf.org/html/rfc4513#section-3.1.3 gives some detail about
how a client should check an LDAP server's TLS certificate.  The
language used there is very general though.

Can anyone comment on how OpenLDAP does this, and whether it can be
tweaked from the client side (e.g. through settings in
/etc/ldap/ldap.conf or URI parameters) to mandate a particular policy
for choosing the `reference identity'?

From RFC 4513, "The client determines the type (e.g., DNS name or IP
address) of the reference identity and performs a comparison between the
reference identity and each subjectAltName value of the corresponding
type until a match is produced" is very vague.

My understanding of `reference identity' is that it should be a
statically/administratively configured value on the client host.  On the
other hand, a value derived/mapped from a network source (e.g. DNS SRV
lookup) can never be trusted as a reference identity.  To give an example:

Sounds like you understand it fine. In practice, there are no APIs that tell us whether a DNS lookup used DNSSEC or not. IMO relying on DNS SRV records is dicey, but as long as your certificate trust chains are intact it shouldn't be an issue.

ldap[12].outsource.com:
- are the OpenLDAP hosts (run by an external company)
- both have a TLS certificate with CN=ldap[12].outsource.com, and
subjectAltName mycompany.com

_ldap._tcp.mycompany.com:
- an SRV record pointing to ldap[12].outsource.com
- mycompany.com DNS is not secured (no DNSSEC)

webserver.mycompany.com:
- wants to authenticate a user logging in
- has dc=mycompany,dc=com statically configured in some cfg file, so it
trusts mycompany.com as a `reference identity'
- discovers ldap1.outsource.com from DNS SRV lookup on mycompany.com,
(so the LDAP client should not consider ldap1.outsource.com as a
reference identity, because it is a value from DNS)
- therefore, when it connects to ldap1.outsource.com, if the TLS
certificate contains CN=ldap1.outsource.com only, it would not trust the
connection,
- but when it finds the subjectAltName mycompany.com in the cert too, it
should trust the connection

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
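The scenario in the thread, worked through as an added example (not OpenLDAP's own code and not from either poster): the reference identity is the statically configured domain, the SRV target is only an address to connect to, and the certificate is checked against the reference identity. Assumptions: certificates are constructed dicts in the shape `ssl.SSLSocket.getpeercert()` returns, the subject CN is consulted only when the certificate has no dNSName subjectAltName (the RFC 6125 convention), and a wildcard is honoured only as the whole left-most label.

```python
"""RFC 4513 3.1.3-style server identity check: added example, not OpenLDAP code."""

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT_CN_ONLY = {"subject": ((("commonName", "ldap1.outsource.com"),),)}
CERT_WITH_SAN = {"subject": ((("commonName", "ldap1.outsource.com"),),),
                 "subjectAltName": (("DNS", "mycompany.com"),)}


def dns_match(reference: str, presented: str) -> bool:
    """Case-insensitive label comparison; '*' is honoured only as the whole
    left-most label and only when at least two labels follow it (assumption)."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres) or "" in ref or "" in pres:
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres


def server_identity_ok(reference_identity: str, peercert: dict) -> bool:
    """Match the reference identity against dNSName subjectAltName values;
    the subject CN is consulted only if the cert carries no dNSName at all
    (RFC 6125 convention, chosen here as an assumption)."""
    san_dns = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(dns_match(reference_identity, v) for v in san_dns)
    return any(attr == "commonName" and dns_match(reference_identity, value)
               for rdn in peercert.get("subject", ()) for attr, value in rdn)


def check_srv_discovered_server(configured_domain: str, srv_target: str,
                                peercert: dict) -> dict:
    """Policy from the thread: the reference identity is the statically
    configured domain; the SRV target is only where to connect.  The result
    also shows what a naive client that trusts the SRV target would accept."""
    return {
        "connect_to": srv_target,
        "reference_identity": configured_domain,
        "accepted": server_identity_ok(configured_domain, peercert),
        "naive_client_would_accept": server_identity_ok(srv_target, peercert),
    }


if __name__ == "__main__":
    for name, cert in (("CN only", CERT_CN_ONLY), ("CN + SAN", CERT_WITH_SAN)):
        print(name, check_srv_discovered_server("mycompany.com",
                                                "ldap1.outsource.com", cert))
```

With the CN-only certificate the policy rejects the connection while a naive client keyed on the SRV target accepts it; with the subjectAltName mycompany.com present the policy accepts it.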