[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Disallow ldap operations without start_tls

To: Michael Ströder <michael@stroeder.com>, Joshua Schaeffer <jschaeffer0922@gmail.com>, openldap-technical@openldap.org
Subject: Re: Disallow ldap operations without start_tls
From: Howard Chu <hyc@symas.com>
Date: Tue, 16 Feb 2016 02:12:05 +0000
In-reply-to: <56C27841.4060307@stroeder.com>
References: <56C243ED.2070402@gmail.com> <56C27841.4060307@stroeder.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 SeaMonkey/2.42a1

Michael Ströder wrote:

Joshua Schaeffer wrote:

When I try to do any sort of ldap operation without the -ZZ option then slapd
returns a "TLS confidentiality required" message as it should and as I expect.
However, If I sniff the wire, I still see the attempted bind request with my DN
and password in plaintext.

Is there any way to force clients to use start_tls without sending any
credentials over the wire (a.k.a. return an error message before a bind request
is actually submitted) or does this have to be controlled outside of OpenLDAP?


Simply use LDAPS (on separate port). It was never defined in a standard but most
LDAP-enabled software supports it.

Or just use ldaps on the standard port 389. If you only want TLS-protectedsessions there's no reason to support plaintext connections.

And no, there is no way for any setting on the server to prevent clients fromcontacting the server in whatever way they choose. If your clients default tosending in plaintext, you have to fix all of your clients.


Quanah's comment:

No, unfortunately that was not taken into consideration when the LDAP v3 spec was written.

is a bit of a red herring. The basics of the Bind operation were defined backin the 1980s in X.500. For performance reasons the protocol is designed with a1 message request -> 1 message response model. The only way to prevent aclient from sending credentials in the clear would be to break the Bindrequest into two message exchanges. Instead of

 "I want to Bind as DN xxx with password yyy" ->
     <- "OK"
you would have had to do something like
 "I want to Bind" ->
     <- "OK send me your credentials"
 "Here's my DN xxx and password yyy" ->
     <- "OK"

Taking twice as many messages would slow down authentication by 2x. Instead ofpessimizing the common case the design assumes that competent administratorshave set up both the clients and the servers.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Disallow ldap operations without start_tls
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>

References:
- Disallow ldap operations without start_tls
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Re: Disallow ldap operations without start_tls
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Disallow ldap operations without start_tls
Next by Date: Re: Disallow ldap operations without start_tls
Index(es):
- Chronological
- Thread