
Re: SASL2 and Openldap



--On Thursday, March 10, 2016 3:02 PM -0500 Jerry <jerry@seibercom.net> wrote:

On Thu, 10 Mar 2016 10:47:51 -0800, Quanah Gibson-Mount stated:

--On Thursday, March 10, 2016 1:05 PM -0500 Jerry <jerry@seibercom.net> wrote:

> I just started creating a new server with FreeBSD 11. I installed
> the openldap port. Now I am trying to figure out how to get sasl2
> up and running. Openldap is running fine now without it, but I want
> to secure it further. Can anyone suggest a good "How to" on how to
> accomplish this on a FreeBSD OS (if that makes any difference).
> Examples are welcomed :)

What is it you want to do, exactly?

Right now, it is my understanding that everything passes through in
clear text. I wanted to enforce TLS. Maybe it is not a big deal. I
have been reading where it is supposed to be a good idea.

I found this URL <http://www.openldap.org/faq/data/cache/185.html>. I am
going to give it a try and see what happens.

Enforcing TLS on the connection has zero to do with SASL. You /could/ set up SASL/EXTERNAL as an authentication mechanism by doing cert authentication, or you could use other SASL authentication mechanisms such as SASL/GSSAPI, etc., all of which also encrypt the connection as well. You can have (and there often is) TLS encryption on the connection in addition to encryption provided by various SASL mechanisms. However, a lot of software is brain dead and doesn't even know how to do SASL authentication, so invariably one ends up having to support simple binds anyway, at which point forcing encryption via TLS is useful.

However, no matter what you do, with ldap on port 389, there is no way to prevent the client from sending the DN + Password in the clear to the server when using simple binds, even if the server enforces encryption.

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc
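As an added example (not from the thread, and not Quanah's or the OpenLDAP project's own configuration), here is the combination of server and client settings that the reply above describes: the server refuses simple binds and updates unless the connection already carries TLS protection, offers SASL/EXTERNAL from the TLS client certificate, and the client is told to insist on TLS itself. The file paths (FreeBSD openldap port under /usr/local/etc/openldap/), the rc.conf variable, the host name ldap.example.net, the suffix dc=example,dc=net and the certificate subject form are all assumptions.

```conf
# Added example, not part of the original thread. Paths, names and the
# certificate subject layout are assumptions for illustration.

### /usr/local/etc/openldap/slapd.conf (server side) ###

TLSCertificateFile    /usr/local/etc/openldap/certs/ldap.example.net.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/ldap.example.net.key
TLSCACertificateFile  /usr/local/etc/openldap/certs/ca.crt

# Weak: no security factors at all, so a simple bind (DN + password)
# on the plain ldap:// listener is accepted in the clear.
#security ssf=0

# Corrected: a simple bind is only accepted once the connection has at
# least 128 bits of TLS protection, and any operation needs 128 bits
# of protection overall. A simple bind sent in the clear is refused
# with "Confidentiality required (13)". ldapi:// sockets are credited
# with localSSF, so local admin tools keep working without TLS.
security   simple_bind=128 tls=128
localSSF   128
disallow   bind_anon
require    authc

# SASL/EXTERNAL: ask for a TLS client certificate and map its subject
# (assumed to look like cn=<user>,ou=people,o=example) onto an entry.
TLSVerifyClient try
authz-regexp
  "^cn=([^,]+),ou=people,o=example$"
  "uid=$1,ou=people,dc=example,dc=net"

### /etc/rc.conf (assumed FreeBSD rc variables for the port's slapd) ###
slapd_enable="YES"
# Stronger still: do not offer a plain ldap:// listener at all, only
# LDAP over TLS on 636 and the local socket.
slapd_flags='-h "ldaps:/// ldapi:///"'

### /usr/local/etc/openldap/ldap.conf (client side) ###
# The server settings above cannot stop a client from *sending* its
# password before being refused; the client must insist on TLS itself
# and verify the server certificate.
URI         ldaps://ldap.example.net
BASE        dc=example,dc=net
TLS_CACERT  /usr/local/etc/openldap/certs/ca.crt
TLS_REQCERT demand

# A client that still uses ldap:// on 389 should require StartTLS to
# succeed (-ZZ) before it binds:
#   ldapwhoami -ZZ -x -H ldap://ldap.example.net \
#              -D uid=jerry,ou=people,dc=example,dc=net -W
# Against the server config above, the same bind without -ZZ fails with:
#   ldap_bind: Confidentiality required (13)
```

The `security` line enforces the policy on the server, but only after the bind request has arrived, which is exactly the point made in the reply: a misconfigured or careless client has already put the DN and password on the wire by then. Removing the plain listener from `slapd_flags`, or filtering port 389 so only the TLS and ldapi endpoints are reachable, is what actually keeps cleartext credentials off the network; the `ldap.conf` settings cover clients you control.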