[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: about TLS and Openldap ...

To: openldap-software@OpenLDAP.org
Subject: Re: about TLS and Openldap ...
From: Waldemar Brodkorb <waldemar@thinknow.de>
Date: Thu, 20 Dec 2001 14:19:55 +0100
Content-disposition: inline
In-reply-to: <3C21BCBC.3040201@emt.iis.fhg.de>
References: <B0000688802@professeur3.enic.fr> <3C21BCBC.3040201@emt.iis.fhg.de>
User-agent: Mutt/1.3.20i

Hi,
>From the keyboard of Susanne,

> Hi,
> 
> I get my Openldap-2.0.18 working with TLS-Support. I'm using LDAP, PHP 
> 4.0.6, GQ 4.0.1 (I think), pam_ldap and nss_ldap (newest versions) as 
> "clients" - all compiled with TLS/SSL-support.
> But now I'm a little bit concerned about security, because when starting 
> slapd with
> 
> /usr/local/openldap/libexec/slapd -h "ldap:/// ldaps:///" -d 127 -f 
> /usr/local/openldap/etc/openldap/slapd.conf

Your slapd binds to port 636/ldapssl and 389/ldap.
If you don't remove 'ldap:///' your server will also respond on non
encrypted traffic. 
And so you have to be sure that all your LDAP clients use TLS on
Port 636 or STARTTLS on port 389 to communicate with the server.

> Openldap (as far as I understand it) only supports TLS connection 
> without client certificate. Does this mean only "one way" of 
> communication is encrypted?

no.

Is 'ssl yes' & 'port 636'  set in your pam_ldap & pam_nss configuration files?

bye
    Waldemar

-- 
Are your questions smart enough?
http://www.tuxedo.org/~esr/faqs/smart-questions.html

Follow-Ups:
- Re: about TLS and Openldap ...
  - From: Susanne Benkert <benkerts@emt.iis.fhg.de>

References:
- SASL authentication and simple bind
  - From: Jacques Landru <landru@enic.fr>
- about TLS and Openldap ...
  - From: Susanne Benkert <benkerts@emt.iis.fhg.de>

Prev by Date: Re: configure - specify SleepyCat
Next by Date: Re: configure - specify SleepyCat
Index(es):
- Chronological
- Thread