
Re: Trying to confirm use of TLS...



Mon, 2002-08-26 at 20:38, Ken Kleiner wrote:

>   When running slapd with ldap:/// and ldaps:///, I understand that it
> is listening on port 389 and 636.  If my clients have /etc/ldap.conf
> with an entry of 'ssl start_tls', I assume that means that my session
> is encrypted (i.e. all data passed back and forth from client -> server
> is munged).  

That is, in that case, no doubt what the system administrator for that
machine intended. Whether it happens or not is another matter.

He has to implement the mechanics, too.
 
>   This being the case, I'm sure it is extremely critical to only allow
> connections to slapd from trusted hosts, using tcp wrappers - correct?

No. Encrypted connections are encrypted connections, and it is
immaterial whether a client/peer is denied/allowed access
through TCP WRAPPERS or not.

> If not, anybody can talk to my 389 port and therefore sniff.

Not if the connection is encrypted they can't. You can effect encrypted
connections/binds on any port you wish. Including 389 and 636. Nor do
you have to run any service whatsoever on port 389, if you don't want
to.

>   I have tested with just ldaps:///, and it works, but I fear I can't
> use slurpd/replication unless I use 389 - is that right?

No :-)

Best,

Tony

-- 

Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981


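As an added example, not part of this thread or of OpenLDAP itself: the exchange that `ssl start_tls` triggers on the plain ldap:// port, written out in Python so the "mechanics" Tony mentions are visible. The client sends the StartTLS extended request in the clear, checks the server's resultCode, and only then wraps the same socket in TLS; the sample response byte strings and the hostname are constructed placeholders.

```python
import socket
import ssl

# OID of the StartTLS extended operation (RFC 4511 / RFC 4513).
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"

# Constructed sample ExtendedResponse messages (short-form DER lengths):
# LDAPMessage { messageID 1, ExtendedResponse { resultCode, "", "" } }
SAMPLE_START_TLS_OK = bytes.fromhex("300c020101780" "70a0100" "0400" "0400")
SAMPLE_START_TLS_REFUSED = bytes.fromhex("300c020101780" "70a0101" "0400" "0400")


def _der_len(n: int) -> bytes:
    """Short-form DER length; sufficient for the tiny messages built here."""
    if n >= 128:
        raise ValueError("long-form length not supported in this example")
    return bytes([n])


def build_start_tls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    msg_id = b"\x02\x01" + bytes([message_id])                      # INTEGER messageID
    oid = b"\x80" + _der_len(len(START_TLS_OID)) + START_TLS_OID     # [0] requestName
    ext_req = b"\x77" + _der_len(len(oid)) + oid                     # [APPLICATION 23]
    body = msg_id + ext_req
    return b"\x30" + _der_len(len(body)) + body                      # SEQUENCE


def parse_result_code(response: bytes) -> int:
    """Return the resultCode of an ExtendedResponse (single-byte fields only)."""
    if response[0] != 0x30 or response[2:4] != b"\x02\x01":
        raise ValueError("not an LDAPMessage with a one-byte messageID")
    if response[5] != 0x78:                                          # [APPLICATION 24]
        raise ValueError("not an ExtendedResponse")
    if response[7:9] != b"\x0a\x01":                                 # ENUMERATED resultCode
        raise ValueError("unexpected resultCode encoding")
    return response[9]


def start_tls_session(host: str, port: int = 389, cafile=None) -> ssl.SSLSocket:
    """Negotiate StartTLS on the ldap:// port and upgrade that same socket to TLS."""
    sock = socket.create_connection((host, port))
    sock.sendall(build_start_tls_request())                           # sent in cleartext
    if parse_result_code(sock.recv(4096)) != 0:                       # 0 == success
        sock.close()
        raise RuntimeError("server refused StartTLS; session would stay unencrypted")
    ctx = ssl.create_default_context(cafile=cafile)                   # verifies server cert
    return ctx.wrap_socket(sock, server_hostname=host)                # everything after is TLS


if __name__ == "__main__":
    print(start_tls_session("ldap.example.invalid").version())       # placeholder host
```

A sniffer on port 389 sees only the request and response above in the clear; a client that ignores a non-zero resultCode and continues unencrypted is the failure mode this check guards against.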