RE: SSH tunnels
This certainly would be an alternative and could provide strong
encryption (probably even more than required). However, IMO, it
introduces another dependency* in your design, one which you probably
don't need given the availability of SSL/TLS with ldap.
If SSL/TLS is not available to you for whatever reason, another option
is SASL (Simple Authentication and Security Layer). I would consider it
an alternative not suitable for the faint of heart.
* The ssh tunnel would need to be in place before ldap starts up and
depending on how you configure it, may require root privileges.
I would also comment that you should consider how the system will react
in case the encrypted tunnel (be that ssh or SSL/TLS) fails. Does it
fail securely and exit with an error (alarm) or proceed talking
cleartext LDAP?
cheers,
Sasha
>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
>[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of
>Richard Baldwin
>Sent: Wednesday, November 06, 2002 2:00 PM
>To: openldap-software@OpenLDAP.org
>Subject: SSH tunnels
>
>
>Hi,
>
>I have seen a few references to people using SSH tunnels to
>secure LDAP communications, but no discussion as to its
>advisability. Is this a reasonable way to go, or are there
>hidden problems in this approach as compared to SSL/TLS?
>
>Thanks from an LDAP newbie!
>
>Richard E. Baldwin
>Geological Survey of Canada          voice: 250-363-6740
>Pacific Geoscience Centre            fax:   250-363-6565
>9860 West Saanich Road, Box 6000     email: baldwin@pgc.nrcan.gc.ca
>Sidney, BC, V8L 4B2, CANADA          web:   http://www.pgc.nrcan.gc.ca
>
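The fail-secure question raised in the reply above (does a broken tunnel or TLS session produce an error, or cleartext LDAP?) is something OpenLDAP can be made to answer on the server side rather than leaving it to each client. The following is an added example, not configuration from the original thread or from either poster. It uses OpenLDAP 2.x slapd.conf and ldap.conf directives; the host name ldap.example.org and the certificate paths are placeholders. It shows the permissive form beside the corrected one for both the server and the client.

```conf
# Added example (not from the original thread): making OpenLDAP refuse
# cleartext instead of silently serving it. Host names and paths are
# placeholders.

### slapd.conf, weak: TLS is merely available, never required
# started as: slapd -h "ldap:/// ldaps:///"
TLSCertificateFile    /etc/openldap/ssl/ldap.example.org.crt
TLSCertificateKeyFile /etc/openldap/ssl/ldap.example.org.key
# No "security" directive: a client that never issues StartTLS, or
# whose TLS handshake fails and retries without it, is served over
# cleartext port 389 and nothing in the logs distinguishes the two.

### slapd.conf, corrected: every operation needs >= 128-bit protection
TLSCertificateFile    /etc/openldap/ssl/ldap.example.org.crt
TLSCertificateKeyFile /etc/openldap/ssl/ldap.example.org.key
TLSCipherSuite        HIGH:!aNULL:!eNULL
# Minimum security strength factor (ssf) for all requests. A session
# with no TLS (or SASL) layer has ssf 0, so slapd answers every request
# on it with "confidentiality required" rather than processing it.
security ssf=128

### ldap.conf (client), weak: certificate problems are ignored
URI         ldap://ldap.example.org
TLS_REQCERT allow

### ldap.conf (client), corrected: unverifiable server cert = no session
URI         ldaps://ldap.example.org
TLS_CACERT  /etc/openldap/ssl/ca.crt
TLS_REQCERT demand
```

Two points worth checking after applying this. First, `security ssf=128` turns the silent failure mode into a loud one: a client that lands on a cleartext session gets an error it must handle, which is exactly the alarm the reply asks for. Second, it interacts with the SSH tunnel approach the original question proposes: a tunneled connection arrives at slapd as plain TCP on the loopback interface, and slapd rates it ssf 0 because it has no way of knowing about the encryption happening one hop away (`localSSF` applies only to ldapi:// Unix-domain sockets, not to loopback TCP). So with the tunnel you either cannot enforce the minimum on the server and must trust that the tunnel is always up, or you keep the enforcement and run TLS through the tunnel anyway, at which point the tunnel buys nothing. That is the dependency footnote in the reply, stated in terms slapd can check.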