[Date Prev][Date Next] [Chronological] [Thread] [Top]

difference between ldaps and startTLS

To: "Carl Litt" <carl@execulink.com>
Subject: difference between ldaps and startTLS
From: Lise Didillon <ldidillon@prologue-software.fr>
Date: Tue, 06 May 2003 10:12:28 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <00aa01c31332$a57ea9a0$050befd1@execulink.net>
References: <3EB686E4.10904@atira.dk>

Could you explain me the difference between ldaps and TLS over 389, I never really understand it. An other problem is if I run slapd only with ldaps I'm sure that nobody can access to the slapd server without SSL. It's not the case if I use the extended operation startTLS.

thank you to help me
Lise Didillon

At 14:17 05/05/03 -0400, you wrote:

The lookup in /etc/hosts.{allow,deny} is usually based on the executable
name.  This is hard-coded in the source, and in OpenLDAP it's "slapd".
So no, you could not use tcpwrappers this way.

But that's fine because tcpwrappers is not your best choice for security
anymore.  By the time tcpwrappers can do anything, the packet has
already made it past your kernel and into the userspace process (eg.
slapd).  Not only that but if you're using any DNS lookups in your
hosts.* files you're prone to DNS outages or DNS-spoofing.

Your best bet is to ditch tcpwrappers and go with kernel packet
filtering.  How you would go about this depends on your OS, but all will
be able to filter based on destination port.  So in your case you would
develop a list of hosts/networks to provide LDAP (389/tcp) service to
and another list for LDAPS (636/tcp).  Here is an example using Linux
iptables (suitable for use with iptables-restore):

# LDAPS
[0:0] -A INPUT -i eth0 -p tcp -m tcp -s 192.168.1.0/27 --dport 636 -j
ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp -s 192.168.7.128/28 --dport 636 -j
ACCEPT
...
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 636 -j DROP

# LDAP
[0:0] -A INPUT -i eth0 -p tcp -m tcp -s 172.16.55.0/24 --dport 389 -j
ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 389 -j DROP

Take note that unless you are setting a default-DROP policy in iptables
the final rule in each section must explicitly DROP.

As a final note, LDAPS (636/tcp) is depreciated and never made RFC.  The
proper way is to use TLS over 389.

Carl Litt
Network Administrator
Execulink Internet


----- Original Message -----
From: "Bo Gundersen" <bg@atira.dk>
To: <openldap-software@OpenLDAP.org>
Sent: Monday, May 05, 2003 11:44 AM
Subject: Different tcp wrapper configuration for ldap and ldaps,
possible?


> Hi
>
> I have run into a bit of a problem, I have an semi open OpenLdap
server
> which is currently only responding to ldaps, but I would like to open
> the server for non-ssl connections from a very limited number of
hosts.
>
> However I am not sure how to configure this with tcp wrappers. As I
> understand it, OpenLdap checks the hosts.{allow,deny} files with the
> name of OpenLdap executable and not the name of the actual protocol
> (correct?), and it is therefor impossible to have a very open
> hosts.{allow,deny} for ldaps and a very closed one for ldap.
>
> Is there anyway that I can make OpenLdap use the actual protocol for
> lookups into hosts.{allow,deny} istead of the executable name?
> or do I have to run two different OpenLdap servers to make this work?
>
> Thanks in advance :)
>
> --
> Bo Gundersen
> DBA/Software Developer
> M.Sc.CS.
> www.atira.dk
>
>
>
>

Follow-Ups:
- Re: difference between ldaps and startTLS
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

References:
- Different tcp wrapper configuration for ldap and ldaps, possible?
  - From: Bo Gundersen <bg@atira.dk>
- Re: Different tcp wrapper configuration for ldap and ldaps, possible?
  - From: "Carl Litt" <carl@execulink.com>

Prev by Date: getent fails to deliver LDAP entries
Next by Date: Re: RH 9 packages
Index(es):
- Chronological
- Thread