Antwort: OpenLDAP exclusively on SSL [Virus checked]

[denis.havlik@t-mobile.at]

>Hi,
>I'm not sure if I have asked this before but is it advisable (and actually
>desirable from security standpoint) to run ldap only in SSL mode. Any tips
>on accomplishing this? Would it break anything?
>The system I'm talking about is RedHat9 and openLDAP-2.1.22-0.
>Thanks !!

Doing simple bind on unencrypted line is certainly not a good thing. On the other hand, encrypting the whole traffic may be an overkill (depends on the data, of course). If you do simple binds, and data isn't meant to be seen by everyone, then SSL indeed sounds like a sane thing to do. 

On the other hand, "LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS extended operation", so it may be better to skip ldaps altogether, or at last allow both ldaps and ldap+TLS. AFAIK, it is possible to allow simple bind over ldaps://, and only allow SASL bind over ldap:// - not sure what the config option is.

Btw, I have a couple of related questions: 

1) What happens when a client connects over unencrypted channel, and authorises using SASL (for instance SASL/GSSAPI). Does the whole traffic automatically become encrypted afterwards (i.e. does this automatically starts TLS), or not? 

2) AFAIK, TLS allows several different forms of encryption. How can I actually find out which one is used?

cheers
        Denis

T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik,                             eMail: denis.havlik@t-mobile.at
Rennweg 12, Zi. 444                       Phone: +43-1-79-585/6237           
A-1030 Vienna                                  Fax: +43-1-795-85/6584