
security measures
Hi,

First of all, for anyone who was interested the problem with extremely
slow ldap - it was a faulty hub.

Now, having (thankfully) gotten past that little hurdle, I'm onto the
issue of how to best configure OpenLDAP. Currently I'm concerned with
security. Basically we want something which is sufficiently secure
(though I'm not too fussed about that; it's over an IPsec VPN, I'd just
like to stop people on the local network being able to pull passwords
straight off the network with a sniffer). And it needs to be very easy
to maintain.

I understand that SASL requires a separate config file which needs to be
modified for each user we want to authenticate against, is that right?
How complex is this file? Would it be easy to write a Perl script to add
users to it?

Next point, is SSL easy to set up? Is there a flag on pam_ldap I need to
set to force it to use SSL? How secure is SSL? Is it difficult to set
up?

I tried building with SSL and without SSL, and I'm getting failures when
I use -ZZ on ldapsearch. I would have thought it should be a
straightforward process of using the SSL socket calls rather than the
Berkeley sockets ones. Is there something I'm missing?

Here's the error:
ldap_start_tls: Success
        additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
[root@fileserver /root]# 


Thanks for all your help.

James.