[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: security measures

To: james@unixpac.com.au
Subject: Re: security measures
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 13 Jan 2001 15:16:34 -0800
Cc: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
In-reply-to: <3A5D5E74.7E2727BE@linuxplaza.com.au>

At 06:19 PM 1/11/01 +1100, James Gregory wrote:
>Hi,
>
>First of all, for anyone who was interested the problem with extremely
>slow ldap - it was a faulty hub.
>
>Now, Having (thankfully) gotten past that little hurdle, I'm onto the
>issue of how to best configure openldap. Currently I'm concerned with
>security. Basically we want something which is sufficiently secure
>(though I'm not too fussed about that, it's over an IPsec vpn, I'd just
>like to stop people on the local network being able to pull passwords
>straight off the network with a sniffer). And it needs to be very easy
>to maintain.

I would suggest you make use of one of the secure authentication
methods for LDAP (RFC2829), DIGEST-MD5 or simple w/ StartTLS or,
once fully implemented, SASL/EXTERNAL w/ TLS/X.509.  I also recommend
GSSAPI for Kerberos users.

>I understand that SASL requires a separate config file which needs to be
>modified for each user we want to authenticate against, is that right?

Depends on the mechanism.  For DIGEST-MD5, you need to use saslDB.
For PLAIN, there are numerous options (see archives for recent discussions)
[of course, PLAIN is just as insecure as LDAP simple authentication].

>how complex is this file?

SASLdb is an embedded database, normally BerkeleyDB or GDBM.  

>would it be easy to write a perl script to add
>users to it?

There is a C API as well as a command line tool, saslpasswd, for
working with SASLdb.

>Next point, is ssl easy to setup?

SSL and TLS (which replaces SSL) is fairly easy to setup without
client authentication, yes.  With client authentication requires
server modifications to work properly.  See archives for details.

>is there a flag on pam_ldap I need to
>set to force it to use ssl?

Haven't a clue.  I don't use pam_ldap.  [I use Kerberos].

>how secure is ssl?

Well, TLS is quite secure if used properly.  If used improperly,
it can add no security.

>Is it difficult to set up?

See above comment.

>I tried building with ssl and without ssl, and I'm getting failures when
>I use -ZZ on ldap search.  
>
>Here's the error:
>ldap_start_tls: Success
>        additional info: error:14077410:SSL
>routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>[root@fileserver /root]# 

What does slapd say?

References:
- security measures
  - From: James Gregory <james@linuxplaza.com.au>

Prev by Date: RE: security measures
Next by Date: Ldap as authentication system (based on RFC2307)
Index(es):
- Chronological
- Thread