
RE: Require SSL transport?



At 12:25 PM 2/2/01 -0500, Justin Hahn wrote:
>Hrm... It's not entirely clear to me what needs to happen. For example, I have
>the following in my slapd.conf
>
>security ssf=128

This says "require 128 bits of encryption."  This encryption can be
provided by any layer (SASL, TLS, or transport).  If the protection
is not present, only operations which can be used to initiate
such protections (e.g. Start TLS) are allowed.

>and I can't seem to find a disallow or require which does the right thing.
>disallow seems to turn OFF SSL in many cases, and require only has
>requirements for SASL, whereas I need plaintext binding.

You can use ACLs to restrict simple authentication, for example:
        access to attrs=userPassword
                by ssf=112 auth
                by ssf=128 self write
                by * none

requires 112 bits of encryption for authentication,
but require 128 bits of encryption for write.

>and the following ACL (which sounds like it'd do roughly what I want)
>doesn't work
>
>access to *
>        by ssf=0 none

That's equivalent to saying
  access to * by * none

as all sessions have zero or better encryption.

>I considered trying something like
>
>access to *
>        by ssf=112 none

That's equivalent to
  access to * by * none

as those with 112 or better encryption get none and those
without 112 or better encryption get none (by default).

>but I have no idea whether this would only forbid 3DES binds, or anything
>3DES or lower (the docs don't say, and I wouldn't know where to look in the
>code.)

Both would restrict all access, including binds.


>I can live with not having this sort of restriction, but it changes,
>somewhat, my plans for implementation.
>
>
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>> Sent: Friday, February 02, 2001 12:01 PM
>> To: Jens Vagelpohl
>> Cc: Justin Hahn; 'openldap-software@Openldap.org'
>> Subject: Re: Require SSL transport?
>> 
>> 
>> At 11:33 AM 2/2/01 -0500, Jens Vagelpohl wrote:
>> >starting your server with "slapd -h ldaps:///" should prevent it from
>> >listening on anything other than port 636.
>> 
>> But this disallows use of LDAP Start TLS (-Z), the standard track
>> mechanism of initiating TLS (SSL) services.
>> 
>> There are numerous ways to restrict access in OpenLDAP.
>> ACLs support ssf and tls_ssf factors where you can
>> restrict access based upon the strength of the security
>> actually provided by the layer.
>> 
>> There are also various "allows", "disallows", "requires",
>> and "security" slapd.conf(5) statements which can be used
>> to control the behavior of the server.
>> 
>> 
>> >jens
>> >
>> >
>> >
>> >On 2/2/01 10:56, "Justin Hahn" <jhahn@profitlogic.com> wrote:
>> >
>> >> Over the past couple days I've been setting up OpenLDAP as a substitute for
>> >> NIS. To do this I want all communications done with the LDAP server to be
>> >> over SSL exclusively. But I can't seem to figure out how to get openldap to
>> >> ignore requests that aren't over SSL.
>> >> (i.e. ldapsearch -ZZ -x '(objectclass=*)' gives me exactly what I expect,
>> >> but take away -ZZ and I get the same results back. Which isn't what I want.)
>> >> 
>> >> Is there any ACL I can use to grant no access if SSL isn't being used? A
>> >> config option? A commandline option to slapd?
>> >> 
>> >> Thanks!
>>
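Editor's added example (not OpenLDAP code, and not part of the thread): a small model of the two rules that explain all three of Kurt's answers above. First, an `ssf=N` who-term matches any session whose security strength factor is at least N, which is why `by ssf=0 none` denies everyone. Second, slapd walks the `by` clauses of the first applicable `access to` in order and applies the first clause whose who-terms all match; a session that matches no clause gets none, which is why `by ssf=112 none` also denies everyone. The same first-match rule is the caveat to watch in the userPassword ACL: with the clauses in the order posted, a 128-bit session already satisfies `ssf=112 auth` and never reaches `ssf=128 self write`, so the block evaluates both that ordering and the reversed one. The ACL strings and the DNs are constructed for the example; real slapd ACLs have far more who-terms and controls (regex, sets, `break`/`stop`) than this model supports, so treat it as a reading aid for slapd.access(5), not a replacement for testing against a running server.

```python
"""Toy evaluator for slapd-style ACLs with ssf who-terms.

Added illustration only: it reproduces just the 'at least N bits' meaning of
ssf=N and slapd's first-matching-by-clause rule. It is not OpenLDAP code.
"""
import re
from dataclasses import dataclass, field

# Access levels in increasing order of privilege (OpenLDAP 2.0 vocabulary).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Session:
    """What the server knows about a connection when it checks an ACL."""
    ssf: int              # strength of the best protection layer in place
    bound_dn: str = ""    # "" models an anonymous session


@dataclass
class ByClause:
    who: list             # e.g. ["ssf=112"], ["ssf=128", "self"], ["*"]
    access: str


@dataclass
class Acl:
    what: str             # "*" or "attrs=<list>"
    clauses: list = field(default_factory=list)


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who...> <level>' lines from slapd.conf text."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            acls.append(Acl(what=line[len("access to "):].strip()))
        elif line.startswith("by ") and acls:
            parts = line.split()[1:]
            level = parts[-1]
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r} in {raw!r}")
            acls[-1].clauses.append(ByClause(who=parts[:-1], access=level))
        else:
            raise ValueError(f"unsupported line {raw!r}")
    return acls


def who_matches(term, session, target_dn):
    """One who-term; all terms of a by clause must match for the clause to apply."""
    if term == "*":
        return True
    if term == "self":
        return session.bound_dn != "" and session.bound_dn == target_dn
    if term == "anonymous":
        return session.bound_dn == ""
    if term == "users":
        return session.bound_dn != ""
    m = re.fullmatch(r"ssf=(\d+)", term)
    if m:
        return session.ssf >= int(m.group(1))   # ssf=N means "at least N bits"
    raise ValueError(f"unsupported who term {term!r} (model limitation)")


def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.strip().lower() for a in what[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    raise ValueError(f"unsupported what {what!r} (model limitation)")


def evaluate(acls, session, target_dn, attr=None):
    """Access level granted: first applicable 'access to', then its first by
    clause whose who-terms all match. No matching clause means none."""
    for acl in acls:
        if not what_matches(acl.what, attr):
            continue
        for clause in acl.clauses:
            if all(who_matches(t, session, target_dn) for t in clause.who):
                return clause.access
        return "none"   # implicit trailing 'by * none'
    return "none"       # nothing applies; slapd's global default is in slapd.access(5)


# Constructed inputs: the three ACLs discussed in the thread plus a reordering.
THREAD_ACLS = {
    "ssf0_none": "access to *\n        by ssf=0 none\n",
    "ssf112_none": "access to *\n        by ssf=112 none\n",
    "as_posted": ("access to attrs=userPassword\n        by ssf=112 auth\n"
                  "        by ssf=128 self write\n        by * none\n"),
    "reordered": ("access to attrs=userPassword\n        by ssf=128 self write\n"
                  "        by ssf=112 auth\n        by * none\n"),
}
ME = "uid=justin,dc=example,dc=com"   # hypothetical DN


def outcomes(name):
    """Access a user bound as ME gets to their own userPassword at several ssf values."""
    acls = parse_acl(THREAD_ACLS[name])
    return {ssf: evaluate(acls, Session(ssf, bound_dn=ME), ME, attr="userPassword")
            for ssf in (0, 56, 112, 128, 256)}


if __name__ == "__main__":
    for name in THREAD_ACLS:
        print(f"{name:12s} {outcomes(name)}")
```

Running the block prints one row per ACL; the `as_posted` row shows every session at 112 bits or better stopping at `auth`, while `reordered` grants `write` only to the 128-bit self-bound session and `auth` to everyone else at 112 or above.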