[Date Prev][Date Next]
Re: about TLS and Openldap ...
>From the keyboard of Susanne,
> Waldemar Brodkorb wrote:
> >Your slapd binds to port 636/ldapssl and 389/ldap.
> >If you don't remove 'ldap:///' your server will also respond on non
> >encrypted traffic.
> I removed "ldap:///" and tested it with PHP - the same log as before.
> But testing with GQ and pam/nss does'nt work properly. I think it's
> because these clients don't use ldaps over port 636 but start_tls over
> port 389. Is this a security problem?
No, I think not. pam_ldap and nss_ldap supports ldaps, gq and slurpd
> Also I tried they don't use Port
> 636, but I thought start_tls is as save as ldaps?????
Probably I misunderstood your last posting you wrote:
"the log output shows, that TLS is used in all communications, but
some of the packages I see are in clear text."
How do you acquire the logging information?
tcpdump/ethereal or logfiles?
Looking at your attachment I guess you analyze your logs.
If an intruder can take a look at the logs it is too late for
encrypting passwords in a network session ;)
To avoid these debugging info's use a smaller loglevel in your
slapd.conf. After I finished the configuration of my LDAP server I
simply set it to zero.
> >And so you have to be sure that all your LDAP clients use TLS on
> >Port 636 or STARTTLS on port 389 to communicate with the server.
> All clients open and close TLS connections and send at least some of the
> data with encryption.
> Only some packages can be read as cleartext in log output. I attached some
> typical lines from this output.
> >Is 'ssl yes' & 'port 636' set in your pam_ldap & pam_nss configuration
> My ldap.conf witch is used by pam_ldap and nis_ldap is also attached to
> this mail. I alredy tried to set "port 636", but in this case the client
> can't connect the Ldap-server anyway. But it uses start_tsl.
My working pam_ldap config (pam_ldap 118) as example:
Are your questions smart enough?