[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: about TLS and Openldap ...

Hi Susanne, 
>From the keyboard of Susanne,
> Hi,
> Waldemar Brodkorb wrote:
> >Your slapd binds to port 636/ldapssl and 389/ldap.
> >If you don't remove 'ldap:///' your server will also respond on non
> >encrypted traffic.
> I removed "ldap:///"; and tested it with PHP - the same log as before. 
> But testing with GQ and pam/nss does'nt work properly. I think it's 
> because these clients don't use ldaps over port 636 but start_tls over 
> port 389. Is this a security problem? 

No, I think not. pam_ldap and nss_ldap supports ldaps, gq and slurpd
AFAIK not.

> Also I tried they don't use Port 
> 636, but I thought start_tls is as save as ldaps?????
It is. 
Probably I misunderstood your last posting you wrote:
"the log output shows, that TLS is used in all communications, but
some of the packages I see are in clear text."

How do you acquire the logging information? 
tcpdump/ethereal or logfiles?
Looking at your attachment I guess you analyze your logs.
If an intruder can take a look at the logs it is too late for
encrypting passwords in a network session ;)
To avoid these debugging info's use a smaller loglevel in your
slapd.conf. After I finished the configuration of my LDAP server I
simply set it to zero.

> >And so you have to be sure that all your LDAP clients use TLS on
> >Port 636 or STARTTLS on port 389 to communicate with the server.
> All clients open and close TLS connections and send at least some of the 
> data with encryption.
> Only some packages can be read as cleartext in log output. I attached some 
> typical lines from this output.
> >Is 'ssl yes' & 'port 636'  set in your pam_ldap & pam_nss configuration 
> >files?
> My ldap.conf witch is used by pam_ldap and nis_ldap is also attached to 
> this mail. I alredy tried to set "port 636", but in this case the client 
> can't connect the Ldap-server anyway. But it uses start_tsl.

My working pam_ldap config (pam_ldap 118) as example:
host server
base o=thinknow,c=de
ldap_version 3
port 636
pam_filter objectclass=account
pam_login_attribute uid
pam_password crypt
ssl yes


Are your questions smart enough?