Re: about TLS and Openldap ...
Happy new year everybody!
- today not so happy for me, because I have not solved the security
problem yet, although I thought so before Xmas ... :-(
Waldemar Brodkorb wrote:
> Probably I misunderstood your last posting you wrote:
> "the log output shows, that TLS is used in all communications, but
> some of the packages I see are in clear text."
> How do you acquire the logging information?
> tcpdump/ethereal or logfiles?
Ethereal and log output when starting slapd with "-d 127".
With Ethereal I found out that using GQ, PHP and ldapsearch with LDAPS
or TLS seems to work all right - no critical data like passwords can be
read as clear text. Also nss_ldap seems to be OK: I ran Ethereal while
opening some files and folders, browsing in my home directory and saving &
closing everything - all messages are sent in ssl-ldap.
But I still have problems with authentication and changing the user password
(both using pam_ldap) - an SSL connection exists, but critical data is
sent with "normal" LDAP instead of using SSL.
Some Ethereal output from the authentication process:
Message: Id=4 Bind Request
Message Length: 59
DN: <my DN>
Auth Type: Simple (0x00)
Password: <my password as clear text>
The following messages are an LDAP Bind Result and another non-SSL
message (Protocol: TCP, but nothing "readable"). All other packets are
Has anybody an idea how to solve this?
Do pam_ldap and nss_ldap need two separate configuration files
(ldap.conf)? Or should both or none of them work properly when using one
file together as I do it now?
Could this be a problem related to SASL? - I built LDAP without SASL
on the client side because it could not find the right libs, and I thought I
didn't need SASL. But when compiling pam_ldap and nss_ldap they asked
for SASL too, so I copied the lib onto my system (but only one lib,
no complete installation). Could this be the reason for my problems?
Please send me some help.
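The Ethereal fields in the post (Bind Request, Auth Type: Simple, Password in clear text) are the BER-encoded LDAP BindRequest with the `simple [0]` authentication choice. The script below is an added example, not code from the original post or from the pam_ldap/nss_ldap projects: it decodes that structure from raw LDAP payloads and flags any simple bind that carries a password on a connection that is neither LDAPS (port 636) nor preceded by a StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) on the same client socket. The frames, client addresses, DN and password are constructed here for the demonstration; the ciphertext stand-ins are not real TLS records.

```python
"""Flag cleartext LDAP simple binds (the symptom described in the post).

Minimal BER handling for three LDAP constructs: LDAPMessage, BindRequest with
simple authentication, and the StartTLS ExtendedRequest. Added example with
constructed sample data; not the poster's capture.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber(tag, value):
    """Encode one TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def ber_read(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ber_children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = ber_read(value, pos)
        yield tag, val


def bind_request(msg_id, dn, password):
    """Build LDAPMessage { messageID, bindRequest [APPLICATION 0] } with simple auth."""
    op = ber(0x02, bytes([3])) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))


def starttls_request(msg_id):
    """Build the StartTLS ExtendedRequest [APPLICATION 23] with requestName [0]."""
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x77, ber(0x80, STARTTLS_OID)))


def parse_ldap_message(payload):
    """Decode one LDAPMessage; only BindRequest and ExtendedRequest are interpreted."""
    tag, body, _ = ber_read(payload)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    children = list(ber_children(body))
    msg = {"id": int.from_bytes(children[0][1], "big")}
    op_tag, op_val = children[1]
    if op_tag == 0x60:  # [APPLICATION 0] BindRequest
        ver, dn, auth = list(ber_children(op_val))[:3]
        msg.update(op="bindRequest", version=int.from_bytes(ver[1], "big"), dn=dn[1].decode())
        if auth[0] == 0x80:  # simple [0] OCTET STRING: the password is readable here
            msg.update(auth="simple", password=auth[1].decode())
        elif auth[0] == 0xA3:  # sasl [3] SaslCredentials
            msg["auth"] = "sasl"
    elif op_tag == 0x77:  # [APPLICATION 23] ExtendedRequest
        msg["op"] = "extendedRequest"
        for t, v in ber_children(op_val):
            if t == 0x80:  # requestName [0] LDAPOID
                msg["oid"] = v
    return msg


def audit(frames):
    """frames: (client_socket, server_port, payload) in capture order.

    Returns (client, message id, DN) for every simple bind that sent a password
    on a connection without LDAPS and without a preceding StartTLS request.
    """
    started_tls = set()
    findings = []
    for client, port, payload in frames:
        if port == 636:
            continue  # LDAPS: the whole stream is TLS, nothing to decode
        try:
            msg = parse_ldap_message(payload)
        except (ValueError, IndexError):
            continue  # not LDAP (e.g. TLS records after StartTLS), skip
        if msg.get("op") == "extendedRequest" and msg.get("oid") == STARTTLS_OID:
            started_tls.add(client)
        elif msg.get("op") == "bindRequest" and msg.get("auth") == "simple" and msg.get("password"):
            if client not in started_tls:
                findings.append((client, msg["id"], msg["dn"]))
    return findings


# Constructed sample capture: one StartTLS connection, one cleartext bind
# (the pam_ldap pattern from the post), one LDAPS connection.
SAMPLE_FRAMES = [
    ("10.0.0.5:40001", 389, starttls_request(1)),
    ("10.0.0.5:40001", 389, b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),  # stand-in for TLS
    ("10.0.0.5:40002", 389, bind_request(4, "uid=alice,dc=example,dc=com", "hunter2")),
    ("10.0.0.5:40003", 636, b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),  # stand-in for TLS
]

if __name__ == "__main__":
    for client, msg_id, dn in audit(SAMPLE_FRAMES):
        print(f"cleartext simple bind from {client}: Id={msg_id} DN={dn}")
```

Run against real traffic you would feed it the TCP payloads of each LDAP PDU per connection; the check deliberately keys on the client socket, because a client that does StartTLS on one connection and a plain simple bind on another (which is what the capture in the post suggests) is still exposing the password on the second one.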