[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: about TLS and Openldap ...


Happy new year everybody!
- today not so happy for me, because I have not solved the security
problem yet, although I thought so before Xmas ... :-(

Waldemar Brodkorb wrote:

> Probably I misunderstood your last posting you wrote: > "the log output shows, that TLS is used in all communications, but > some of the packages I see are in clear text." > > How do you acquire the logging information? > tcpdump/ethereal or logfiles?

ethereal and logoutput when starting slapd with "-d 127"

With ethereal I found out, that using GQ, PHP and ldapsearch with LDAPS or TLS seems to work all right - no critical data like passwords can be read as clear text. Also nss_ldap seems to be OK: I run ethereal when opening some files and folders, browsing in my home directory and save & close everything - all messages are sent in ssl-ldap.

But I still have problems with authentification and change user password
(both using pam_ldap)- a ssl connection exists, but critical data is
send with "normal" ldap instead of using ssl.

Some ethereal output from the authentification process:

	 Message: Id=4 Bind Request
		  Message Length: 59
		  Version: 3
		  DN: <my DN>
                   Auth Type: Simple (0x00)
                   Password: <my password as clear text>

The following messages are a LDAP Bind Result and another non-ssl
message (Protocol: TCP, but nothing "readable"). All other packages are

Has anybody an idea how to solve this?

Do pam_ldap and nss_ldap need two separate configuration files
(ldap.conf)? Or should both or none of them work properly when using one
file together as I do it now?

Could this be a problem related with SASL? - I built LDAP without SASL
on client side because it could not find the right libs and I thought I
didn't need SASL. But when compiling pam_ldap and nss_ldap they asked
for SASL too and so I copied the lib onto my system (but only one lib,
no complete installation). Could this be the reason for my problems?

Please send me some help.