[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: about TLS and Openldap ...

To: maillist-openldap <openldap-software@OpenLDAP.org>
Subject: Re: about TLS and Openldap ...
From: Susanne Benkert <benkerts@emt.iis.fhg.de>
Date: Wed, 02 Jan 2002 13:27:09 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6) Gecko/20011120

Hi,

Happy new year everybody!
- today not so happy for me, because I have not solved the security
problem yet, although I thought so before Xmas ... :-(


Waldemar Brodkorb wrote:


 > Probably I misunderstood your last posting you wrote:
 > "the log output shows, that TLS is used in all communications, but
 > some of the packages I see are in clear text."
 >
 > How do you acquire the logging information?
 > tcpdump/ethereal or logfiles?


ethereal and logoutput when starting slapd with "-d 127"


With ethereal I found out, that using GQ, PHP and ldapsearch with LDAPS
or TLS seems to work all right - no critical data like passwords can be
read as clear text. Also nss_ldap seems to be OK: I run ethereal when
opening some files and folders, browsing in my home directory and save &
close everything - all messages are sent in ssl-ldap.

But I still have problems with authentification and change user password
(both using pam_ldap)- a ssl connection exists, but critical data is
send with "normal" ldap instead of using ssl.

Some ethereal output from the authentification process:

Protocol:
	 LDAP
Info:
	 Message: Id=4 Bind Request
		  Message Length: 59
		  Version: 3
		  DN: <my DN>
                   Auth Type: Simple (0x00)
                   Password: <my password as clear text>

The following messages are a LDAP Bind Result and another non-ssl
message (Protocol: TCP, but nothing "readable"). All other packages are
ssl-ldap.

Has anybody an idea how to solve this?

Do pam_ldap and nss_ldap need two separate configuration files
(ldap.conf)? Or should both or none of them work properly when using one
file together as I do it now?

Could this be a problem related with SASL? - I built LDAP without SASL
on client side because it could not find the right libs and I thought I
didn't need SASL. But when compiling pam_ldap and nss_ldap they asked
for SASL too and so I copied the lib onto my system (but only one lib,
no complete installation). Could this be the reason for my problems?

Please send me some help.

Greatings,
Susanne

Prev by Date: query on OpenLDAP and kerberosv5 on Linux...
Next by Date: Storing Special German Characters in OpenLDAP as PGP-Directory
Index(es):
- Chronological
- Thread