[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SSH tunnels

This certainly would be an alternative and could provide strong
encryption  (probably even more than required). However, IMO, it
introduces another dependency* in your design, one which you probably
don't need given the availability of SSL/TLS with ldap. 

If SSL/TLS is not available to you for whatever reason, another option
is SASL (simple authentication and security layer). I would consider it
an alternative not suitable for the faint of heart.

* The ssh tunnel would need to be in place before ldap starts up and
depending on how you configure it, may require root privileges. 

I would also comment that you should consider how the system will react
in case the encrypted tunnel (be that ssh or SSL/TLS) fails. Does it
fail securely and exit with an error (alarm) or proceed talking
cleartext LDAP?


>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org 
>[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of 
>Richard Baldwin
>Sent: Wednesday, November 06, 2002 2:00 PM
>To: openldap-software@OpenLDAP.org
>Subject: SSH tunnels
>I have seen a few references to people using SSH tunnels to 
>secure LDAP communications, but no discussion as to its 
>advisability. Is this a reasonable way to go, or are there 
>hidden problems in this approach as compared to SSL/TLS?
>Thanks from an LDAP newbie!
>             _)
>_)  Richard E. Baldwin                                         
>             _)
>_)  Geological Survey of Canada         voice:  250-363-6740   
>             _)
>_)  Pacific Geoscience Centre             fax:  250-363-6565   
>             _)
>_)  9860 West Saanich Road, Box 6000    email:  
>baldwin@pgc.nrcan.gc.ca     _)
>_)  Sidney, BC, V8L 4B2, CANADA           web:  
>http://www.pgc.nrcan.gc.ca  _)
>                                            _)