RE: TLS or plain?
It is my understanding that when a client connects
to a server using ldaps://.... instead of ldap://...
then a TLS session is first negotiated with the server,
then the client uses whatever "method" is specified...
i.e. it could use authentication... "simple", "sasl", "Kerberos", etc.
There isn't a "tls-simple" authentication method.
I've used ldapsearch on an AIX system to connect to
Active Directory LDAP server on a Windows System using a
"ldaps://..." URI to identify Active Directory, and
specified "-x" to use simple authentication
instead of SASL.
I no longer have a TLS enabled ActiveDirectory domain,
but here's a trace of an attempt to run ldapsearch against
ActiveDirectory:
Command:
ldapsearch \
-x \
-d 255 \
-H ldaps://activedirhost.example.com \
-b dc=activedirhost,dc=example,dc=com \
-D cn=my_ad_user,cn=users,dc=activedirhost,dc=example,dc=com \
-w my_passwd \
'(&(objectclass=person)(sAMAccountName=my_ad_user))'
Response:
ldap_create
ldap_url_parse_ext(ldaps://activedirhost.example.com)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP activedirhost.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying XX.XX.XX.XX:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=activedirhost.example.com
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 16 00 00  .z....Q... .....
0010: 13 00 00 0a 07 00 c0 00 00 66 00 00 05 00 00 04  .........f......
0020: 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00  ...........e..d.
0030: 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00  .c..b..a..`.....
0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08  ......@.........
0050: 00 00 06 00 00 03 04 00 80 02 00 80 fb fa e9 ff  ................
0060: bb 97 d2 49 a5 58 75 f1 d9 04 26 4e 96 6d 95 5d  ...I.Xu...&N.m.]
0070: 78 0d bf 48 60 be 53 4f 1f 21 f9 54              x..H`.SO.!.T
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7 error=Connection reset by peer
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
You'll notice ldapsearch connected to the host and immediately tried
creating a TLS session....
-tony
-----Original Message-----
From: Beast [mailto:beast@setuid.com]
Sent: Saturday, July 19, 2003 12:04 AM
To: openldap-software@OpenLDAP.org
Subject: Re: TLS or plain?
Saturday, July 19, 2003, 12:35:42 PM, Tony wrote:
> method=128
> 128 (in decimal) = 80 (in hex)
> which is shown below as 0x80U ... for LDAP_AUTH_SIMPLE
That I already understand (hopefully :=), but my question is what is the
value for the methods :
1. simple auth connection *with TLS* = ?
2. simple auth connection *with SSL* = ?
3. simple auth connection (without TLS and SSL/plain) = ?
4. strong auth (sasl) connection *with TLS* = ?
etc...
Afaik, "LDAP_AUTH_SIMPLE (128)" is just like specifying option -x (eg.
ldapsearch -x ...) but nothing to do with encryption, or did I
misunderstand here? Tks.
>> # pwd ; grep LDAP_AUTH ldap.h
>> ...../openldap-2.1.22/include
>> #define LDAP_AUTH_NONE ((ber_tag_t) 0x00U) /* no authentication */
>> #define LDAP_AUTH_SIMPLE ((ber_tag_t) 0x80U) /* context specific + primitive */
>> #define LDAP_AUTH_SASL ((ber_tag_t) 0xa3U) /* context specific + constructed */
>> #define LDAP_AUTH_KRBV4 ((ber_tag_t) 0xffU) /* means do both of the following */
>> #define LDAP_AUTH_KRBV41 ((ber_tag_t) 0x81U) /* context specific + primitive */
>> #define LDAP_AUTH_KRBV42 ((ber_tag_t) 0x82U) /* context specific + primitive */
>> #define LDAP_AUTH_METHOD_NOT_SUPPORTED 0x07
>> #define LDAP_STRONG_AUTH_NOT_SUPPORTED LDAP_AUTH_METHOD_NOT_SUPPORTED
>> #define LDAP_AUTH_UNKNOWN 0x56
--beast
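Added example, not code from either message nor from OpenLDAP: a short Python script that makes the two points of the thread concrete. The "method" (LDAP_AUTH_SIMPLE 0x80, LDAP_AUTH_SASL 0xa3) is just the BER tag of the AuthenticationChoice inside a BindRequest (RFC 4511), so a simple bind produces exactly the same bytes whether or not they travel inside a TLS session; encryption is chosen by the URL scheme (ldaps:// is TLS on connect, port 636) or by a StartTLS request, which is why there is no "tls-simple" method value. The script also decodes the first bytes of the trace above (an SSLv2-compatible ClientHello record) and checks them against the "written=124" figure. The function names, the sample DN and password, and the ldap:// URLs are mine; the 16 trace bytes are copied from the trace in the message above.

```python
"""Added example (not from the thread): the LDAP bind 'method' tag versus the
transport. BER layout follows RFC 4511 (BindRequest / AuthenticationChoice);
the ClientHello layout follows the SSL 2.0 record format. Names are mine."""
from urllib.parse import urlsplit

LDAP_AUTH_SIMPLE = 0x80   # [0] OCTET STRING: context-specific + primitive
LDAP_AUTH_SASL = 0xA3     # [3] SaslCredentials: context-specific + constructed


def transport_for(url, starttls=False):
    """Encryption is decided by the URL scheme (or a StartTLS request), never
    by the bind method. ldaps:// means TLS on connect, default port 636."""
    u = urlsplit(url)
    if u.scheme == "ldaps":
        return ("tls-on-connect", u.port or 636)
    if u.scheme == "ldap":
        return ("starttls" if starttls else "plaintext", u.port or 389)
    raise ValueError("unsupported scheme: %r" % u.scheme)


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(v):
    # Two's-complement INTEGER; the extra byte keeps values >= 0x80 positive.
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def simple_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }.
    Identical bytes whether sent in the clear or inside a TLS session."""
    bind = _tlv(0x60, _ber_int(3) + _tlv(0x04, dn.encode())
                + _tlv(LDAP_AUTH_SIMPLE, password.encode()))
    return _tlv(0x30, _ber_int(msg_id) + bind)


def sasl_bind_request(msg_id, dn, mechanism, credentials=b""):
    """Same message with the sasl [3] choice instead (tag 0xa3)."""
    sasl = _tlv(0x04, mechanism.encode())
    if credentials:
        sasl += _tlv(0x04, credentials)
    bind = _tlv(0x60, _ber_int(3) + _tlv(0x04, dn.encode())
                + _tlv(LDAP_AUTH_SASL, sasl))
    return _tlv(0x30, _ber_int(msg_id) + bind)


def _read_tlv(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def auth_method_tag(msg):
    """Return the AuthenticationChoice tag of a BindRequest, i.e. the value
    the thread calls 'method' (0x80 simple, 0xa3 sasl)."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, p = _read_tlv(body)              # messageID
    op_tag, op, _ = _read_tlv(body, p)
    if op_tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, p = _read_tlv(op)                # version
    _, _, p = _read_tlv(op, p)             # name (LDAPDN)
    return _read_tlv(op, p)[0]


# First 16 bytes of the client's opening write, copied from the trace above.
TRACE_FIRST_BYTES = bytes.fromhex("80 7a 01 03 01 00 51 00 00 00 20 00 00 16 00 00")


def decode_sslv2_client_hello(data):
    """Parse the 2-byte SSLv2 record header and the CLIENT-HELLO fields: this
    is what OpenSSL sends first for ldaps://, before any LDAP message."""
    if not data[0] & 0x80:
        raise ValueError("expected a 2-byte SSLv2 record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:]
    cipher_len = int.from_bytes(body[3:5], "big")
    sid_len = int.from_bytes(body[5:7], "big")
    chal_len = int.from_bytes(body[7:9], "big")
    return {
        "bytes_on_wire": 2 + rec_len,          # compare with tls_write written=
        "msg_type": body[0],                   # 1 = CLIENT-HELLO
        "version": (body[1], body[2]),         # (3, 1) = TLS 1.0
        "cipher_specs": cipher_len // 3,       # 3-byte SSLv2-style cipher specs
        "session_id_len": sid_len,
        "challenge_len": chal_len,
        "lengths_consistent": 9 + cipher_len + sid_len + chal_len == rec_len,
    }


if __name__ == "__main__":
    dn = "cn=my_ad_user,cn=users,dc=activedirhost,dc=example,dc=com"
    req = simple_bind_request(1, dn, "my_passwd")   # sample credentials (mine)
    for url in ("ldaps://activedirhost.example.com", "ldap://activedirhost.example.com"):
        print(url, transport_for(url), "method=0x%02x" % auth_method_tag(req))
    print(decode_sslv2_client_hello(TRACE_FIRST_BYTES))
```

Running it prints the same method=0x80 for both URLs, while the transport differs, and reports 124 bytes on the wire for the ClientHello record, matching "tls_write: want=124, written=124" in the trace; the server then resets the connection before sending a ServerHello, which is what "read server hello A" failing with "Connection reset by peer" records.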