
RE: Antwort: OpenLDAP exclusively on SSL [Virus checked]

1) SASL is independent of SSL and TLS.

2) The chosen encryption isn't reported anywhere. If the specific type
matters to you, you should explicitly set the allowable ciphersuites to
include only the type(s) you want.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of

>I'm not sure if I have asked this before but is it advisable (and actually
>desirable from security standpoint) to run ldap only in SSL mode. Any tips
>on accomplishing this? Would it break anything?
>The system I'm talking about is RedHat9 and openLDAP-2.1.22-0.
>Thanks !!

Doing a simple bind on an unencrypted line is certainly not a good thing. On the
other hand, encrypting the whole traffic may be overkill (depends on the
data, of course). If you do simple binds, and the data isn't meant to be seen by
everyone, then SSL indeed sounds like a sane thing to do.

On the other hand, "LDAPS protocol is deprecated in favor of the LDAPv3
StartTLS extended operation", so it may be better to skip ldaps altogether,
or at least allow both ldaps and ldap+TLS. AFAIK, it is possible to allow
simple bind over ldaps://, and only allow SASL bind over ldap:// - not sure
what the config option is.

Btw, I have a couple of related questions:

1) What happens when a client connects over an unencrypted channel, and
authorises using SASL (for instance SASL/GSSAPI)? Does the whole traffic
automatically become encrypted afterwards (i.e. does this automatically
start TLS), or not?

2) AFAIK, TLS allows several different forms of encryption. How can I
actually find out which one is used?


T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik,                             eMail: denis.havlik@t-mobile.at
Rennweg 12, Zi. 444                       Phone: +43-1-79-585/6237
A-1030 Vienna                                  Fax: +43-1-795-85/6584
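A slapd.conf fragment, added here as an example and not taken from either poster, that puts Howard's ciphersuite advice and the setup Denis asks about into practice: both ldaps:// and ldap:// with StartTLS are served, simple binds are refused unless the connection already carries enough protection, SASL binds on cleartext ldap:// must bring their own security layer, and the allowed ciphersuites are pinned explicitly. The file paths and the SSF thresholds are assumptions to be tuned; the directive names are those documented in slapd.conf(5).

```conf
# slapd.conf fragment (added example; paths and thresholds are assumptions)

# Serve both ldaps:// (port 636) and ldap:// with the StartTLS extended op:
#   slapd -h "ldap:/// ldaps:///"
# The TLS directives below apply to both listeners.
TLSCACertificateFile   /etc/openldap/cacerts/ca.pem
TLSCertificateFile     /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key

# slapd does not report which cipher was negotiated, so pin the permitted
# suites instead (OpenSSL cipher-list syntax): no anonymous key exchange,
# no NULL cipher, no export-grade suites.
TLSCipherSuite         HIGH:!aNULL:!eNULL:!EXPORT:!MD5

# Security strength factors (SSF): slapd takes a TLS session's SSF from the
# negotiated cipher's key length, and a SASL session's SSF from the SASL
# security layer (e.g. GSSAPI confidentiality). A SASL bind over plain
# ldap:// does NOT start TLS; the traffic is only protected if the
# mechanism negotiates its own layer, which minssf= below demands.
#
# simple_bind=128: a simple (DN + password) bind is refused unless the
# connection already has SSF >= 128, i.e. it works over ldaps:// or after
# StartTLS, but not over cleartext ldap://. ssf=0 keeps cleartext
# connections open so that SASL binds can still use them.
security               ssf=0 simple_bind=128 update_ssf=128

# SASL mechanisms must negotiate at least 56-bit protection (assumed
# threshold; raise it to what your mechanism can actually deliver) and
# must not send a plaintext password.
sasl-secprops          noplain,noanonymous,minssf=56

# Do not accept anonymous binds at all.
disallow               bind_anon
```

After restarting slapd, a simple bind attempted over plain ldap:// should be rejected with "confidentiality required", while the same bind over ldaps:// or after StartTLS succeeds.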