
Re: LDAP TLS/SSL Security problem

That's great to know about the security.  I will make three different ones
after I get this to work.  With the spelling corrections from TF and adding
the lines you gave below, my authentication isn't working.  As far as LDAP
goes, do all my config files look correct with these corrections?  If so,
can I assume it's an SSL problem?  Can you give me some direction to figure
out this problem?


From: Tony Earnshaw <tonye@billy.demon.nl>
Sent by: owner-openldap-software@O
Date: 06/30/2004 06:52 AM
To: Openldap list <openldap-software@OpenLDAP.org>
cc:
Subject: Re: LDAP TLS/SSL Security problem

Tue, 29.06.2004 at 23.15, sworden@focal.com wrote:
> I am new to the LDAP scene.  I've looked through most of the postings on
> this and other pages and found many of the same questions without
> I'm running OpenLDAP 2.1.30, nss_ldap-220, pam_ldap-169, Solaris 2.8 ,
> OpenSSL 0.9.7b 10 Apr 2003.  I am using LDAP for user authentication on
> UNIX server.  I know Solaris has a LDAP client, but I wanted to use the
> open source.  This may make it easier to do password aging.  I have LDAP
> without TLS running fine.  Only the communication between the client
> and the master server is in clear text.  I have been trying to use
> to encrypt it.

> HOST   <LDAP Server FQDN>
> BASE   dc=*********,dc=com
> URI    ldaps://<LDAP Server FQDN>
> TLS_CACER      /usr/local/etc/server.pem
> TLS_CACERTDIR  /usr/local/etc/server.pem
> TLS_KEY        /usr/local/etc/server.pem
> SIZELIMIT      12
> TIMELIMIT      15

In addition to what TF writes, the client should also be able to read
the above cert and be pointed at it in the client's config file (since
the cert is also the CA cert). With regard to the latter, your whole
security model is BLOWN by using a single cert in this manner, since
everyone now has the server's private key and can emulate the server for
their own, evil ends. Produce 3 separate certs: a CA cert, a server
public cert and a server private key. Yes, it involves a little extra
work, but it's the only way to go if you care about security.



We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: tonye@billy.demon.nl
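As an added example (not code from the thread or from OpenLDAP), the check below audits a client-side ldap.conf the way Tony's advice implies: the client should reference only a CA certificate, TLS_CACERTDIR should name a directory, and no file handed to the client should bundle the server's private key. The TLS_* option names are the ones documented in OpenLDAP's ldap.conf(5); the PEM contents and file paths are constructed placeholders.

```python
import os
import re
import tempfile

# Constructed placeholder PEM blocks (not real key material); only the labels matter here.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
PEM_LABEL = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)
KNOWN = {"TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
         "TLS_REQCERT", "TLS_CIPHER_SUITE", "TLS_RANDFILE"}

def pem_labels(path):
    """Labels of the PEM blocks in a file, e.g. {'CERTIFICATE', 'RSA PRIVATE KEY'}."""
    with open(path) as f:
        return set(PEM_LABEL.findall(f.read()))

def audit_client_tls(conf_text):
    """Check the TLS_* lines of a client ldap.conf against the files they name.
    Returns a list of findings; empty means the client holds only a CA certificate."""
    findings, opts = [], {}
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS_"):
            opts[parts[0]] = parts[1].strip()
    for opt in sorted(set(opts) - KNOWN):
        findings.append(f"{opt}: not a recognized TLS option (misspelled?)")
    cacert = opts.get("TLS_CACERT")
    if cacert and os.path.isfile(cacert) and any("PRIVATE KEY" in lab for lab in pem_labels(cacert)):
        findings.append("TLS_CACERT: file contains a private key; the CA file must hold only the CA certificate")
    cadir = opts.get("TLS_CACERTDIR")
    if cadir and not os.path.isdir(cadir):
        findings.append("TLS_CACERTDIR: must name a hashed-certificate directory, not a file")
    key = opts.get("TLS_KEY")
    if key and os.path.isfile(key) and "CERTIFICATE" in pem_labels(key):
        findings.append("TLS_KEY: file bundles a certificate with the private key; keep the key in its own file")
    return findings

def demo():
    """Audit the thread's client config (with constructed files) and a corrected one."""
    d = tempfile.mkdtemp()
    combined, ca_only = os.path.join(d, "server.pem"), os.path.join(d, "ca.pem")
    with open(combined, "w") as f:
        f.write(CERT + KEY)          # one file holding cert and key, as in the thread
    with open(ca_only, "w") as f:
        f.write(CERT)                # CA certificate only: all a verifying client needs
    as_posted = f"TLS_CACER {combined}\nTLS_CACERTDIR {combined}\nTLS_KEY {combined}\n"
    corrected = f"TLS_CACERT {ca_only}\nTLS_REQCERT demand\n"
    return audit_client_tls(as_posted), audit_client_tls(corrected)

if __name__ == "__main__":
    for name, result in zip(("as posted", "corrected"), demo()):
        print(name, "->", result or ["ok"])
```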