[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: forcing encryption for external server access while allowing unencrypted localhost connections

To: richard@Goerwitz.com
Subject: Re: forcing encryption for external server access while allowing unencrypted localhost connections
From: Howard Chu <hyc@symas.com>
Date: Tue, 21 Sep 2004 21:13:33 -0700
Cc: Aaron Richton <richton@nbcs.rutgers.edu>, openldap-software@OpenLDAP.org
In-reply-to: <4150CACA.9000009@Goerwitz.COM>
References: <413E1FC9.9080102@rexconsulting.net> <m3u0u95kwc.fsf@marin.l4b.de> <4141E801.5040908@rexconsulting.net> <6.1.2.0.0.20040910141706.0426a150@127.0.0.1> <41477EFB.6090005@rexconsulting.net> <41484179.1050907@Goerwitz.COM> <4148BFCD.9020306@rexconsulting.net> <m3oek6wwrj.fsf@marin.l4b.de> <41498E2F.6090907@Goerwitz.COM> <m3wtyuun6e.fsf@marin.l4b.de> <4150B5B3.5040704@rexconsulting.net> <Pine.SOL.4.58.0409211942190.15275@toolbox.rutgers.edu> <4150CACA.9000009@Goerwitz.COM>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040714

Richard L. Goerwitz III wrote:

Aaron Richton wrote:
I want to be able to specify which listeners require encryption.
If you're willing to concede that 127.0.0.0/8 will never appear outside of your loopback interface, you can synthesize this by checking peer IPs.

# 127.0.0.1 is allowed, regardless of ssf. world at large needs ssf check access to dn.<dnstyle1>=<what1> by peername.ip=127.0.0.1 <access1> by * none break # We're not coming via loopback; ssf must be checked. access to dn.<dnstyle1>=<what1> by ssf=128 <access2> by * none
But what if I'm not accessing any object?  What if I'm just doing
a bind (e.g., using LDAP to check credentials - which happens all
the time in real-world deployments)?  If, e.g., it's a SASL bind
and the server is set with a bind_ssf, then I believe your ACLs
won't have any effect.
Please correct me if I'm wrong.

In that case, then it doesn't seem to matter one way or another. If the SASL bind uses independent credentials (e.g. SASL/GSSAPI or SASL/EXTERNAL) then the authentication is already encrypted. If the SASL bind uses secrets that are stored in LDAP, then the ACLs will take effect. Regardless, the SASL bind will use a secure mechanism by default. If only a Bind is performed and no other data access occurs, there's nothing else to consider.

I believe we've actually been over all this in previous postings,
but I, for one (and I never claimed to be a genius) still don't
think we're all on the same page.  It's probably that I've done a
lousy job of explaining something, so don't feel bad ;-).

Either that or I am just failing to understand some fundamental
concept that's obvious to most everyone else....

I think it's pretty clear what you're asking for. But it's not clear that the alternative spelled out above won't address the need.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: "Richard L. Goerwitz III" <richard@Goerwitz.com>

References:
- forcing encryption for external server access while allowing unencrypted localhost connections
  - From: Chris Paul <openldap@rexconsulting.net>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: Chris Paul <openldap@rexconsulting.net>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: Chris Paul <openldap@rexconsulting.net>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: "Richard L. Goerwitz III" <richard@Goerwitz.com>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: Chris Paul <openldap@rexconsulting.net>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: "Richard L. Goerwitz III" <richard@Goerwitz.com>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: Chris Paul <openldap@rexconsulting.net>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: Aaron Richton <richton@nbcs.rutgers.edu>
- Re: forcing encryption for external server access while allowing unencrypted localhost connections
  - From: "Richard L. Goerwitz III" <richard@Goerwitz.com>

Prev by Date: Re: forcing encryption for external server access while allowing unencrypted localhost connections
Next by Date: Re: slapd-meta
Index(es):
- Chronological
- Thread