Re: TLS / secure ldap transactions, userPassword hashing questions
This e-mail appears to be premised on out-of-date information. It sounds
like you're implementing a new server; I strongly suggest using the latest
version of OpenLDAP 2.3 available from openldap.org. If nothing else, the
documentation improvements will save you time; in these answers, I refer
to documentation provided with OpenLDAP 2.3.4.

> require strong
would require SASL (unlikely to help in your case?) or TLS on all sessions
at all times.

> disallow bind_simple_unprotected
This directive no longer exists. There's "security simple_bind=X" which
allows the same concept; it requires SSF X for simple (i.e. non-SASL)
binds.

However, you say
> 1. I want to make sure all ldap sessions occur via TLS, enforced by

for which I would suggest the configuration directive "security tls=X"
(where X is a strength factor; i.e. 1 to allow any flavor, but a number
like 56 might be reasonable too.)

> Also, I've noticed sometimes keywords are mentioned in the
> Administrator's guide that are not in the slapd.conf manpage, such as
> the aforementioned "bind_simple_unprotected".  Is there a similar
> require keyword that specifically refers to TLS (rather than just
> "strong", for which both SASL and TLS qualify)?

bind_simple_unprotected no longer exists, which might explain why it's
missing from your documentation. The above-mentioned "security tls" refers
specifically to TLS.

> read the slapd.conf manpage's password-hash section.  Looking there, I
> see no mention of "stronger" hashes than standard SHA (or SSHA) nor if

2.3.4's slapd.conf(5) manpage mentions six "first-class" <hash> options.
There are more "pseudo-hash" options (SPASSWD comes to mind) available.
Those are only useful if you have a supported external password store.
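
The directives discussed in this reply, collected into one slapd.conf fragment as an added example (it is not part of the original message and not configuration shipped by the OpenLDAP project). The certificate paths are placeholders, and 56 is the strength factor used as an illustration above:

```conf
# Added example slapd.conf fragment; certificate paths are placeholders.

# TLS material slapd presents to clients (placeholder paths).
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd.key

# Refuse any operation on a session whose TLS layer provides an SSF below 56
# (tls=56), and require that same TLS strength specifically for simple binds
# (simple_bind=56), so a cleartext password is never accepted over an
# unprotected connection. Using tls=1 instead would accept any TLS cipher.
security tls=56 simple_bind=56

# Store passwords set through the password-modify extended operation as
# salted SHA-1 rather than cleartext.
password-hash {SSHA}
```

The `security` line replaces the old `disallow bind_simple_unprotected` idea with explicit per-mechanism strength factors, and placing it before any `database` section makes it global. A quick check from a client is `ldapsearch -ZZ ... -x -D <binddn> -W`, which fails rather than falling back if StartTLS cannot be negotiated; with the fragment above, the same simple bind without `-Z` should be rejected by the server.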