
Re: TLS / secure ldap transactions, userPassword hashing questions

Thanks for the response.

--- Aaron Richton <richton@nbcs.rutgers.edu> wrote:

> This e-mail appears to be premised on out of date information. It sounds
> like you're implementing a new server; I strongly suggest using the latest
> version of OpenLDAP 2.3 available from openldap.org.

Yes, this would be a new implementation.  I have not yet installed
OpenLDAP, so I am using the documentation available via the
openldap.org website.

> If nothing else, the documentation improvements will save you time; in
> these answers, I refer to documentation provided with OpenLDAP 2.3.4.

I've been using the Administrator's Guide from the web site.  I just
downloaded the 2.3.4 release and the guide in the tarball is dated 10
May 2005, just like the version on the web site.  Looks like it needs
updating to synchronize with the new/removed configuration keywords.

The manpage I've been using is also the one on the web site, from
2.3-Release, which I had presumed would be updated whatever the release
sub-level was.

> > require strong
> would require SASL (unlikely to help in your case?) or TLS on all sessions
> at all times.

Right, that's why I was wondering if there was a "require tls" or
equivalent.  It seems like "security tls=128" or the like will do what
I want.

> > disallow bind_simple_unprotected
> This directive no longer exists. There's "security simple_bind=X" which
> allows the same concept; it requires SSF X for simple (i.e. non-SASL) binds.

OK, then apparently the manpage _is_ canonical.

> 2.3.4's slapd.conf(5) manpage mentions six "first-class" <hash> options.
> There are more "pseudo-hash" options (SPASSWD comes to mind) available.
> Those are only useful if you have a supported external password store.

So it would seem the short answer to my question is I either choose one
of the ones listed in the manpage, or do something like add the
additional hash support to crypt() itself, which doesn't appeal to me
since I'd be changing one of the distributed-with-the-OS-core

Would it be a big deal to make a feature request for something like
SHA-256, SHA-512, and/or Blowfish support?
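For reference, the slapd.conf(5) settings the two replies above refer to, written out as an added example rather than anything taken from the thread or from the OpenLDAP distribution; the SSF value 128 is assumed as the minimum strength, and the "weak" lines are there only to show what they leave open.

```conf
# --- Weak: no session-strength requirement at all ---
# With no "security" directive, slapd accepts a simple bind (DN plus
# cleartext password) over a plain, unencrypted TCP session, so the
# password crosses the wire in the clear.
#
# security            <-- absent
# password-hash       <-- absent, so a plain ldapmodify can store a
#                         cleartext userPassword

# --- Corrected: require TLS and protected simple binds ---
# tls=128         : every session must have negotiated TLS with a
#                   cipher giving at least 128 bits of strength before
#                   any operation other than StartTLS is accepted.
# simple_bind=128 : a simple bind is refused unless the session's
#                   security strength factor (SSF) is already >= 128,
#                   i.e. the replacement for the old
#                   "disallow bind_simple_unprotected".
security tls=128 simple_bind=128

# Hash userPassword values set through the Password Modify extended
# operation with salted SHA-1, one of the "first-class" <hash> options
# listed in the 2.3.4 slapd.conf(5) manpage. Values written with an
# ordinary ldapmodify are stored as given, so clients that bypass the
# extended operation still need to send an already-hashed value.
password-hash {SSHA}
```

Once this is loaded, a plain `ldapwhoami -x -D <dn> -W` without StartTLS should be refused with "confidentiality required", while `ldapwhoami -x -ZZ -D <dn> -W` (where -ZZ insists that StartTLS succeed) should bind normally.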
