Re: OpenLDAP issues when connecting over SSL
--On Monday, January 22, 2007 4:42 PM +1100 Jean-Yves Avenard
On 1/22/07, Kurt D. Zeilenga <Kurt@openldap.org> wrote:
You might ask on a list supporting the particular client you
are using how to configure this client to secure LDAP with TLS
Your previous post actually helped me identify the issue with this
client, and I can get it to work now.
The problem was (as you suggested) that even though it was using port
636, it would issue a Start TLS call, which on an SSL connection isn't
going to work.
I've raised a bug with the supplier on this matter.
Using port 636 (SSL) was an LDAP V2 hack, and was never an officially
supported operation. TLS over port 389 is part of the LDAP v3
specifications, and is supported. Vendors doing start TLS are actually
being LDAP v3 compliant. Vendors doing SSL over 636 are using an old
non-standardized way of doing SSL.
As noted by Kurt, you can force connections to use encryption using the
"security" statement. I'm not quite sure why you aren't figuring this out
via the slapd.conf man page; it is pretty clear:
Specify a set of security strength factors (separated
by white space) to require (see sasl-secprops's minssf
option for a description of security strength factors).
The directive may be specified globally and/or per-
database. ssf=<n> specifies the overall security
strength factor. transport=<n> specifies the transport
security strength factor. tls=<n> specifies the TLS
security strength factor. sasl=<n> specifies the SASL
security strength factor. update_ssf=<n> specifies the
overall security strength factor to require for
directory updates. update_transport=<n> specifies the
transport security strength factor to require for
directory updates. update_tls=<n> specifies the TLS
security strength factor to require for directory
updates. update_sasl=<n> specifies the SASL security
strength factor to require for directory updates.
simple_bind=<n> specifies the security strength factor
required for simple username/password authentication.
Note that the transport factor is a measure of security
provided by the underlying transport, e.g. ldapi://
(and eventually IPSEC). It is not normally used.
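To make the "security" directive concrete, here is a slapd.conf fragment added as an example for this thread; it is not from any of the posts above or from the OpenLDAP documentation. The certificate paths are placeholders, and it assumes slapd is already listening on both ldap:// (389) and ldaps:// (636).

```conf
# slapd.conf fragment (added example; certificate paths are placeholders)
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server-key.pem

# Require an overall security strength factor of 128 bits for every
# operation.  A client on port 389 that has not issued Start TLS gets
# "confidentiality required" back and nothing else; a client that has
# completed Start TLS on 389, or connected over ldaps:// on 636, with a
# cipher of at least 128 bits satisfies the requirement either way.
security ssf=128

# Stricter alternative (use instead of the line above, since a later
# "security" directive in the same scope replaces the earlier one):
# require the strength to come from TLS specifically, and refuse
# simple (username/password) binds unless the link is encrypted, so
# passwords never cross the wire in the clear.
#security tls=128 simple_bind=128

# Per-database variant: allow unencrypted reads of a public suffix but
# insist on 128-bit protection for any update to it.
#database bdb
#suffix   "dc=example,dc=com"
#security update_ssf=128
```

With this in place the two client behaviours from the thread separate cleanly: a client doing Start TLS on port 389 (`ldapsearch -ZZ -H ldap://host ...`) satisfies `ssf=128` and works, a client connecting to port 636 without issuing Start TLS (`ldapsearch -H ldaps://host ...`) also works, but a client that connects to 636 and then issues Start TLS fails exactly as Jean-Yves observed, because the session is already TLS-protected and the extended operation is refused. The `security` directive only enforces a minimum strength; it does not by itself choose between the two mechanisms, so clients still need to be configured for one or the other.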
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html