
RE: TLS/SSL problems



Craig said:
[...]
> 
> I know about the "-x" option. But, once that happens, it looks like the
> passwords are sent in clear text. (I did some packet traces and that's
> what it looks like to me.)

That would only happen because an SSL or TLS connection is not being
established. See slapd.conf(5) and ldap.conf(5) for information on forcing
OpenLDAP to use SSL or TLS connections. 

Using ldapsearch -d 7 -x -D <yourdn> -w <yourpassword> ... will show you if
a successful SSL handshake is taking place. If it is not, then there will be
no encryption.

> I need to have passwords sent over an encrypted connection. "-x" doesn't
> give me that.

If you've set things up so that either an LDAP over SSL connection (ldaps)
or an LDAP with TLS (StartTLS) connection is established then everything
that is sent over the link, including passwords, is encrypted.

Unfortunately you've been handed a version of OpenLDAP that is years out of
date. You will probably have better luck on this list (and ultimately with
the software itself) if you upgrade to a current version of OpenLDAP. There
are a number of newer packages available from various sources, including
Symas. Failing that, you can contact your distro provider (Red Hat?).

Cheers,

Matthew Hardin
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com

> Thanx for the thought, though. :)
> 
> 
> Quanah Gibson-Mount wrote:
> > --On Tuesday, May 22, 2007 6:36 PM -0700 Craig <craig5@pobox.com> wrote:
> >
> >> I am running openldap 2.2.13. I am having a problem getting TLS to work.
> >> I have done numerous searches, but most web pages seem to deal with
> >> LDAP/kerberos issues. We do not run kerberos. I am only trying to prevent
> >> passwords from being sent in the clear.
> >>
> >> I have followed the instructions on this page:
> >>
> >> http://www.ibm.com/developerworks/linux/library/l-openldap/
> >>
> >>
> >> I am able to run ldapsearch with simple auth:
> >>  > ldapsearch -x
> >>
> >> but, am not able to do any of the following:
> >>  > ldapsearch
> >>  > ldapsearch -X u:myuid
> >>  > ldapsearch -X dn:uid=myuid,ou=People,dc=example,dc=com
> >>
> >> The error is (with "-d 255"):
> >> ...
> >> SASL/GSSAPI authentication started
> >
> > You need to use a lower case x to disable GSSAPI.  i.e.,
> >
> > ldapsearch -x <whatever>
> >
> > --Quanah
> >
> > --
> > Quanah Gibson-Mount
> > Principal Software Engineer
> > Zimbra, Inc
> > --------------------
> > Zimbra ::  the leader in open source messaging and collaboration
> >
> >
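The server-side and client-side settings Matthew points at (slapd.conf(5) and ldap.conf(5)) can be checked mechanically rather than by packet trace. The Python script below is an added example, not code from this thread or from OpenLDAP: it parses constructed slapd.conf and ldap.conf text for the directives that decide whether a simple bind's password can cross the wire unencrypted (`security simple_bind=`/`ssf=`/`tls=`, the TLSCertificateFile/TLSCertificateKeyFile pair, `TLS_REQCERT`, `TLS_CACERT`, and the URI scheme). The directive names are the real ones from those manual pages; the file paths, hostname and sample configurations are made up for the example. The client-side equivalent at run time is `ldapsearch -ZZ`: with the doubled Z, ldapsearch aborts if the StartTLS operation does not succeed, which is the quick way to confirm the handshake that `-d 7` shows in detail.

```python
"""Audit OpenLDAP config text for settings that let a simple bind (ldapsearch -x)
send its password over an unencrypted link.

Added example for this thread; not code from the thread or from OpenLDAP.
It reads slapd.conf(5)/ldap.conf(5) directives from strings, so it runs offline
against the constructed samples at the bottom.
"""


def _directives(conf_text):
    """Yield (keyword, [args]) per logical line, joining slapd.conf-style
    continuation lines (a line that starts with whitespace continues the
    previous one) and dropping blank lines and '#' comments."""
    logical = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def security_factors(slapd_conf):
    """Collect name=value pairs from every `security` directive, e.g. {'ssf': 128}."""
    factors = {}
    for keyword, args in _directives(slapd_conf):
        if keyword != "security":
            continue
        for item in args:
            name, _, value = item.partition("=")
            if value.isdigit():
                factors[name.lower()] = int(value)
    return factors


def audit_slapd(slapd_conf):
    """Findings for the server side: can slapd offer TLS, and does it demand it?"""
    findings = []
    keywords = {kw for kw, _ in _directives(slapd_conf)}
    if "tlscertificatefile" not in keywords or "tlscertificatekeyfile" not in keywords:
        findings.append("no TLSCertificateFile/TLSCertificateKeyFile: slapd cannot offer TLS")
    factors = security_factors(slapd_conf)
    # Any of these directives sets a floor that a simple bind must meet.
    required = max(factors.get("ssf", 0), factors.get("tls", 0), factors.get("simple_bind", 0))
    if required == 0:
        findings.append("no `security ssf=/tls=/simple_bind=` directive: a simple bind "
                        "over plain ldap:// is accepted, password in clear")
    elif required < 128:
        findings.append(f"security strength {required} is weak; 128 is usual for TLS")
    return findings


def audit_ldap_conf(ldap_conf):
    """Findings for the client side (ldap.conf / ldaprc)."""
    findings = []
    settings = {kw: args for kw, args in _directives(ldap_conf)}
    reqcert = settings.get("tls_reqcert", ["demand"])[0].lower()  # ldap.conf default
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not verified, "
                        "so the encrypted link could terminate at an impostor")
    if "tls_cacert" not in settings and "tls_cacertdir" not in settings:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the client has no CA to verify against")
    if any(u.lower().startswith("ldap://") for u in settings.get("uri", [])):
        findings.append("URI uses ldap://: encryption depends on the client requesting "
                        "StartTLS (ldapsearch -ZZ) or the server demanding it")
    return findings


# Constructed samples (paths and hostname are made up).
WEAK_SLAPD = """\
# TLS is configured but nothing forces its use
TLSCertificateFile      /etc/openldap/certs/server.crt
TLSCertificateKeyFile   /etc/openldap/certs/server.key
database        bdb
suffix          "dc=example,dc=com"
"""

HARDENED_SLAPD = """\
# reject any simple bind unless the connection already has SSF 128
TLSCertificateFile      /etc/openldap/certs/server.crt
TLSCertificateKeyFile   /etc/openldap/certs/server.key
security        simple_bind=128
database        bdb
suffix          "dc=example,dc=com"
"""

WEAK_LDAP_CONF = """\
URI     ldap://ldap.example.com
BASE    dc=example,dc=com
TLS_REQCERT never
"""

HARDENED_LDAP_CONF = """\
URI     ldaps://ldap.example.com
BASE    dc=example,dc=com
TLS_CACERT      /etc/openldap/certs/ca.crt
TLS_REQCERT     demand
"""

if __name__ == "__main__":
    for label, conf, check in (("weak slapd.conf", WEAK_SLAPD, audit_slapd),
                               ("hardened slapd.conf", HARDENED_SLAPD, audit_slapd),
                               ("weak ldap.conf", WEAK_LDAP_CONF, audit_ldap_conf),
                               ("hardened ldap.conf", HARDENED_LDAP_CONF, audit_ldap_conf)):
        print(label + ":", check(conf) or ["ok"])
```

The weak slapd.conf is the situation in the thread: TLS is available, but a client that connects to ldap:// and binds with `-x` is never told to upgrade, so the password goes out as plaintext. `security simple_bind=128` turns that into a "confidentiality required" error at bind time, which is the behaviour a packet trace should confirm.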