
Re: TLS/SSL problems

On Wednesday, 23 May 2007, Craig wrote:
> I know about the "-x" option. But, once that happens, it looks like the
> passwords are sent in clear text. (I did some packet traces and that's
> what it looks like to me.)
> I need to have passwords sent over an encrypted connection. "-x" doesn't
> give me that.

(I dropped the rest of the thread, since you top-posted ...).

It seems you don't understand the difference between SASL and TLS. 
Since the subject of your mail is about TLS, I assume that simple binds 
(where the cleartext password is sent to the LDAP server) are acceptable, 
*if* they are sent over an encrypted connection (e.g. TLS).

You didn't provide the full command line you were using, nor any configuration 
you have done on your side, so you can try any of these, depending on your 

1) Always use -ZZ (with -x of course) if your LDAP server supports the STARTTLS 
2) Use an ldaps:// URI, if your LDAP server is listening on the ldaps port 
(e.g. slapd started with -h 'ldap:/// ldaps:///')
3) Set the URI in the OpenLDAP library configuration file 
(usually /etc/openldap/ldap.conf, or /etc/ldap/ldap.conf on Debian) to a URI 
containing ldaps://
4) Enforce encryption on the server side for all operations via the 'security' 
directives in slapd.conf
5) Enforce encryption on the server side for operations on specific attributes 
via the ssf keyword in ACLs ("access" directives).

So, you may want to clarify exactly what you need, exactly what you are doing, 
and how that doesn't currently meet your requirements.


Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader

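The five options above, as an added example that is not part of the original thread or of OpenLDAP's own documentation: a small client-side wrapper that picks the TLS arguments from the URI scheme and refuses anything it cannot protect, a check that the server really rejects a cleartext simple bind once options 4/5 are in place, and the slapd.conf and ldap.conf fragments those options need. The host name ldap.example.com, the bind DN, the password file ./pw.txt and the CA certificate path are assumed placeholders; the SSF value of 128 is an example threshold.

```shell
#!/bin/sh
# Added example for the "TLS/SSL problems" thread; not code from the original
# mail or from the OpenLDAP project. Host, DN, password file and CA path are
# placeholders.

# Emit the extra ldapsearch/ldapwhoami arguments needed so that a simple bind
# (-x) does not put the password on the wire in clear text:
#   ldap://   -> -ZZ  (STARTTLS, and fail instead of falling back to cleartext)
#   ldaps://  -> nothing extra, TLS is implicit on the ldaps port
#   ldapi://  -> nothing extra, a local Unix socket never crosses the network
# Any other scheme is refused rather than silently sent in the clear.
secure_bind_args() {
    case "$1" in
        ldap://*)  printf '%s' '-ZZ' ;;
        ldaps://*) printf '' ;;
        ldapi://*) printf '' ;;
        *) printf 'secure_bind_args: refusing to bind to %s\n' "$1" >&2; return 1 ;;
    esac
}

# Simple bind only with the arguments secure_bind_args chose (options 1 and 2).
# The password is read from a file (-y) so it does not show up in 'ps'.
tls_whoami() {
    uri=$1; binddn=$2; pwfile=$3
    extra=$(secure_bind_args "$uri") || return 1
    # shellcheck disable=SC2086
    ldapwhoami -x $extra -H "$uri" -D "$binddn" -y "$pwfile"
}

# Check that the server enforces encryption (options 4/5): a plain ldap://
# simple bind without -Z must be rejected (slapd answers "Confidentiality
# required"). Returns 0 only when the cleartext bind was refused.
check_enforced() {
    uri=$1; binddn=$2; pwfile=$3
    if ldapwhoami -x -H "$uri" -D "$binddn" -y "$pwfile" >/dev/null 2>&1; then
        echo "WARNING: $uri accepted a cleartext simple bind" >&2
        return 1
    fi
    echo "OK: $uri refused the cleartext simple bind"
}

# slapd.conf fragment for the server-side options (example values).
slapd_conf_fragment() {
    cat <<'EOF'
# Option 4: refuse any operation, including simple binds, with less than
# 128 bits of session security (TLS supplies the SSF).
security ssf=128 simple_bind=128

# Option 5 (usable on its own instead of option 4): only userPassword
# requires an encrypted session; everything else stays reachable.
access to attrs=userPassword
    by ssf=128 self write
    by ssf=128 anonymous auth
    by * none
access to *
    by users read
EOF
}

# ldap.conf fragment for option 3: an ldaps:// default URI for the client
# library, so tools use TLS even when no -H is given.
ldap_conf_fragment() {
    cat <<'EOF'
URI        ldaps://ldap.example.com
BASE       dc=example,dc=com
TLS_CACERT /etc/openldap/certs/ca.pem
EOF
}

# Touch the network only when asked, so the file can be sourced for its functions.
if [ "${RUN_LDAP_CHECKS:-0}" = 1 ]; then
    tls_whoami ldap://ldap.example.com "cn=craig,dc=example,dc=com" ./pw.txt
    check_enforced ldap://ldap.example.com "cn=craig,dc=example,dc=com" ./pw.txt
fi
```

Run it with RUN_LDAP_CHECKS=1 after deploying the slapd.conf fragment: tls_whoami should print the bound DN, and check_enforced should report that the cleartext bind was refused. If check_enforced warns instead, the server is still accepting the bind that the packet trace in the thread showed, regardless of what the client does.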