[Date Prev][Date Next]
Re: failover config: servers with same DNS address and TLS, subjectAltName extension
Emmanuel Dreyfus wrote:
On Mon, Jul 23, 2007 at 09:58:37PM -0700, Howard Chu wrote:
This only works with recent OpenSSL 0.9.8 releases. You didn't mention
which version of OpenSSL you're using. And since this entire subject is
purely an OpenSSL matter and not an LDAP matter, that's a pretty key piece
# Cannot get this working!
I used 0.9.7d.
That information (a minimal version of OpenSSL is required for it to work)
is quite important. Where was I supposed to find it? I've lost a few hours
trying to get CRLworking, I'd have been better reading the right document.
When you run OpenLDAP's configure script you will see:
checking OpenSSL library version (CRL checking capability)... no
indicating that your OpenSSL library doesn't support it. Otherwise I suppose
you would see in your OpenSSL release notes/docs.
Setting "sasl-secprops none" is never a good idea. Why did you put this
Install ca.crt and srv1.crt (srv2.crt) on srv1 (srv2), and configure slapd,
with this in slapd.conf:
I have users using plaintext login/password through TLS. Those are validated
through SASL. As I understood, using plaintext password requires
"sasl-secprops none", is that wrong?
No, that's not what it does. It turns off all security requirements in the
SASL layer, allowing all insecure mechanisms to be used. A rather big
mistake, after you've gone to the trouble of enabling secure authentication
In my setup, the syncrepl consumer uses certificate and gets sensitive
information such as userPassword. Users can use plaintext password over
TLS and cannot get password hashes. Is it that odd?
You posted your email as if it was a general solution for anybody trying to
solve the aliased server name problem for TLS certificates. This part of your
config is not part of that general solution, it is specific to your deployment.
In particular, the sasl-secprops setting is a global option and affects all
connections, whether they use TLS or not. As such, you are allowing users to
use login/plain over cleartext connections as well as TLS connections. You
might have taken precautions against this in the other parts of your slapd.conf
(using the security directive) but you didn't indicate those precautions
anywhere in what you posted. So you will mislead anyone following your advice
into leaving their servers quite vulnerable.
If you've actually got information in your directory that you've gone to the
trouble of protecting with TLS, you should never allow plaintext authentication
mechanisms. Use CRAM-MD5 at least.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/