[Date Prev][Date Next] [Chronological] [Thread] [Top]

secure ldap remotely (TLS handshake error)

Udv / Greetings!

I have revised the prevoious list postings, but unfortunately I'm in
deeper trouble with openldap as before.

On a debian etch machine, I'm running a simple slapd instance with
HDB. I have to connect to this from the internet. Still this time it
was working only locally and quite fine. So I've started to look afte
r if I can manage security somehow.

I have read about the differences between LDAPS, STARTTLS and so. The
facts I've collected:

- by using the TLSCertificateFile and other options I can use my own
selfigned cert.

- ldaps is a non standard method and works only locally originated

- ldap and starttls command can be managed to work non locally. now
the questions. So if I connect from a remote machine to the standard
port, how to tell the ldap client to start tls?

- Also, I've looked for other ways. there are security ssf options, that must work. By using any form
the security ssf options, other softwares or even the ldapsearch
function can not connect, tough slapd is running.

So I want to achieve the following:

- access the ldap remotely on a secure manner, I do not care if it is
 TLS or some ldap managed stuff. I do not want to use sasl, I have my
 accounts defined in the ldap directory, I do not need some kinda
 outsider auth mechanism.

IS THIS possible?

I've already have the client cert, the tls options set in the config,
and ldap is listening on ldap://host, and no "security ssf" options
defined. I want to secure all transfers (passwords already MD5 or SHA)

If TLS does not work, what to do now? Thank you for the answer.

sw info: latest stable openldap compiled from source, with latest

Thomas Elias
Title: *NIX System administrator, Certified Cisco Network Engineer, Pascal/Bash/C++ programmer, Certified IBM UDB DB2 Database Administrator
mailto: elias.tamas@uni-pen.hu, elias.tamas@pszinfo.hu, elias.tamas@vagyok.eu, eliast@nagykanizsa.hu
Tel.: +3630/4971626
ICQ UIN: 206-714-459 ; SKYPE: "elias.tamas"
OpenPGP public key: http://pszinfo.hu/elias.tamas.asc
Quote: "Too many people making too many problems (InFlames)"

Attachment: pgpGYnfdKQgH4.pgp
Description: PGP signature