[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: secure ldap remotely (TLS handshake error)

On Monday 17 September 2007 15:08:11 ÃliÃs TamÃs wrote:
> Udv / Greetings!
> I have revised the prevoious list postings, but unfortunately I'm in
> deeper trouble with openldap as before.
> On a debian etch machine, I'm running a simple slapd instance with
> HDB. I have to connect to this from the internet. Still this time it
> was working only locally and quite fine. So I've started to look afte
> r if I can manage security somehow.
> I have read about the differences between LDAPS, STARTTLS and so. The
> facts I've collected:
> - by using the TLSCertificateFile and other options I can use my own
> selfigned cert.
> - ldaps is a non standard method and works only locally originated
> connections.

While ldaps is not AFAIK an IETF standard, it does work remotely (and is the 
only supported method for some software).

> - ldap and starttls command can be managed to work non locally. now
> the questions. So if I connect from a remote machine to the standard
> port, how to tell the ldap client to start tls?

Please see the man page. E.g., you may want to use the -ZZ option.

> - Also, I've looked for other ways. there are security ssf options, that
> must work.

These options are to *enforce* the security required, not to enable it.

> By using any form the security ssf options, other softwares or 
> even the ldapsearch
> function can not connect, tough slapd is running.

Most likely because you didn't enable the security required by your ssf 
configuration. But, since you don't post any examples of the command line or 
the error, I can only guess.

> So I want to achieve the following:
> - access the ldap remotely on a secure manner, I do not care if it is
>  TLS or some ldap managed stuff. I do not want to use sasl, I have my
>  accounts defined in the ldap directory, I do not need some kinda
>  outsider auth mechanism.
> IS THIS possible?


> I've already have the client cert, the tls options set in the config,
> and ldap is listening on ldap://host, and no "security ssf" options
> defined. I want to secure all transfers (passwords already MD5 or SHA)
> If TLS does not work, what to do now? Thank you for the answer.

It does work.

> sw info: latest stable openldap compiled from source, with latest
> openssl.

But, no information on what command line you are using, or the useful error 
messages you should have received.