
Re: forcing encryption for external server access while allowing unencrypted localhost connections

Robert Henjes <henjes@informatik.uni-wuerzburg.de> writes:

> Sorry for reopening / reasking the following issue.
> I tried to scan through all posts, but this answer seemed to be the
> closest one to my problem. (We're using OpenLDAP 2.4 on Debian Lenny)


> Situation: For deployment we want to use TLS client certificates as
> far as possible, using TLS encryption all the way.
> Problem: Apache Directory Studio, as well as JXplorer, do not support
> (TLS) client certificate verification, which is agreed not to be a
> topic of OpenLDAP. But anyway...

Why do you use these broken clients at all? There are administration
clients that do support TLS and StartTLS and most of extend

> My proposed solution:
> * All clients which support client certificate verification should
>   connect directly to the LDAP server using TLS.
> * All clients, esp. the management tools, should establish an ssh
>   tunnel to the server and connect through the localhost entity.
> * (optional) Specific clients should be able to connect via specific
>   access rules (but this is a future topic ;) )
>
> # Security considerations (TESTING!!!!)
> # http://www.openldap.org/lists/openldap-software/200409/msg00535.html
> # access from without encryption
> access to dn.subtree="dc=example,dc=com"
>         by peername.ip= write
>         by * none break
> # worldwide access requires tls encryption
> access to dn.subtree="dc=example,dc=com"
>         by ssf=128 write
>         by * none

If your question is only related to unencrypted connections from
localhost, why don't you connect via the local socket only? That is, via


Dieter Klünter | Systemberatung
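What the local-socket approach looks like in slapd.conf, as an added example that is not part of the thread and not OpenLDAP's own documentation: unencrypted management access is confined to the ldapi:// Unix socket and every network client is forced to TLS by the server, not only by ACLs. Assumed here: Debian's default socket path /var/run/slapd/ldapi, the suffix dc=example,dc=com used in the quoted rules, an hdb database, and listeners started as `slapd -h "ldaps:/// ldapi:///"` (SLAPD_SERVICES in /etc/default/slapd on Debian), i.e. no plain ldap:// listener at all.

```conf
# Added example (not from the original thread or from OpenLDAP):
# slapd.conf fragment for "TLS for the network, plaintext only over the
# local socket". Assumptions: socket /var/run/slapd/ldapi, suffix
# dc=example,dc=com, listeners ldaps:/// and ldapi:/// only.

# Sessions on the ldapi:// socket are credited with SSF 128 instead of
# the default 71, so they pass the "security" check below without any
# encryption. This applies ONLY to the Unix socket; a TCP loopback
# listener (ldap://127.0.0.1/) would still be an SSF 0 session.
localSSF 128

# Global requirement: no operation is accepted until the session has an
# effective SSF of 128, i.e. TLS with a 128-bit cipher or the local
# socket credited above. A client on ldap:// that skips StartTLS gets
# "confidentiality required". Do NOT write "security tls=128" here: that
# demands TLS specifically and would lock the socket out as well.
security ssf=128

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# With the socket sessions already at ssf=128, one rule covers both the
# loopback and the "worldwide" case from the quoted config; the split
# into two access directives is no longer needed. The first "by" clause
# whose <who> part matches decides. The first DN below is the identity
# slapd derives from the socket's peer credentials for uid 0 / gid 0
# when root binds with SASL EXTERNAL over ldapi; it gets manage rights.
# Everyone else is only served when the session SSF is 128, which with
# localSSF above means "TLS, or the local socket".
access to dn.subtree="dc=example,dc=com"
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by ssf=128 self write
        by ssf=128 users read
        by * none

# If management sessions must be told apart from TLS clients in an ACL,
# match the socket by path rather than the loopback address: every local
# process (including an "ssh -L" forward set up by any local user) can
# reach 127.0.0.1, whereas the socket can be restricted with file
# permissions (x-mod=0770 on the ldapi:// listener URL plus an admin
# group). Shown commented out; it would replace the rule above.
#access to dn.subtree="dc=example,dc=com"
#        by peername.path=/var/run/slapd/ldapi ssf=128 write
#        by ssf=128 read
#        by * none
```

On a cn=config installation the same three settings are olcLocalSSF and olcSecurity on cn=config and olcAccess on the database entry. Locally, root then works without TLS via `ldapsearch -H ldapi:/// -Y EXTERNAL -b dc=example,dc=com`, while anything arriving over TCP must present a 128-bit TLS session before slapd answers at all. The GUI tools from the thread can still be used without client certificates by tunnelling the socket instead of a port: with an OpenSSH that supports Unix-domain socket forwarding (6.7 and later, an assumption here; Lenny's OpenSSH does not), `ssh -L 1389:/var/run/slapd/ldapi admin@ldap.example.com` and pointing Apache Directory Studio at ldap://localhost:1389 with a simple bind gives slapd an ordinary ldapi session, so no loopback TCP listener has to exist on the server. Two caveats: SASL EXTERNAL through such a forward is authenticated as the ssh login's uid and gid, not as the GUI user, so use a simple bind there; and if an older sshd forces a loopback TCP listener (`ldap://127.0.0.1/`), localSSF does not credit it, so the global `security ssf=128` must be dropped in favour of ACL-level ssf=128 and peername.ip checks as in the quoted rules.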