[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Using different encryption on localhost and networked connections

Robert Henjes wrote:
> My proposed solution:
> * All clients, which support client certificate verification, should
> directly connect using TLS to the LDAP server.

You really want to use client authc during TLS negotiation with the client
having a private key and a public key cert? Note that this does only makes
sense if you have end-users interactively operating the LDAP client software.

> * All clients, esp. the management tools, should establish a ssh-tunnel to
> the server and connect through localhost entity.

I would not mess with an extra SSH tunnel if you already have TLS up and running.

> * (optional) specific clients should be able to connect via specific access
> rules (but this is a future topic ;) )

Please don't take it personally but that's a pretty broad statement.

> Questions:
> 1) Turing off the option "ssl tls=1" means, a client can contact the server
> without encryption. If a password is transmitted, it will be rejected, but
> it is still transmitted unsecure. Due you have any recommendations
> according this issue?

If you want to avoid that particular problem you have to use LDAP over SSL on
a separate port (AKA LDAPS). Because then the SSL/TLS connection MUST be fully
established *before* the LDAP connection.

Note that you cannot by any means prevent a client from doing something really
dumb except by client configuration. Maybe a custom web interface for
administration over HTTPS would be more appropriate for your requirements than
a GUI client?

> Possible solution: The server only responds to unencrypted requests on the
> local interface. How can I achieve this?

Start slapd with appropriate parameters for command-line option -h for LDAP on
localhost and LDAPS for remote connections.

> 2) With the above presented solution, I can not change my own password as the desired user (Invalid credentials (49)), only as admin(root). Why?

You have this ACL:

access to attrs=userPassword,shadowLastChange
        by peername.ip= write
        by ssf=128 dn="cn=admin,dc=example,dc=com" write
        by ssf=128 anonymous auth
        by ssf=128 self write
        by * none

1. It should have as last clause:
        by * auth
2. Are you sure self should be able to write shadowLastChange? Then you cannot
enforce Unix password policy anymore.

Ciao, Michael.