
Re: forcing encryption for external server access while allowing unencrypted localhost connections



Dieter Kluenter wrote:
> There are administration
> clients that do support tls and startTLS and most of extend
> operations. 

Well, one has to be careful regarding security aspects of TLS with client cert
authentication. No matter whether you use LDAP, HTTPS or whatever, this only makes
sense if the clients are operated by human end-users who *interactively* enter
a passphrase for a private key stored on disk or a PIN for a private key
stored in a smartcard.

If you have private keys without a passphrase on disk this is no more secure
than having a password for a bind-DN on disk in a config file. In both cases
only local file permissions protect the client credential from being abused.

Using client cert authc with SASL/EXTERNAL for a web-based LDAP client
authenticates the user running the web application. Using client authc with
HTTPS is of no use unless you fully trust the web application to correctly
implement Proxy Authorization. I currently don't know any Open Source
web-based LDAP client which does that.

Ciao, Michael.

-- 
Michael Ströder
E-Mail: michael@stroeder.com
http://www.stroeder.com
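The point Michael makes above, that a private key without a passphrase on disk is protected by nothing but file permissions, is something an administrator can audit mechanically. The following is an added example (not code from this thread or from any of the LDAP clients mentioned): it classifies a PEM file as passphrase-protected or not by its PEM framing (PKCS#8 "ENCRYPTED PRIVATE KEY" label, or the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" header) and checks whether the POSIX mode exposes it to group or other users. The PEM bodies it writes are constructed placeholders, not real keys, and the file names and directory are temporary assumptions for the demonstration.

```python
"""Audit on-disk client credential files (private keys, bind-password configs).

Added example, not part of the mailing list thread. Reports two things per file:
whether the PEM is passphrase-protected, and whether its mode lets anyone other
than the owner read it. The sample files are constructed placeholders, not keys.
"""
import os
import stat
import tempfile


def pem_is_encrypted(pem_text: str) -> bool:
    """True if the PEM body is wrapped with a passphrase.

    PKCS#8 uses the "ENCRYPTED PRIVATE KEY" label; the legacy OpenSSL
    "traditional" format marks encryption with a "Proc-Type: 4,ENCRYPTED"
    header line inside the BEGIN/END block.
    """
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    if "Proc-Type: 4,ENCRYPTED" in pem_text:
        return True
    return False


def mode_is_private(mode: int) -> bool:
    """True if neither group nor others have any permission bit set (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_credential_file(path: str) -> dict:
    """Return the two checks plus human-readable findings for one file."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    encrypted = pem_is_encrypted(text)
    private = mode_is_private(st.st_mode)
    findings = []
    if not encrypted:
        findings.append("key is not passphrase-protected; only file permissions protect it")
    if not private:
        findings.append("file is accessible to group/others (mode %o)" % stat.S_IMODE(st.st_mode))
    return {"path": path, "encrypted": encrypted, "private_mode": private, "findings": findings}


def _write(dirpath: str, name: str, content: str, mode: int) -> str:
    """Helper for the demo: write a constructed file and set its mode."""
    p = os.path.join(dirpath, name)
    with open(p, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(p, mode)
    return p


# Constructed placeholders: valid PEM framing only, no real key material.
UNENCRYPTED_PEM = (
    "-----BEGIN PRIVATE KEY-----\nPLACEHOLDERBASE64\n-----END PRIVATE KEY-----\n"
)
ENCRYPTED_PEM = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDERBASE64\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
LEGACY_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "PLACEHOLDERBASE64\n-----END RSA PRIVATE KEY-----\n"
)


def demo() -> dict:
    """Audit four constructed files in a temp dir; return finding counts by case."""
    with tempfile.TemporaryDirectory() as d:
        cases = {
            "world_readable_plain": _write(d, "a.key", UNENCRYPTED_PEM, 0o644),
            "private_plain": _write(d, "b.key", UNENCRYPTED_PEM, 0o600),
            "private_encrypted": _write(d, "c.key", ENCRYPTED_PEM, 0o600),
            "legacy_encrypted": _write(d, "d.key", LEGACY_ENCRYPTED_PEM, 0o600),
        }
        return {name: len(audit_credential_file(p)["findings"]) for name, p in cases.items()}


if __name__ == "__main__":
    for name, n in demo().items():
        print(f"{name}: {n} finding(s)")
```

The "private_plain" case is the one the mail is about: the mode is correct, yet the audit still flags it, because a 0600 key without a passphrase is exactly as exposed as a bind-DN password in a 0600 config file. Only the encrypted cases come back clean, and even those require a human to supply the passphrase interactively for the protection to mean anything.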