
Re: Forcing TLS encryption



----- Original Message -----
> From: "Chuck Lever" <chuck.lever@oracle.com>
> To: "Wiebe Cazemier" <wiebe@halfgaar.net>
> Cc: openldap-technical@openldap.org
> Sent: Friday, 21 December, 2012 4:39:21 PM
> Subject: Re: Forcing TLS encryption
>
> ...
>  
> I added an olcSecurity attribute to the database directives for the
> parts of the server's DIT where I wish to require TLS.  To start
> with I set the value "tls=1".
> 
> See also:
> 
>   http://itsecureadmin.com/tag/openldap/
> 
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
> 

I got it to work (connection won't be allowed without TLS), but I can still capture the password with tcpdump. To elaborate:

I successfully set tls=1 with:


dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1


When I do an ldapsearch now, it says TLS is required:


$ ldapsearch -H ldap://myhost:389 -D "uid=user,ou=people,dc=domain,dc=com" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required


However, when I capture the traffic with tcpdump, I can still see the password being sent. With FTP requiring TLS, the server rejects the connection after the login command, so you don't get the chance to send your password. Is there a way to do that here too?
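The exposure described in the post, as an added example that is not code from this thread: a simple LDAP BindRequest carries the DN and password in the very first client PDU, so the server's "confidentiality required" answer arrives only after the secret has already crossed the wire. The Python below builds a few LDAP PDUs (constructed samples; the DN mirrors the one in the post, the password and addresses are invented) and runs the kind of check a defender would run over captured port-389 segments: a minimal BER parser that flags cleartext simple binds and reports the DN and password length without reproducing the password.

```python
"""Flag cleartext LDAP simple binds in captured TCP payload bytes.

Added example, not from the original thread. Sample PDUs and addresses
below are constructed for this example; the password "hunter2" is made up.
"""
from typing import Optional, Tuple

BIND_REQUEST_TAG = 0x60   # [APPLICATION 0] constructed
SIMPLE_AUTH_TAG = 0x80    # AuthenticationChoice: simple [0] OCTET STRING
SASL_AUTH_TAG = 0xA3      # AuthenticationChoice: sasl [3] SaslCredentials


def _ber(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one definite-length BER TLV. Returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Construct an LDAPv3 BindRequest using simple (cleartext) authentication."""
    bind = (_ber(0x02, bytes([3]))                      # version 3
            + _ber(0x04, dn.encode())                   # name (LDAPDN)
            + _ber(SIMPLE_AUTH_TAG, password.encode()))  # the password, in the clear
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(BIND_REQUEST_TAG, bind))


def build_sasl_bind(msg_id: int, mechanism: str, token: bytes) -> bytes:
    """Construct an LDAPv3 BindRequest using SASL (for contrast with simple)."""
    creds = _ber(0x04, mechanism.encode()) + _ber(0x04, token)
    bind = _ber(0x02, bytes([3])) + _ber(0x04, b"") + _ber(SASL_AUTH_TAG, creds)
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(BIND_REQUEST_TAG, bind))


def inspect_ldap_pdu(pdu: bytes) -> Optional[dict]:
    """Describe a BindRequest PDU; None if the bytes are not an LDAP BindRequest."""
    try:
        tag, msg, _ = _read_tlv(pdu, 0)
        if tag != 0x30:
            return None
        _, mid, pos = _read_tlv(msg, 0)            # messageID
        op_tag, op, _ = _read_tlv(msg, pos)
        if op_tag != BIND_REQUEST_TAG:
            return None
        _, _, pos = _read_tlv(op, 0)               # version
        _, dn, pos = _read_tlv(op, pos)            # name
        auth_tag, cred, _ = _read_tlv(op, pos)
    except IndexError:                             # truncated or non-BER payload
        return None
    finding = {"message_id": int.from_bytes(mid, "big"), "dn": dn.decode(errors="replace")}
    if auth_tag == SIMPLE_AUTH_TAG:
        # Report only the length: the finding itself must not re-expose the secret.
        finding.update(auth="simple", password_len=len(cred))
    elif auth_tag == SASL_AUTH_TAG:
        _, mech, _ = _read_tlv(cred, 0)
        finding.update(auth="sasl", mechanism=mech.decode(errors="replace"))
    else:
        return None
    return finding


def find_cleartext_binds(segments) -> list:
    """Return findings for simple binds seen on plain port 389 (not LDAPS 636)."""
    hits = []
    for src, dport, payload in segments:
        if dport != 389:
            continue
        info = inspect_ldap_pdu(payload)
        if info and info["auth"] == "simple":
            hits.append(dict(info, src=src))
    return hits


# Constructed sample of what a capture on the server side might contain.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 389, build_simple_bind(1, "uid=user,ou=people,dc=domain,dc=com", "hunter2")),
    ("10.0.0.7", 636, b"\x16\x03\x01\x00\x05hello"),          # TLS record, opaque to us
    ("10.0.0.9", 389, build_sasl_bind(2, "GSSAPI", b"\x60\x00")),
]

if __name__ == "__main__":
    for hit in find_cleartext_binds(SAMPLE_SEGMENTS):
        print(f"cleartext simple bind from {hit['src']}: dn={hit['dn']} "
              f"(password of {hit['password_len']} bytes exposed)")
```

A client that issues STARTTLS first sends its BindRequest inside the TLS session, so this scanner only ever sees the binds that really went over the wire in the clear, which is exactly the case the server-side `olcSecurity: tls=1` setting rejects but cannot prevent from being transmitted.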