
Re: SSL/TLS Question



On Fri, 2003-05-09 at 17:46, Jim C wrote:
> > I'm trying to get SSL/TLS working on LDAP.  I want to force the clients
> ...
> > securely without using "TLS hard" or am I misunderstanding this?
> 
> In theory one could try changing the port on which LDAP gets plain text 
> stuff so that it is different from the TLS port (I believe they are the 
> same port on Mdk) and then either firewall off the one you don't want on 
> the server or use tcp wrappers to eliminate it or whatnot.

This is the idea behind Start TLS -- a server needs only one port, which
it can use for either encrypted or plain text use. OpenLDAP supports
StartTLS, so traffic on port 389 can be encrypted if the client requests
it.

The idea behind the 'security' setting in slapd.conf, if I understand it
correctly, is to be able to require a certain level of security,
regardless of the port. For instance, setting 'security tls=112' will
require that TLS be used (either over LDAPS or with StartTLS) with a
minimum of 112 bit security. Clear text transmissions over port 389
would not be allowed, but encrypted ones would.

That said, I don't think mapping port 389 to LDAPS would work for
clients that support Start TLS. If I recall correctly, the
initialization sequence for LDAPS is different than StartTLS... but I
could be wrong.

Matt

-- 
M Butcher <mbutcher@grcomputing.net>
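A slapd.conf fragment showing the 'security' directive Matt describes, with the permissive setup beside the enforced one. This is an added illustration, not configuration from the thread or from any poster; the certificate paths are assumed placeholders.

```conf
# --- Permissive: TLS is available but never required -----------------
# Clients may still send a simple bind in clear text on port 389.
# (assumed paths)
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/ldap-cert.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
# no 'security' directive

# --- Enforced: require TLS on every connection, whatever the port ----
# Same certificates. 'security tls=112' demands a TLS security strength
# factor of at least 112 bits before slapd will process an operation:
# StartTLS on 389 and ldaps:// on 636 both keep working, while a
# clear-text operation on 389 is refused with "confidentiality required".
# Note the difference from 'security ssf=112', which is also satisfied
# by a SASL encryption layer rather than TLS specifically.
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/ldap-cert.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
security tls=112
```

To check the enforced setting from a client, `ldapsearch -x -ZZ -H ldap://server ...` (the `-ZZ` flag makes the client abort if StartTLS fails) should succeed, while the same search without `-ZZ` should be rejected with "confidentiality required".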