
Re: LDAP TLS/SSL Security problem



Tue, 29.06.2004 at 23.15, sworden@focal.com wrote:
> I am new to the LDAP scene.  I've looked through most of the postings on
> this and other pages and found many of the same questions without answers.
> 
> I'm running OpenLDAP 2.1.30, nss_ldap-220, pam_ldap-169, Solaris 2.8 ,
> OpenSSL 0.9.7b 10 Apr 2003.  I am using LDAP for user authentication on all
> UNIX servers.  I know Solaris has an LDAP client, but I wanted to use the
> open source.  This may make it easier to do password aging.  I have LDAP
> without TLS running fine.  Only the communication between the client server
> and the master server is in clear text.  I have been trying to use TLS/SSL
> to encrypt it.

> HOST   <LDAP Server FQDN>
> BASE   dc=*********,dc=com
> URI    ldaps://<LDAP Server FQDN>
> TLS_CACER      /usr/local/etc/server.pem
> TLS_CACERTDIR  /usr/local/etc/server.pem
> TLS_KEY        /usr/local/etc/server.pem
> SIZELIMIT      12
> TIMELIMIT      15

In addition to what TF writes, the client should also be able to read
the above cert and be pointed at it in the client's config file (since
the cert is also the CA cert). With regard to the latter, your whole
security model is BLOWN by using a single cert in this manner, since
everyone now has the server's private key and can emulate the server for
their own, evil ends. Produce 3 separate certs: a CA cert, a server
public cert and a server private key. Yes, it involves a little extra
work, but it's the only way to go if you care about security.

--Tonni

-- 

We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: tonye@billy.demon.nl
http://www.billy.demon.nl
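
An added example of the three-artifact layout recommended above (not part of the original thread, and not OpenLDAP's own tooling): a POSIX shell script that uses openssl to produce a CA cert, a server cert signed by it and a separate server private key, writes the client-side and server-side config fragments that reference them, and checks that the file handed to clients contains no private key. The directory, subject names and hostname are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original posting: build a CA cert, a server
# cert and a server private key as separate files, so the CA cert can be
# copied to every client without leaking the server's key.
# All paths, subjects and the hostname ldap.example.com are constructed.
set -e

make_pki() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA: ca.key stays on the signing machine; only ca.pem is distributed.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

    # 2. Server key and CSR; server.key never leaves the LDAP server.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/server.key" "$dir/ca.key"

    # 3. Server certificate signed by the CA (public; safe to hand out).
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null

    # Client side (ldap.conf): only the CA cert, and require a valid chain.
    printf 'TLS_CACERT  %s/ca.pem\nTLS_REQCERT demand\n' "$dir" \
        > "$dir/ldap.conf.snippet"

    # Server side (slapd.conf): CA cert, server cert and server key.
    printf 'TLSCACertificateFile %s/ca.pem\nTLSCertificateFile %s/server.pem\nTLSCertificateKeyFile %s/server.key\n' \
        "$dir" "$dir" "$dir" > "$dir/slapd.conf.snippet"
}

# Returns 0 if server.pem chains to ca.pem, i.e. what a client will check.
chain_ok() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# Returns 0 if the file distributed to clients carries no private key.
no_key_leak() {
    ! grep -q 'PRIVATE KEY' "$1/ca.pem"
}
```

Run `make_pki /tmp/ldap-pki` and copy only `ca.pem` plus `ldap.conf.snippet` to the clients; `server.key` and `ca.key` stay where they were generated. The `no_key_leak` check is the test that would have failed for the single-file setup quoted above, where the same PEM served as CA cert, server cert and private key.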