I'd like to set up LDAP command line tools to point to a server -- say localhost -- that has a certificate with an arbitrary name in it -- say `my-domain.com`.
I'm not entirely sure how to get my LDAP tools to do that, though -- or if it's possible. By default, OpenLDAP is wound up pretty tight.
-- _jsn
Jason Dusek wrote:
> I'd like to set up LDAP command line tools to point to a server -- say localhost -- that has a certificate with an arbitrary name in it -- say `my-domain.com`.
> I'm not entirely sure how to get my LDAP tools to do that, though -- or if it's possible. By default, OpenLDAP is wound up pretty tight.
You shouldn't use SSL in such an insecure way. I'd recommend listening on localhost in the clear and listening on the external interface with SSL. There's no point in accessing ldaps://localhost except for testing.
slapd -h "ldap://127.0.0.1 ldaps://0.0.0.0"
This doesn't allow using StartTLS extended operation on the external interface though.
Or even better use ldapsearch -H ldapi:// (preferably with SASL/EXTERNAL bind, -Y EXTERNAL) for local access if the client apps support it.
slapd -h "ldap://127.0.0.1 ldapi:// ldaps://0.0.0.0"
Ciao, Michael.
Michael Ströder michael@stroeder.com wrote:
> You shouldn't use SSL in such an insecure way.
I don't use SSL for anything but encryption. Secure server identity is handled by my DNS setup. I guess if my hosting company wanted to attack me, I'd be in trouble.
The rest of your advice, while sound for testing, doesn't really address my original question.
Your affirmation of best practices is, of course, to be expected on this list and indeed in the AAA community at large. I don't operate under the assumption that explanation is endorsement. I'm aware of the danger that I'm getting into. I wouldn't use this mechanism for authenticating across offices, for example.
Jason Dusek wrote:
> Michael Ströder michael@stroeder.com wrote:
> > You shouldn't use SSL in such an insecure way.
> I don't use SSL for anything but encryption.
There's no proper authorization without proper authentication. In the case of SSL/TLS the encryption layer can only be securely established if the client checks the server's identity by validating the server's cert and checking the server's name.
> Secure server identity is handled by my DNS setup.
It is very unlikely that you can sufficiently protect DNS information unless you use signed DNS zones with DNSSEC, also on the client side. Checking the server's fully-qualified domain name against the CN or the subjectAltName of the server's certificate is a MUST.
Maybe you could elaborate on your particular needs.
Ciao, Michael.
On Friday 11 April 2008 01:42:30 Jason Dusek wrote:
> I'd like to set up LDAP command line tools to point to a server -- say localhost -- that has a certificate with an arbitrary name in it -- say `my-domain.com`.
> I'm not entirely sure how to get my LDAP tools to do that, though -- or if it's possible. By default, OpenLDAP is wound up pretty tight.
Either:
1) Add an entry to /etc/hosts so that the name on the certificate resolves to the correct IP address, and always use the name on any connection where you want certificate validation, or
2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are using anything besides OpenLDAP software (nss_ldap, pam_ldap) be aware that their configuration is not identical ...
Regards, Buchan
"BM" == Buchan Milne bgmilne@staff.telkomsa.net writes:
> I'd like to set up LDAP command line tools to point to a server -- say localhost -- that has a certificate with an arbitrary name in it -- say `my-domain.com`.
BM> Either:
BM> 1) Add an entry to /etc/hosts so that the name on the certificate resolves to the correct IP address, and always use the name on any connection where you want certificate validation, or
BM> 2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are using anything besides OpenLDAP software (nss_ldap, pam_ldap) be aware that their configuration is not identical ...
or, if you can, use the subjectAltName certificate extension. see the administrator's guide, 14.1.1. works as expected and there's no funky client side configuration required.
k.
On Tuesday 15 April 2008 15:23:11 kevin montuori wrote:
> "BM" == Buchan Milne bgmilne@staff.telkomsa.net writes:
> > I'd like to set up LDAP command line tools to point to a server -- say localhost -- that has a certificate with an arbitrary name in it -- say `my-domain.com`.
> BM> Either:
> BM> 1) Add an entry to /etc/hosts so that the name on the certificate resolves to the correct IP address, and always use the name on any connection where you want certificate validation, or
> BM> 2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are using anything besides OpenLDAP software (nss_ldap, pam_ldap) be aware that their configuration is not identical ...
> or, if you can, use the subjectAltName certificate extension. see the administrator's guide, 14.1.1. works as expected and there's no funky client side configuration required.
This solution assumes that you can change the cert (and even if you can, whether the CA supports/allows the subject alternative name extension), which is not necessarily a good assumption to make.
Regards, Buchan
On Tue, 15 Apr 2008, Buchan Milne wrote:
> On Friday 11 April 2008 01:42:30 Jason Dusek wrote:
> > I'd like to set up LDAP command line tools to point to a server -- say localhost -- that has a certificate with an arbitrary name in it -- say `my-domain.com`.
> ...
> Either: 1) Add an entry to /etc/hosts so that the name on the certificate resolves to the correct IP address, and always use the name on any connection where you want certificate validation
This should work (assuming the client has the cert of the CA that signed the server cert).
> or 2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are using anything besides OpenLDAP software (nss_ldap, pam_ldap) be aware that their configuration is not identical ...
This isn't sufficient. "TLS_REQCERT allow" only disables the checking of the certificate validity (known CA, etc) and not the checking of the hostname in the URI vs the names in the cert. To disable the name checking too, you have to use "TLS_REQCERT never".
Such a config has no protection from MitM attacks: you'll accept any cert from any CA.
Philip Guenther
(Correcting the ldap.conf(5) manpage is ITS #4941)
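The two points the thread settles on, Buchan's option 1 (make the certificate's name resolve to the server and connect by that name) and Philip's distinction between TLS_REQCERT allow and never, as an added Go model that is not code from the thread or from OpenLDAP: it builds a constructed self-signed cert for my-domain.com and shows which client checks pass or fail under each setting. The names serverCert and check are mine, and the behaviour of each TLS_REQCERT value follows the thread's description, not OpenLDAP's source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverCert builds a constructed, throwaway self-signed cert whose CN and
// subjectAltName are my-domain.com (not localhost), plus a pool trusting it.
func serverCert() (*x509.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with a working RNG
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "my-domain.com"},
		DNSNames:     []string{"my-domain.com"},
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // our own DER, always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return leaf, pool
}

// check models the client side of each TLS_REQCERT value as the thread describes
// it: "demand" needs a known CA (trusted, i.e. TLS_CACERT) and a name matching
// host (the host in the ldaps:// URI); "allow" ignores CA validity but still
// compares the name; "never" accepts anything, so it gives no MitM protection.
func check(reqcert, host string, cert *x509.Certificate, trusted *x509.CertPool) error {
	switch reqcert {
	case "demand":
		_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
		return err
	case "allow":
		return cert.VerifyHostname(host)
	case "never":
		return nil
	}
	return fmt.Errorf("unknown TLS_REQCERT value %q", reqcert)
}
```

With this model, check("demand", "my-domain.com", cert, pool) is option 1 (the /etc/hosts entry lets the client use the certificate's name) and passes, while check("demand", "localhost", cert, pool) fails on the name mismatch the original question ran into.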