4:42 p.m.
I'd like to set up LDAP command line tools to point to a server
-- say localhost -- that has a certificate with an arbitrary
name in it -- say `my-domain.com`.
I'm not entirely sure how to my LDAP tools to do that, though
-- or if it's possible. By default, OpenLDAP is wound up pretty
tight.
--
_jsn
2:24 a.m.
Jason Dusek wrote:
I'd like to set up LDAP command line tools to point to a server
-- say localhost -- that has a certificate with an arbitrary
name in it -- say `my-domain.com`.
I'm not entirely sure how to my LDAP tools to do that, though
-- or if it's possible. By default, OpenLDAP is wound up pretty
tight.
You shouldn't use SSL in such a insecure way. I'd recommend to listen on
localhost in clear and listen on external interface with SSL. There's
no point in accessing ldaps://localhost except for testing.
slapd -h "ldap://127.0.0.1 ldaps://0.0.0.0"
This doesn't allow using StartTLS extended operation on the external
interface though.
Or even better use ldapsearch -H ldapi:// (preferrably with
SASL/EXTERNAL bind -Y EXTERNAL) for local access if the client apps
support it.
slapd -h "ldap://127.0.0.1 ldapi:// ldaps://0.0.0.0"
Ciao, Michael.
1:55 p.m.
Michael Ströder <michael(a)stroeder.com> wrote:
You shouldn't use SSL in such a insecure way.
I don't use SSL for anything but encryption. Secure server
identity is handled by my DNS setup. I guess if my hosting
company wanted to attack me, I'd be in trouble.
The rest of your advice, while sound for testing, doesn't
really address my original question.
Your affirmation of best-practices is, of course, to be
expected on this list and indeed in the AAA community at
larger. I don't operate under the assumption that explanation
is endorsement. I'm aware of the danger that I'm getting into.
I wouldn't use this mechanism for authenticating across
offices, for example.
--
_jsn
5:51 a.m.
Jason Dusek wrote:
Michael Ströder <michael(a)stroeder.com> wrote:
> You shouldn't use SSL in such a insecure way.
I don't use SSL for anything but encryption.
There's no proper authorization without proper authentication. In the
case of SSL/TLS the encryption layer can only be securly established if
the client checks the server's identity by validating the server's cert
and checking the server's name.
Secure server identity is handled by my DNS setup.
It is very unlikely that you can sufficiently protect DNS information
unless you use signed DNS zones with DNSSEC also on the client side.
Checking the server's fully-qualified domain-name against the CN or the
subjectAltName of the server's certificate is a MUST.
Maybe you could elaborate on your particular needs.
Ciao, Michael.
5:55 a.m.
On Friday 11 April 2008 01:42:30 Jason Dusek wrote:
I'd like to set up LDAP command line tools to point to a server
-- say localhost -- that has a certificate with an arbitrary
name in it -- say `my-domain.com`.
I'm not entirely sure how to my LDAP tools to do that, though
-- or if it's possible. By default, OpenLDAP is wound up pretty
tight.
Either:
1)Add an entry to /etc/hosts so that the name on the certificate resolves to
the correct IP address, and always use the name on any connection where you
want certificate validation
or
2)Add
TLS_REQCERT allow
to the OpenLDAP ldap.conf. If you are using anything besides OpenLDAP software
(nss_ldap,pam_ldap) be aware that their configuration is not identical ...
Regards,
Buchan
6:23 a.m.
>>>> "BM" == Buchan Milne
<bgmilne(a)staff.telkomsa.net> writes:
> I'd like to set up LDAP command line tools to point to a
server
> -- say localhost -- that has a certificate with an arbitrary
> name in it -- say `my-domain.com`.
BM> Either:
BM> 1)Add an entry to /etc/hosts so that the name on the certificate
BM> resolves to the correct IP address, and always use the name on
BM> any connection where you want certificate validation or
BM> 2)Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are
BM> using anything besides OpenLDAP software (nss_ldap,pam_ldap) be
BM> aware that their configuration is not identical ...
or, if you can, use the subjectAltName certificate extension. see the
administrator's guide, 14.1.1. works as expected and there's no funky
client side configuration required.
k.
--
kevin montuori
montuori(a)gmail.com
9:07 a.m.
On Tuesday 15 April 2008 15:23:11 kevin montuori wrote:
>>>>> "BM" == Buchan Milne
<bgmilne(a)staff.telkomsa.net> writes:
>>
>> I'd like to set up LDAP command line tools to point to a server
>> -- say localhost -- that has a certificate with an arbitrary
>> name in it -- say `my-domain.com`.
BM> Either:
BM> 1)Add an entry to /etc/hosts so that the name on the certificate
BM> resolves to the correct IP address, and always use the name on
BM> any connection where you want certificate validation or
BM> 2)Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are
BM> using anything besides OpenLDAP software (nss_ldap,pam_ldap) be
BM> aware that their configuration is not identical ...
or, if you can, use the subjectAltName certificate extension. see the
administrator's guide, 14.1.1. works as expected and there's no funky
client side configuration required.
This solution assumes that you can change the cert (and even if you can,
whether the CA supports/allows the subject alternative name extension), which
is not necessarily a good assumption to make.
Regards,
Buchan
11:46 a.m.
On Tue, 15 Apr 2008, Buchan Milne wrote:
On Friday 11 April 2008 01:42:30 Jason Dusek wrote:
> I'd like to set up LDAP command line tools to point to a server
> -- say localhost -- that has a certificate with an arbitrary
> name in it -- say `my-domain.com`.
...
Either:
1)Add an entry to /etc/hosts so that the name on the certificate
resolves to the correct IP address, and always use the name on any
connection where you want certificate validation
This should work (assuming the client has the cert of the CA that signed
the server cert).
or
2)Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are using
anything besides OpenLDAP software (nss_ldap,pam_ldap) be aware that
their configuration is not identical ...
This isn't sufficient. "TLS_REQCERT allow" only disables the checking of
the certificate validity (known CA, etc) and not the checking of the
hostname in the URI vs the names in the cert. To disable the name
checking too, you have to use "TLS_REQCERT never".
Such a config has no protection from MitM attacks: you'll accept any cert
from any CA.
Philip Guenther
(Correcting the ldap.conf(5) manpage is ITS #4941)
5714
days inactive
5719
days old
openldap-software@openldap.org
7 comments
5 participants
participants (5)
-
Buchan Milne -
Jason Dusek -
kevin montuori -
Michael Ströder -
Philip Guenther