Re: forcing encryption for external server access while allowing unencrypted localhost connections
Sorry for reopening / reasking the following issue.
I tried to scan through all posts, but this answer seemed to be the closest one to my problem. (We're using OpenLDAP 2.4 on Debian Lenny)
Link: http://www.openldap.org/lists/openldap-software/200409/msg00535.html
If you're willing to concede that 127.0.0.0/8 will never appear outside of your loopback interface, you can synthesize this by checking peer IPs.
# 127.0.0.1 is allowed, regardless of ssf. world at large needs ssf check access to dn.<dnstyle1>=<what1> by peername.ip=127.0.0.1 <access1> by * none break # We're not coming via loopback; ssf must be checked. access to dn.<dnstyle1>=<what1> by ssf=128 <access2> by * none
Situation: For deployment we want to use TLS client certificates, as far as possible, using TLS encryption all the way long.
Problem: Apache Directory Studio, as well as JXplorer do not support (TLS) client certificate verification, what is agreed not to be a topic of openldap. But anyway...
My proposed solution: * All clients, which support client certificate verification, should directly connect using TLS to the LDAP server. * All clients, esp. the management tools, should establish a ssh-tunnel to the server and connect through localhost entity. * (optional) specific clients should be able to connect via specific access rules (but this is a future topic ;) )
Implementation: This is not clear to me, how the previous posts are related to my problem, and how to configure the OpenLDAP server. I tried several scenarios with varying results, but no one was perfect yet.
Here a snippet of my current slapd.conf: --------------- # the "ssl tls=1" is not necessary due to the special # access rule in the remainder of this configuration
TLSCACertificateFile /etc/ssl/CA/cacert.pem TLSCertificateKeyFile /etc/ssl/private/privkey.pem TLSCertificateFile /etc/ssl/certs/pubkey.pem TLSVerifyClient demand # for highest security
# The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below access to attrs=userPassword,shadowLastChange by peername.ip=127.0.0.1 write by ssf=128 dn="cn=admin,dc=example,dc=com" write by ssf=128 anonymous auth by ssf=128 self write by * none
# Security considerations (TESTING!!!!) # http://www.openldap.org/lists/openldap-software/200409/msg00535.html # access from 127.0.0.1 without encryption access to dn.subtree="dc=example,dc=com" by peername.ip=127.0.0.1 write by * none break # worldwide access requires tls encryption access to dn.subtree="dc=example,dc=com" by ssf=128 write by * none
# Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read
# The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=example,dc=com" write by * read ---------------
Questions: 1) Turing off the option "ssl tls=1" means, a client can contact the server without encryption. If a password is transmitted, it will be rejected, but it is still transmitted unsecure. Due you have any recommendations according this issue? Possible solution: The server only responds to unencrypted requests on the local interface. How can I achieve this? 2) With the above presented solution, I can not change my own password as the desired user (Invalid credentials (49)), only as admin(root). Why? 3) What would be the appropriate way to achieve my goal? * Locking the dc=example,dc=com base from all unencrypted access from "worldwide" hosts. (admin should still have full access, but encryption has to be enforced) * Allowing access to the complete ldap tree without encryption from localhost
Thank you very much, any help or further link is appreciated. I spent almost one week now reading and completing the stuff, but sometimes it works, but a "whole" is left, otherwise only parts of the ldap server are accessible as desired.
Best regards, Robert
Robert Henjes henjes@informatik.uni-wuerzburg.de writes:
Sorry for reopening / reasking the following issue.
I tried to scan through all posts, but this answer seemed to be the closest one to my problem. (We're using OpenLDAP 2.4 on Debian Lenny)
[...]
Situation: For deployment we want to use TLS client certificates, as far as possible, using TLS encryption all the way long.
Problem: Apache Directory Studio, as well as JXplorer do not support (TLS) client certificate verification, what is agreed not to be a topic of openldap. But anyway...
Why do you use this broken clients at all? There are adminstration clients that do support tls and startTLS and most of extend operations.
My proposed solution: * All clients, which support client certificate verification, should directly connect using TLS to the LDAP server. * All clients, esp. the management tools, should establish a ssh-tunnel to the server and connect through localhost entity. * (optional) specific clients should be able to connect via specific access rules (but this is a future topic ;) )
[...]
# Security considerations (TESTING!!!!) # http://www.openldap.org/lists/openldap-software/200409/msg00535.html # access from 127.0.0.1 without encryption access to dn.subtree="dc=example,dc=com" by peername.ip=127.0.0.1 write by * none break # worldwide access requires tls encryption access to dn.subtree="dc=example,dc=com" by ssf=128 write by * none
If your question only is related to unencrypted connection from localhost, why don't you connect via local socket only? That is via ldapi:///
-Dieter
Dieter Kluenter wrote:
There are adminstration clients that do support tls and startTLS and most of extend operations.
Well, one has to be careful regarding security aspects of TLS with client cert authentication. No matter you use LDAP, HTTPS or whatever this only makes sense if the clients are operated by human end-users who *interactively* enter a passphrase for a private key stored on disk or a PIN for a private key stored in a smartcard.
If you have private keys without a passphrase on disk this is no more secure than having a password for a bind-DN on disk in a config file. In both cases only local file permissions protect the client credential from being abused.
Using client cert authc with SASL/EXTERNAL for a web-based LDAP client authenticates the user running the web application. Using client authc with HTTPS is of no use except you fully trust the web application to correctly implement Proxy Authorization. I currently don't know any Open Source web-based LDAP client which does that.
Ciao, Michael.
openldap-software@openldap.org
-
Dieter Kluenter -
Michael Ströder -
Robert Henjes