--On Thursday, March 10, 2016 3:02 PM -0500 Jerry <jerry@seibercom.net> wrote:

> On Thu, 10 Mar 2016 10:47:51 -0800, Quanah Gibson-Mount stated:
>
>> --On Thursday, March 10, 2016 1:05 PM -0500 Jerry <jerry@seibercom.net> wrote:
>>
>>> I just started creating a new server with FreeBSD 11. I installed the OpenLDAP port. Now I am trying to figure out how to get sasl2 up and running. OpenLDAP is running fine now without it, but I want to secure it further. Can anyone suggest a good "How to" on how to accomplish this on a FreeBSD OS (if that makes any difference)? Examples are welcomed :)
>>
>> What is it you want to do, exactly?
>
> Right now, it is my understanding that everything passes through in clear text. I wanted to enforce TLS. Maybe it is not a big deal. I have been reading where it is supposed to be a good idea.
>
> I found this URL: http://www.openldap.org/faq/data/cache/185.html. I am going to give it a try and see what happens.
Enforcing TLS on the connection has zero to do with SASL. You /could/ set up SASL/EXTERNAL as an authentication mechanism by doing cert authentication, or you could use other SASL authentication mechanisms such as SASL/GSSAPI, etc., all of which also encrypt the connection as well. You can have (and there often is) TLS encryption on the connection in addition to encryption provided by various SASL mechanisms. However, a lot of software is brain dead and doesn't even know how to do SASL authentication, so invariably one ends up having to support simple binds anyway, at which point forcing encryption via TLS is useful.
However, no matter what you do, with ldap on port 389, there is no way to prevent the client from sending the DN + Password in the clear to the server when using simple binds, even if the server enforces encryption.
--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
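An added illustration of the point made above, not code from this thread or from the OpenLDAP project: a minimal BER encoder/decoder for the LDAP BindRequest, SASL bind and StartTLS extended-request messages (RFC 4511 tags), run over constructed sample messages as they would appear on port 389 before any TLS is negotiated. The audit function is a hypothetical helper for a packet-capture review; it shows why a server-side confidentiality requirement cannot stop a client that sends a simple bind first from having already put the DN and password on the wire, while a client that issues StartTLS (or uses a SASL mechanism such as EXTERNAL) before binding does not.

```python
"""Decode LDAP BindRequest / StartTLS messages from raw bytes to show
what a passive observer on port 389 sees before TLS is negotiated.
Added example; message builders and samples are constructed here."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, dn, simple [0] pw } }"""
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)


def sasl_bind(msg_id: int, mechanism: str, creds: bytes = b"") -> bytes:
    """BindRequest with AuthenticationChoice sasl [3] SaslCredentials."""
    sasl = tlv(0x04, mechanism.encode()) + (tlv(0x04, creds) if creds else b"")
    op = tlv(0x60, ber_int(3) + tlv(0x04, b"") + tlv(0xA3, sasl))
    return tlv(0x30, ber_int(msg_id) + op)


def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] { requestName [0] = StartTLS OID }"""
    op = tlv(0x77, tlv(0x80, STARTTLS_OID.encode()))
    return tlv(0x30, ber_int(msg_id) + op)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(raw: bytes) -> dict:
    """Decode the envelope and the bind / extended operations we care about."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, idbody, pos = read_tlv(body)
    msg_id = int.from_bytes(idbody, "big", signed=True)
    optag, opbody, _ = read_tlv(body, pos)
    if optag == 0x60:  # BindRequest
        _, _version, pos = read_tlv(opbody)
        _, name, pos = read_tlv(opbody, pos)
        atag, auth, _ = read_tlv(opbody, pos)
        if atag == 0x80:  # simple: the password is a plain OCTET STRING
            return {"id": msg_id, "op": "bind", "auth": "simple",
                    "dn": name.decode(), "password": auth.decode()}
        if atag == 0xA3:  # sasl: mechanism name, credentials handled by the mechanism
            _, mech, _ = read_tlv(auth)
            return {"id": msg_id, "op": "bind", "auth": "sasl", "mechanism": mech.decode()}
    if optag == 0x77:  # ExtendedRequest
        _, oid, _ = read_tlv(opbody)
        return {"id": msg_id, "op": "extended", "oid": oid.decode()}
    return {"id": msg_id, "op": "other", "tag": optag}


def audit_cleartext_stream(messages) -> list:
    """Hypothetical capture review: list what is exposed in the clear on a
    port-389 stream. Stops at StartTLS, after which the bytes are encrypted."""
    findings = []
    for raw in messages:
        m = parse_ldap_message(raw)
        if m["op"] == "extended" and m["oid"] == STARTTLS_OID:
            findings.append((m["id"], "StartTLS requested; later traffic is encrypted"))
            break
        if m["op"] == "bind" and m["auth"] == "simple" and m["password"]:
            findings.append((m["id"], f"cleartext simple bind for {m['dn']}"))
        elif m["op"] == "bind" and m["auth"] == "sasl":
            findings.append((m["id"], f"SASL bind ({m['mechanism']}); no simple password on the wire"))
    return findings


if __name__ == "__main__":
    # Constructed samples: a client that binds before StartTLS, and one that does not.
    eager = [simple_bind(1, "cn=admin,dc=example,dc=org", "s3cret")]
    careful = [starttls_request(1), simple_bind(2, "cn=admin,dc=example,dc=org", "s3cret")]
    for label, stream in (("bind-first client", eager), ("StartTLS-first client", careful)):
        print(label, audit_cleartext_stream(stream))
```

The "bind-first" stream is exactly the case described above: a server configured to require confidentiality will refuse that bind, but the refusal arrives after the credentials have already crossed the network. The fix is on the client side (`ldapsearch -ZZ`, or an `ldap.conf` that mandates TLS, or ldaps on 636), with the server requirement as a backstop.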