1:32 p.m.
I have setup my OpenLDAP server to use TLS and I can successfully bind/search/update/etc
over a TLS connection. I have also set olcSecurity. Here is my database:
root@baneling:~/ldif_files# slapcat -F /etc/ldap/slapd.d -s olcDatabase={1}mdb,cn=config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=harmonywave,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonym
ous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=harmonywave,dc=com
olcRootPW:: e1NTSEF9dUhDcE1jUUJoWlpuc0twRHBNQkVCUGtmTFA5SC9EYUU=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: caa04334-6857-1035-9fbb-dd6671002504
creatorsName: cn=admin,cn=config
createTimestamp: 20160215174631Z
olcSecurity: simple_bind=256
olcSecurity: ssf=256
entryCSN: 20160215210910.287865Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20160215210910Z
When I try to do any sort of ldap operation without the -ZZ option then slapd returns a
"TLS confidentiality required" message as it should and as I expect. However, If
I sniff the wire, I still see the attempted bind request with my DN and password in
plaintext.
Is there any way to force clients to use start_tls without sending any credentials over
the wire (a.k.a. return an error message before a bind request is actually submitted) or
does this have to be controlled outside of OpenLDAP?
Thanks,
Joshua
1:50 p.m.
--On Monday, February 15, 2016 2:32 PM -0700 Joshua Schaeffer
<jschaeffer0922(a)gmail.com> wrote:
Is there any way to force clients to use start_tls without sending
any
credentials over the wire
No, unfortunately that was not taken into consideration when the LDAP v3
spec was written.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
3:40 p.m.
On 02/15/2016 02:50 PM, Quanah Gibson-Mount wrote:
--On Monday, February 15, 2016 2:32 PM -0700 Joshua Schaeffer
<jschaeffer0922(a)gmail.com> wrote:
> Is there any way to force clients to use start_tls without sending any
> credentials over the wire
No, unfortunately that was not taken into consideration when the LDAP v3 spec was
written.
Okay good to know. Thanks for the quick reply.
Joshua
5:15 p.m.
Joshua Schaeffer wrote:
When I try to do any sort of ldap operation without the -ZZ option
then slapd
returns a "TLS confidentiality required" message as it should and as I expect.
However, If I sniff the wire, I still see the attempted bind request with my DN
and password in plaintext.
Is there any way to force clients to use start_tls without sending any
credentials over the wire (a.k.a. return an error message before a bind request
is actually submitted) or does this have to be controlled outside of OpenLDAP?
Simply use LDAPS (on separate port). It was never defined in a standard but most
LDAP-enabled software supports it.
Ciao, Michael.
6:12 p.m.
Michael Ströder wrote:
Joshua Schaeffer wrote:
> When I try to do any sort of ldap operation without the -ZZ option then slapd
> returns a "TLS confidentiality required" message as it should and as I
expect.
> However, If I sniff the wire, I still see the attempted bind request with my DN
> and password in plaintext.
>
> Is there any way to force clients to use start_tls without sending any
> credentials over the wire (a.k.a. return an error message before a bind request
> is actually submitted) or does this have to be controlled outside of OpenLDAP?
Simply use LDAPS (on separate port). It was never defined in a standard but most
LDAP-enabled software supports it.
Or just use ldaps on the standard port 389. If you only want TLS-protected
sessions there's no reason to support plaintext connections.
And no, there is no way for any setting on the server to prevent clients from
contacting the server in whatever way they choose. If your clients default to
sending in plaintext, you have to fix all of your clients.
Quanah's comment:
No, unfortunately that was not taken into consideration when the LDAP
v3 spec was written.
is a bit of a red herring. The basics of the Bind operation were defined back
in the 1980s in X.500. For performance reasons the protocol is designed with a
1 message request -> 1 message response model. The only way to prevent a
client from sending credentials in the clear would be to break the Bind
request into two message exchanges. Instead of
"I want to Bind as DN xxx with password yyy" ->
<- "OK"
you would have had to do something like
"I want to Bind" ->
<- "OK send me your credentials"
"Here's my DN xxx and password yyy" ->
<- "OK"
Taking twice as many messages would slow down authentication by 2x. Instead of
pessimizing the common case the design assumes that competent administrators
have set up both the clients and the servers.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7:44 p.m.
Michael Ströder wrote:
>
> Simply use LDAPS (on separate port). It was never defined in a standard but most
> LDAP-enabled software supports it.
I did ended up doing this. I had an application that didn't support start_tls on an
ldap URI, but did support ldaps (or at least I couldn't find a way to get it to issue
start_tls).
On 02/15/2016 07:12 PM, Howard Chu wrote:
is a bit of a red herring. The basics of the Bind operation were defined back in the
1980s in X.500. For performance reasons the protocol is designed with a 1 message request
-> 1 message response model. The only way to prevent a client from sending credentials
in the clear would be to break the Bind request into two message exchanges. Instead of
"I want to Bind as DN xxx with password yyy" ->
<- "OK"
you would have had to do something like
"I want to Bind" ->
<- "OK send me your credentials"
"Here's my DN xxx and password yyy" ->
<- "OK"
Taking twice as many messages would slow down authentication by 2x. Instead of
pessimizing the common case the design assumes that competent administrators have set up
both the clients and the servers.
Thanks, this makes sense.
Joshua
8 p.m.
Joshua Schaeffer wrote:
> Michael Ströder wrote:
>>
>> Simply use LDAPS (on separate port). It was never defined in a standard but
>> most
>> LDAP-enabled software supports it.
I did ended up doing this. I had an application that didn't support start_tls
on an ldap URI, but did support ldaps (or at least I couldn't find a way to
get it to issue start_tls).
In OpenLDAP's libldap just use a URL extension:
ldap://host/????starttls
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
2852
days inactive
2853
days old
openldap-technical@openldap.org
7 comments
4 participants
participants (4)
-
Howard Chu -
Joshua Schaeffer -
Michael Ströder -
Quanah Gibson-Mount