Is there some way to ensure that a client who connects on port 389 can do nothing without StartTLS?
Or is it necessary to just disable port 389 and only listen for ldaps:/// ?
On Sun, 26 Feb 2012 11:49:14 +0100, Daniel Pocock daniel@pocock.com.au wrote:
> Is there some way to ensure that a client who connects on port 389 can do nothing without StartTLS?
> Or is it necessary to just disable port 389 and only listen for ldaps:/// ?
Read the TLS OPTIONS section in man ldap.conf(5) and man slapd.conf(5).
-Dieter
On 26/02/12 12:15, Dieter Klünter wrote:
> On Sun, 26 Feb 2012 11:49:14 +0100, Daniel Pocock daniel@pocock.com.au wrote:
> > Is there some way to ensure that a client who connects on port 389 can do nothing without StartTLS?
> > Or is it necessary to just disable port 389 and only listen for ldaps:/// ?
> Read the TLS OPTIONS section in man ldap.conf(5) and man slapd.conf(5).
Thanks for the fast reply.
I'm not keen to rely on ldap.conf (client-side config) - I want to enforce a preference for TLS from the server side, to avoid a situation where some application might be configured non-TLS by mistake.
I've looked at the TLS options and I have TLS running fine already. I notice the TLSCipherSuite option sets the cipher level within TLS, but it doesn't appear to guarantee that TLS is used.
To make an analogy, in Postfix I require `plain' authentication, but the client is not allowed to try to authenticate until it has done StartTLS, because I never want a client to try sending a password over a channel that is not encrypted.
For the moment, I have just disabled port 389.
On 26/2/2012 1:39 PM, Daniel Pocock wrote:
> I've looked at the TLS options and I have TLS running fine already. I notice the TLSCipherSuite option sets the cipher level within TLS, but it doesn't appear to guarantee that TLS is used.
I am not an expert on it, but I have found this solution to the issue: http://www.openldap.org/lists/openldap-software/200707/msg00341.html, although I haven't used it myself (but I am planning to).
I believe it does what you want.
If there is another, more straightforward solution using only configuration directives, I don't know of it.
Best regards, Nick
On Sun, 26 Feb 2012 12:39:26 +0100, Daniel Pocock daniel@pocock.com.au wrote:
> On 26/02/12 12:15, Dieter Klünter wrote:
> > On Sun, 26 Feb 2012 11:49:14 +0100, Daniel Pocock daniel@pocock.com.au wrote:
> > > Is there some way to ensure that a client who connects on port 389 can do nothing without StartTLS?
> > > Or is it necessary to just disable port 389 and only listen for ldaps:/// ?
> > Read the TLS OPTIONS section in man ldap.conf(5) and man slapd.conf(5).
> Thanks for the fast reply.
> I'm not keen to rely on ldap.conf (client-side config) - I want to enforce a preference for TLS from the server side, to avoid a situation where some application might be configured non-TLS by mistake.
> I've looked at the TLS options and I have TLS running fine already. I notice the TLSCipherSuite option sets the cipher level within TLS, but it doesn't appear to guarantee that TLS is used.
From man slapd.conf:
    TLSVerifyClient <level>
        demand | hard | true
            These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
> To make an analogy, in Postfix I require `plain' authentication, but the client is not allowed to try to authenticate until it has done StartTLS, because I never want a client to try sending a password over a channel that is not encrypted.
Postfix is an LDAP client, thus all client configurations apply according to man ldap.conf(5).
-Dieter
If you want to disable simple bind (password) etc. without encryption, you might go along the lines of:
    security ssf=1 update_ssf=112 simple_bind=112
in slapd.conf.
On Sun, 26 Feb 2012 11:49:14 +0100, Daniel Pocock daniel@pocock.com.au wrote:
> Is there some way to ensure that a client who connects on port 389 can do nothing without StartTLS?
> Or is it necessary to just disable port 389 and only listen for ldaps:/// ?
That would be another option, its feasibility depending on your environment.
kind regards /markus
Dieter Klünter wrote:
> On Sun, 26 Feb 2012 12:39:26 +0100, Daniel Pocock daniel@pocock.com.au wrote:
> > On 26/02/12 12:15, Dieter Klünter wrote:
> > > On Sun, 26 Feb 2012 11:49:14 +0100, Daniel Pocock daniel@pocock.com.au wrote:
> > > > Is there some way to ensure that a client who connects on port 389 can do nothing without StartTLS?
> > > > Or is it necessary to just disable port 389 and only listen for ldaps:/// ?
> > > Read the TLS OPTIONS section in man ldap.conf(5) and man slapd.conf(5).
> > Thanks for the fast reply.
> > I'm not keen to rely on ldap.conf (client-side config) - I want to enforce a preference for TLS from the server side, to avoid a situation where some application might be configured non-TLS by mistake.
> > I've looked at the TLS options and I have TLS running fine already. I notice the TLSCipherSuite option sets the cipher level within TLS, but it doesn't appear to guarantee that TLS is used.
> From man slapd.conf:
>     TLSVerifyClient <level>
>         demand | hard | true
>             These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
> > To make an analogy, in Postfix I require `plain' authentication, but the client is not allowed to try to authenticate until it has done StartTLS, because I never want a client to try sending a password over a channel that is not encrypted.
> Postfix is an LDAP client, thus all client configurations apply according to man ldap.conf(5).
Dieter, no.
Josh Miller's post was correct: http://www.openldap.org/lists/openldap-technical/201202/msg00414.html
Look at the options for setting ssf (Security Strength Factors):
http://www.openldap.org/doc/admin24/access-control.html#Granting%20and%20Den...)
I typically set up a global minssf of 256 to ensure maximum security, when possible, via 'security minssf=256'.
re: man slapd.conf
HTH,
Joshua Miller
ITSA Consulting, LLC
http://itsecureadmin.com/
On Feb 26, 2012, at 2:49 AM, Daniel Pocock wrote:
> Is there some way to ensure that a client who connects on port 389 can do nothing without StartTLS?
> Or is it necessary to just disable port 389 and only listen for ldaps:/// ?
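Markus's `security ssf=1 update_ssf=112 simple_bind=112` and Josh's global SSF minimum both rely on the same server-side mechanism: slapd assigns every connection a Security Strength Factor (0 for cleartext, otherwise the key size of the negotiated TLS or SASL layer) and refuses, with LDAP result 13 "confidentiality required", any operation whose required factor the connection does not meet, while the StartTLS extended operation itself stays exempt so a port-389 client can still upgrade. The model below is an added example written for this page, not OpenLDAP's code or anything posted in the thread; the cipher-to-SSF table, the two slapd.conf fragments and the operation names are constructed to illustrate the check. One caveat worth noting when copying the thread's suggestions: slapd.conf(5) documents the factors of the `security` directive as ssf, transport, tls, sasl, update_ssf, update_transport, update_tls, update_sasl and simple_bind; `minssf` is a sasl-secprops keyword, so a global 256-bit requirement is spelled `security ssf=256`, and the parser here rejects the other spelling for that reason.

```python
"""Toy model of the slapd.conf `security` directive.

Added example, not OpenLDAP code: it models how slapd compares a connection's
Security Strength Factor (SSF) against the minimums set by
`security ssf=... update_ssf=... simple_bind=...` and answers with LDAP result
13 (confidentialityRequired) when the connection is not protected enough.
Only the ssf, update_ssf and simple_bind factors are modelled; the SSF of a
TLS session is taken to be the negotiated cipher's key size, as in slapd.
"""

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13   # slapd's reply to an under-protected op

# SSF scale from the OpenLDAP admin guide: 0 = no protection, 1 = integrity
# only, otherwise roughly the symmetric key length in bits. Cipher names are
# OpenSSL-style; this mapping is a constructed lookup table, not slapd's.
CIPHER_SSF = {
    "cleartext": 0,          # port 389 before (or without) StartTLS
    "DES-CBC-SHA": 56,
    "DES-CBC3-SHA": 112,
    "AES128-SHA": 128,
    "AES256-GCM-SHA384": 256,
}

# Factors slapd.conf(5) documents for `security`. "minssf" is not among them
# (it is a sasl-secprops keyword), so the parser below rejects it.
SECURITY_FACTORS = {
    "ssf", "transport", "tls", "sasl",
    "update_ssf", "update_transport", "update_tls", "update_sasl",
    "simple_bind",
}

UPDATE_OPS = {"add", "modify", "modrdn", "delete"}


def parse_security(line):
    """Parse one `security k=v ...` line from slapd.conf into {factor: int}."""
    tokens = line.split()
    if not tokens or tokens[0] != "security":
        raise ValueError("not a security directive: %r" % line)
    policy = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if key not in SECURITY_FACTORS or not sep or not value.isdigit():
            raise ValueError("bad security factor: %r" % tok)
        policy[key] = int(value)
    return policy


def check_operation(policy, op, cipher="cleartext"):
    """Result code slapd would return for `op` on a connection whose TLS layer
    negotiated `cipher` ("cleartext" means no TLS yet)."""
    ssf = CIPHER_SSF[cipher]
    # StartTLS is exempt from the SSF checks: without that exemption a client
    # on port 389 could never upgrade, and `security ssf=1` would be a lockout.
    if op == "starttls":
        return LDAP_SUCCESS
    required = policy.get("ssf", 0)
    if op == "simple_bind":
        required = max(required, policy.get("simple_bind", 0))
    elif op in UPDATE_OPS:
        required = max(required, policy.get("update_ssf", 0))
    return LDAP_SUCCESS if ssf >= required else LDAP_CONFIDENTIALITY_REQUIRED


def client_session(policy, use_starttls, cipher="AES128-SHA"):
    """What a client sees when it binds on port 389 with or without StartTLS:
    the result code of its simple bind (the misconfigured-application case)."""
    negotiated = "cleartext"
    if use_starttls and check_operation(policy, "starttls") == LDAP_SUCCESS:
        negotiated = cipher
    return check_operation(policy, "simple_bind", negotiated)


# Constructed slapd.conf fragments: nothing enforced (the default) beside the
# directive suggested in the thread.
WEAK_CONF = "security ssf=0"
HARDENED_CONF = "security ssf=1 update_ssf=112 simple_bind=112"


def compare_policies():
    """Result codes (weak, hardened) for a few operations under both fragments."""
    weak, hardened = parse_security(WEAK_CONF), parse_security(HARDENED_CONF)
    cases = [
        ("simple_bind", "cleartext"),     # password on the wire in the clear
        ("search", "cleartext"),
        ("modify", "DES-CBC-SHA"),        # TLS, but only a 56-bit cipher
        ("simple_bind", "DES-CBC3-SHA"),
    ]
    return {
        (op, cipher): (check_operation(weak, op, cipher),
                       check_operation(hardened, op, cipher))
        for op, cipher in cases
    }


if __name__ == "__main__":
    for (op, cipher), (before, after) in compare_policies().items():
        print("%-12s over %-17s weak=%2d hardened=%2d" % (op, cipher, before, after))
```

The `security` directive may appear globally or inside a database section of slapd.conf, and the same factors are available as the `ssf=` qualifier on `access to` rules, which is the per-attribute variant the access-control link above points at; the model keeps to the global form because that is what both posts in the thread propose.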
openldap-technical@openldap.org