02-14-2012, 11:46 PM
Fajar Priyanto

LDAP encryption, not sure.

Hi all,
I'm setting up a local LDAP server with a pass-through authentication
to another LDAP.
I'm not clear about the encryption.

Say the case is like this. CompB is set to have LDAP authentication.
A ---> SSH ---> CompB ---> Local LDAP:389 ---> SASLAUTHD --> Global LDAP: 636

1. The password on the SSH session would be encrypted, wouldn't it?
2. How about when it goes to the local LDAP:389, would it be encrypted?

Thank you.
Fajar.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
02-15-2012, 10:26 AM
Marc Deop

LDAP encryption, not sure.

On Wednesday 15 February 2012 08:46:02 Fajar Priyanto wrote:
> Say the case is like this. CompB is set to have LDAP authentication.
> A ---> SSH ---> CompB ---> Local LDAP:389 ---> SASLAUTHD --> Global LDAP: 636
>
> 1. The password on the SSH session would be encrypted, wouldn't it?
> 2. How about when it goes to the local LDAP:389, would it be encrypted?
>

AFAIK no, it won't be encrypted. However, the only way to read that information would be to already have access to your computer (so you'd be screwed anyway).

Regards
 
02-15-2012, 10:34 PM
Craig White

LDAP encryption, not sure.

On Feb 14, 2012, at 5:46 PM, Fajar Priyanto wrote:

> Hi all,
> I'm setting up a local LDAP server with a pass-through authentication
> to another LDAP.
> I'm not clear about the encryption.
>
> Say the case is like this. CompB is set to have LDAP authentication.
> A ---> SSH ---> CompB ---> Local LDAP:389 ---> SASLAUTHD --> Global LDAP: 636
>
> 1. The password on the SSH session would be encrypted, wouldn't it?
----
ldaps (port 636) would indeed be encrypted but it is deprecated and not typically started by default configurations these days.
----
> 2. How about when it goes to the local LDAP:389, would it be encrypted?
----
Depends upon whether TLS is indicated and/or required.

If you require it via an ACL on the LDAP server, then it succeeds only if the connection is made via TLS.

If you require it at the client (TLS_ReqCert demand or hard), then it succeeds only if the connection is made via TLS.

Craig
 
02-16-2012, 01:20 AM
Fajar Priyanto

LDAP encryption, not sure.

On Thu, Feb 16, 2012 at 7:34 AM, Craig White <craig.white@ttiltd.com> wrote:
>> Say the case is like this. CompB is set to have LDAP authentication.
>> A ---> SSH ---> CompB ---> Local LDAP:389 ---> SASLAUTHD --> Global LDAP: 636
>>
>> 1. The password on the SSH session would be encrypted, wouldn't it?
> ----
> ldaps (port 636) would indeed be encrypted but it is deprecated and not typically started by default configurations these days.
> ----
>> 2. How about when it goes to the local LDAP:389, would it be encrypted?
> ----
> depends upon whether TLS is indicated and/or required.
>
> If you require it via an ACL on the LDAP server, then it succeeds only if the connection is made via TLS.
>
> If you require it at the client (TLS_ReqCert demand or hard), then it succeeds only if the connection is made via TLS.

Thanks for the thoughts so far.
When I set up TLS on the local LDAP, somehow saslauthd fails to
authenticate the password with the Global LDAP.
The admin said that the Global LDAP doesn't support TLS, only SSL.

Basic question...
What's the difference between TLS and SSL in LDAP? I googled, but no clue yet.
 
02-16-2012, 03:58 AM
Jay Leafey

LDAP encryption, not sure.

On 02/15/2012 08:20 PM, Fajar Priyanto wrote:

> Basic question...
> What's the difference between TLS and SSL in LDAP? I googled, but no clue yet.

A plain-old LDAPS (LDAP over SSL) connection starts off from the very
beginning as an SSL connection on port 636. When using LDAP and TLS,
the initial (unencrypted) connection is made to port 389 and the SSL
connection is negotiated on-the-fly. Logically, the unencrypted
connection is made initially, then the client and server start up an SSL
handshake if both ends support it.

The LDAP-over-SSL (LDAPS) method has been deprecated and the preferred
method is LDAP and TLS. The TLS method is no less secure as the only
thing that goes over the wire unencrypted is the SSL handshake.

Just my $.02
--
Jay Leafey - jay.leafey@mindless.com
Memphis, TN

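As an added example (not code from anyone in this thread), a small Python classifier of the first bytes a client sends on an LDAP port. It shows the distinction Jay describes on the wire: LDAPS on 636 is a TLS handshake from the first byte, while a session on 389 opens as a cleartext BER LDAPMessage and is upgraded only if the client's first request is the StartTLS extended operation; a simple bind seen in the clear on 389 is the case a defender wants to flag. The sample byte strings are constructed, not real captures.

```python
# Classify the first bytes a client sends on an LDAP port: LDAPS (636) opens with
# a TLS record, plain LDAP (389) opens with a cleartext BER LDAPMessage, and a
# client that wants encryption on 389 first sends a StartTLS ExtendedRequest.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS operation OID

def _ber_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the BER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_first_bytes(data: bytes) -> str:
    if len(data) < 2:
        return "unknown"
    if data[0] == 0x16 and data[1] == 0x03:  # TLS handshake record from byte one
        return "tls-handshake"               # LDAPS, or a session already upgraded by StartTLS
    if data[0] != 0x30:                      # an LDAPMessage is always a SEQUENCE
        return "unknown"
    try:
        _, body, _ = _ber_tlv(data, 0)
        tag, _, mid_end = _ber_tlv(data, body)          # messageID INTEGER
        if tag != 0x02:
            return "unknown"
        op_tag, op_start, _ = _ber_tlv(data, mid_end)   # protocolOp CHOICE
        if op_tag == 0x77:                               # [APPLICATION 23] ExtendedRequest
            name_tag, s, e = _ber_tlv(data, op_start)    # requestName [0]
            if name_tag == 0x80 and data[s:e] == STARTTLS_OID:
                return "ldap-starttls-request"
            return "ldap-extended-request"
        if op_tag == 0x60:                               # [APPLICATION 0] BindRequest
            _, _, ver_end = _ber_tlv(data, op_start)     # version INTEGER
            _, _, name_end = _ber_tlv(data, ver_end)     # name LDAPDN
            auth_tag, _, _ = _ber_tlv(data, name_end)    # authentication CHOICE
            # [0] simple: the password itself crosses this hop in the clear
            return "ldap-simple-bind-cleartext" if auth_tag == 0x80 else "ldap-sasl-bind"
    except IndexError:
        return "unknown"
    return "ldap-other"

# Constructed sample first-bytes (not real captures) for the three cases.
TLS_CLIENT_HELLO = bytes.fromhex("160301000501000001")          # start of a TLS ClientHello record
STARTTLS_REQ = bytes.fromhex("301d02010177188016") + STARTTLS_OID
SIMPLE_BIND = (bytes.fromhex("302c0201016027020103041a") + b"cn=admin,dc=example,dc=com"
               + bytes.fromhex("8006") + b"secret")
```

Feeding the first segment of each client connection on 389 through classify_first_bytes turns "is the bind encrypted?" into a per-connection answer: only sessions whose first message is the StartTLS request (or that are TLS from the start on 636) carry the password under TLS.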
 
