Securing LDAP information on the network
On Mon, 2009-12-14 at 15:01 +0100, Kenneth Holter wrote:
> Hi all.
> We'd like to make sure that the LDAP data on our network is encrypted,
> at least the data that contains sensitive information. We've set up
> TLS between on these communication links:
> * LDAP client <-> LDAP server (using StartTLS)
> * LDAP master <-> LDAP slave
> * Web browser <-> Admin server web console (i.e. https)
> We have a pretty default installation of the directory server (which
> btw is Red Hat Directory Server v8.1.0). To my best knowledge, these
> links above should cover all relevant trafikk on the network, since
> the directory server, admins server and the console are all located on
> the same physical server. Does anyone agree or disagree?
> Btw, if anyone knows of any nice diagrams that shows the different
> data links (i.e information flow) between the directory server
> components (such as admins server, console, main console, directory
> server, and so forth) please do post a link to this.
That's what we've done although we also use LDAPS in some cases. We
have not yet played with disabling unencrypted traffic. If someone does
not request StartTLS or LDAPS, we do respond with unencrypted traffic.
We've also ensured that backups of the database are both sent and stored
encrypted - John
John A. Sullivan III
Open Source Development Corporation
Making Christianity intelligible to secular society
389 users mailing list