Old 10-06-2010, 06:50 PM
Scott Robbins
 

On Wed, Oct 06, 2010 at 06:35:14PM +0200, Mathieu Baudier wrote:


>
> IMHO, the comments in /etc/ldap.conf could be a bit more explicit on
> the 'on' value:

IMNSHO most documentation on LDAP is laughable, and perhaps one of the
main reasons Active Directory has become so much more popular. Say what
you want about MS, but it does seem to me that, at least on the sysadmin
and user side, their documentation is usually quite good, at least
since Windows 2000.

RH in particular has some really poor docs--as mentioned earlier, they
didn't feel it necessary to mention that they'd broken SSL and
TLS.

As the authors of the excellent LDAP for Rocket Scientists page say:

"The bad news is that IOHO never has so much been written so
incomprehensibly about a single topic with the possible exceptions of
BIND."

(That page is at http://www.zytrax.com/books/ldap/)

Might as well spam my own page while at it.

http://home.roadrunner.com/~computertaijutsu/ldap.html

Grouchily yours (and REALLY sick of the low quality of so much Linux
documentation)

--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Gunn: Fair Cordelia. You still savin' my life?
Cordelia: Every minute.
Gunn: How's that workin' out?
Cordelia: You're alive aren't you?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-06-2010, 07:00 PM
 

Scott Robbins wrote:
> On Wed, Oct 06, 2010 at 06:35:14PM +0200, Mathieu Baudier wrote:
>>
>> IMHO, the comments in /etc/ldap.conf could be a bit more explicit on
>> the 'on' value:
>
> IMNSHO most documentation on LDAP is laughable, and perhaps one of the
> main reasons Active Directory has become so much more popular. Say what
> you want about MS, but it does seem to me that, at least on the sysadmin
> and user side, their documentation is usually quite good, at least
> since Windows 2000.
<snip>
> As the authors of the excellent LDAP for Rocket Scientists page say:
>
> "The bad news is that IOHO never has so much been written so
> incomprehensibly about a single topic with the possible exceptions of
> BIND."
>
> (That page is at http://www.zytrax.com/books/ldap/)
<snip>
Well, that's simply *not* true... says the guy who, 20-30 years ago, had
to read IBM mainframe manuals....

mark "this postfix left blank"

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-06-2010, 07:47 PM
Mathieu Baudier
 

> Are you aware that SSL on port 636 is now considered deprecated in favor of
> START_TLS on port 389?

No, I'm not (I actually thought that it was the other way round)

I found it practical to have a port (389 or equivalent) that I could
authorize via iptables only on the local network, and another one
(636 or equivalent) that could be accessed from outside.

What are the pros and cons of both approaches?

Comments more than welcome!
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-06-2010, 09:27 PM
Miguel Medalha
 

>> Are you aware that SSL on port 636 is now considered deprecated in favor of
>> START_TLS on port 389?
> No, I'm not (I actually thought that it was the other way round)
>
> (...)
>
> What are the pros and cons of both approaches?
>
> Comments more than welcome

You can, as an example, consult the Wikipedia article on LDAP. It states:

---------------------------------------------------

StartTLS

The StartTLS operation establishes Transport Layer Security (the
descendant of SSL) on the connection. It can provide data
confidentiality (to protect data from being observed by third parties)
and/or data integrity protection (which protects the data from
tampering). During TLS negotiation the server sends its X.509
certificate to prove its identity. The client may also send a
certificate to prove its identity. After doing so, the client may then
use SASL/EXTERNAL. By using the SASL/EXTERNAL, the client requests the
server derive its identity from credentials provided at a lower level
(such as TLS). Though technically the server may use any identity
information established at any lower level, typically the server will
use the identity information established by TLS.

Servers also often support the non-standard "LDAPS" ("Secure LDAP",
commonly known as "LDAP over SSL") protocol on a separate port, by
default 636. LDAPS differs from LDAP in two ways: 1) upon connect, the
client and server establish TLS before any LDAP messages are transferred
(without a StartTLS operation) and 2) the LDAPS connection must be
closed upon TLS closure.

LDAPS was used with LDAPv2, because the StartTLS operation had not yet
been defined. The use of LDAPS is deprecated, and modern software should
only use StartTLS.

http://en.wikipedia.org/wiki/LDAP

---------------------------------------------------

A quick search will provide plenty of articles about the subject.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
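The StartTLS exchange the quoted Wikipedia text describes, as an added example (not part of the original post): a small Python probe that sends the StartTLS ExtendedRequest over the plain port, reads the server's ExtendedResponse, and only then wraps the socket in TLS. It uses only the standard library; the byte layout follows RFC 4511, and the host and port are whatever you pass in. LDAPS on 636 needs none of this, since there the TLS handshake comes before any LDAP message.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def ber_len(n):
    """BER length octets: short form below 128, else two-octet long form."""
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName StartTLS } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # [0] LDAPOID
    ext = b"\x77" + ber_len(len(name)) + name     # 0x77 = [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext    # INTEGER messageID, then op
    return b"\x30" + ber_len(len(body)) + body    # outer SEQUENCE

def tlv(buf, pos):
    """Decode one BER tag and length; return (tag, value_start, value_end)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                 # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, pos, pos + ln

def parse_result_code(resp):
    """LDAP resultCode of an ExtendedResponse (0 = success, 2 = protocolError)."""
    _, p, _ = tlv(resp, 0)                        # LDAPMessage SEQUENCE
    _, _, p = tlv(resp, p)                        # skip messageID
    tag, p, _ = tlv(resp, p)                      # protocolOp
    if tag != 0x78:                               # 0x78 = [APPLICATION 24]
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, s, e = tlv(resp, p)                        # resultCode ENUMERATED
    return int.from_bytes(resp[s:e], "big")

def starttls_supported(host, port=389, timeout=5):
    """True if the server accepts StartTLS and a verified TLS handshake completes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        resp = sock.recv(4096)
        if not resp or parse_result_code(resp) != 0:
            return False                          # refused, or not plain LDAP
        ctx = ssl.create_default_context()        # verifies cert and hostname
        with ctx.wrap_socket(sock, server_hostname=host):
            return True

if __name__ == "__main__":
    import sys
    print(starttls_supported(sys.argv[1]))
```

A self-signed server certificate makes the handshake raise rather than return True, which is the right failure mode for a check like this; the same verification is what `ldapsearch -ZZ` performs when `TLS_REQCERT` is left at its default.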
 
Old 10-07-2010, 06:59 AM
Mathieu Baudier
 

> A quick search will provide plenty of articles about the subject.

Thanks, I had actually thought of using a search engine (as somebody
put it, part of the fun with configuring OpenLDAP is that you
definitely have to).

What I cannot find (yet) is whether there is a way to require StartTLS
only for external connections and allow it plain on the local network?

The reason why I (think I) need both is that many third party apps on
the server (PHP applications typically) do not easily manage StartTLS.
Meanwhile, having two different ports makes it easier to manage via iptables.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-07-2010, 07:20 AM
Smith Erick Marume-Bahizire
 

Hello

Please, I want help with my CentOS server. I can ping the gateway or my eth1 IP address but I can't browse from
my server. Could you help me with the codes that will enable the network, because I've already configured
my iptables and it's showing me that everything is OK. Please help.

Thank you.

> Date: Wed, 6 Oct 2010 22:27:08 +0100
> From: miguelmedalha@sapo.pt
> To: mbaudier@argeo.org
> CC: centos@centos.org
> Subject: Re: [CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]
>
>
> >> Are you aware that SSL on port 636 is now considered deprecated in favor of
> >> START_TLS on port 389?
> > No, I'm not (I actually thought that it was the other way round)
> >
> > (...)
> >
> > What are the pros and cons of both approaches?
> >
> > Comments more than welcome
>
> You can, as an example, consult the Wikipedia article on LDAP. It states:
>
> ---------------------------------------------------
>
> StartTLS
>
> The StartTLS operation establishes Transport Layer Security (the
> descendant of SSL) on the connection. It can provide data
> confidentiality (to protect data from being observed by third parties)
> and/or data integrity protection (which protects the data from
> tampering). During TLS negotiation the server sends its X.509
> certificate to prove its identity. The client may also send a
> certificate to prove its identity. After doing so, the client may then
> use SASL/EXTERNAL. By using the SASL/EXTERNAL, the client requests the
> server derive its identity from credentials provided at a lower level
> (such as TLS). Though technically the server may use any identity
> information established at any lower level, typically the server will
> use the identity information established by TLS.
>
> Servers also often support the non-standard "LDAPS" ("Secure LDAP",
> commonly known as "LDAP over SSL") protocol on a separate port, by
> default 636. LDAPS differs from LDAP in two ways: 1) upon connect, the
> client and server establish TLS before any LDAP messages are transferred
> (without a StartTLS operation) and 2) the LDAPS connection must be
> closed upon TLS closure.
>
> LDAPS was used with LDAPv2, because the StartTLS operation had not yet
> been defined. The use of LDAPS is deprecated, and modern software should
> only use StartTLS.
>
> http://en.wikipedia.org/wiki/LDAP
>
> ---------------------------------------------------
>
> A quick search will provide plenty of articles about the subject.
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-07-2010, 09:43 AM
Miguel Medalha
 

> The reason why I (think I) need both is that many third party apps on
> the server (PHP applications typically) do not easily manage StartTLS.
> Meanwhile, having two different ports makes it easier to manage via iptables.
>

You can also use StartTLS over the network and LDAPI (connection over
Unix sockets, which are inherently secure) for apps running on the
server. I use it, both with OpenLDAP and 389 Directory Server (a.k.a.
Fedora DS, Red Hat DS).

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
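One way to get what Mathieu asks for (plain LDAP from the LAN, TLS required from anywhere else) while also covering Miguel's LDAPI suggestion for apps on the server itself, as an added OpenLDAP slapd.conf fragment that is not from the thread. It assumes the LAN is 192.168.1.0/24, that slapd listens on both ldap:/// and ldapi:///, and that the suffix and certificate paths are placeholders to replace.

```conf
# OpenLDAP slapd.conf fragment (added example; network, suffix and
# certificate paths are assumed values).

TLSCACertificateFile  /etc/openldap/cacerts/ca.crt
TLSCertificateFile    /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key

# Sessions on the ldapi:// Unix socket are assigned this SSF without TLS
# (default 71). At 128 they satisfy the "ssf=128" rules below, so local
# PHP apps can point at ldapi:/// instead of negotiating StartTLS.
localSSF 128

# A global "security ssf=128" here would also lock out the plaintext LAN
# clients; the per-peer ACLs below keep the split the thread asks for.

database bdb
suffix   "dc=example,dc=com"
rootdn   "cn=manager,dc=example,dc=com"

# Passwords: usable for binds and writable by the owner only from the LAN
# or on a protected (TLS or ldapi) session; never readable by anyone.
# by-clauses are tried in order and the first whose <who> matches decides.
access to attrs=userPassword
    by ssf=128 self write
    by ssf=128 anonymous auth
    by peername.ip=192.168.1.0%255.255.255.0 self write
    by peername.ip=192.168.1.0%255.255.255.0 anonymous auth
    by * none

# Everything else: LAN clients (nss/pam lookups) may read in the clear,
# anyone else only after StartTLS (or over LDAPS while it is still offered).
access to *
    by peername.ip=192.168.1.0%255.255.255.0 read
    by ssf=128 read
    by * none
```

These ACLs can only refuse after the fact: an external client that still attempts a plaintext simple bind has already sent its password across the network before slapd rejects it, so the iptables rules and client-side settings (`ssl start_tls` and `tls_reqcert` in /etc/ldap.conf) discussed in the thread remain necessary. Verify the external path with `ldapsearch -x -H ldap://ldap.example.com -ZZ -b dc=example,dc=com` from outside the LAN; `-ZZ` aborts if StartTLS cannot be negotiated.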
 
Old 10-07-2010, 11:40 AM
Mathieu Baudier
 

> You can also use StartTLS over the network and LDAPI (connection over Unix
> sockets, which are inherently secure) for apps running on the server. I use
> it, both with OpenLDAP and 389 Directory Server (a.k.a. Fedora DS, Red Hat
> DS).

Unfortunately, I have a whole LAN whose user/group/auth management is
centralized with LDAP (each server having different apps).
So I need plain LDAP access on the LAN.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-07-2010, 12:53 PM
ravinder nath rajotiya
 

http://www.christos.ro/mas5.html
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 10-07-2010, 01:13 PM
Ranjan Maitra
 

How did this despicable character get through on a moderated list?
Maybe the moderator can and should write to gmail alerting them to this
spammer so that his account can be withdrawn.

Ranjan

On Thu, 7 Oct 2010 07:53:52 -0500 ravinder nath rajotiya
<ravinder.rajotiya@gmail.com> wrote:

> http://www.christos.ro/mas5.html
> --
> users mailing list
> users@lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
>
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines