[Fedora-directory-users] TLS authentication

Mike Jackson mj at sci.fi
Tue Aug 8 20:25:58 UTC 2006


Adams Samuel D Contr AFRL/HEDR wrote:
> Haha, I know exactly what you mean!  My workplace is full of "security
> experts" that don't even know what ICMP is.  I could send you some
> results of some serious "ping vulnerabilities" so we all could get a
> good laugh, but I digress.  Knowing how to run an ISS or Nessus scan
> does not necessarily make you a security expert.

Those ping vulnerabilities are the best :-)


> Anyway, should I worry about clients using the LDAP to authenticate
> without TLS?  Do I need to set my directory server such that users can
> only authenticate if they have TLS enabled?

As LDAP is easily decodable with e.g. ethereal, passwords can be 
extracted in plain text. So, yes, I would avoid sending passwords across 
the network in plain text without transport security.

I think that it's easier to configure all of your authentication 
handlers (PAM, web apps, IMAP server, etc) to use SSL/TLS than it is to 
try to force the LDAP server to only allow TLS users bind privileges...

Configuring PAM to use TLS is really simple. Just put the CA cert in 
/etc/openldap/cacerts, configure /etc/openldap/ldap.conf, configure 
pam_ldap /etc/ldap.conf, and you're done. You can write a fairly small 
shell script to automate the procedure...

BR,
Mike
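The client-side setup Mike sketches (CA cert into /etc/openldap/cacerts, then /etc/openldap/ldap.conf and pam_ldap's /etc/ldap.conf) as a small script. This is an added example, not code from the original post; it writes under a root directory you pick so the result can be reviewed before it touches the real /etc, and the hostname, base DN and certificate path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate the two client-side
# files the reply mentions, under ROOT so they can be inspected before being
# copied to the real /etc. Host, base DN and CA path are placeholders.
set -eu

# Usage: write_ldap_tls_client ROOT LDAP_HOST BASE_DN CA_CERT_FILE
write_ldap_tls_client() {
    root=$1; host=$2; base=$3; cacert=$4
    certdir="$root/etc/openldap/cacerts"
    mkdir -p "$certdir"

    # 1. CA certificate. With TLS_CACERTDIR the OpenSSL-based client also
    #    needs hash symlinks in this directory: run c_rehash on it afterwards.
    cp "$cacert" "$certdir/ldap-ca.pem"

    # 2. /etc/openldap/ldap.conf: OpenLDAP client library (ldapsearch etc.).
    cat > "$root/etc/openldap/ldap.conf" <<EOF
URI ldap://$host
BASE $base
TLS_CACERTDIR /etc/openldap/cacerts
# Refuse to talk to a server whose certificate does not validate.
TLS_REQCERT demand
EOF

    # 3. /etc/ldap.conf: pam_ldap / nss_ldap. "ssl start_tls" upgrades the
    #    port 389 session with StartTLS before any bind (password) is sent.
    cat > "$root/etc/ldap.conf" <<EOF
uri ldap://$host
base $base
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
EOF
}

# Returns 0 only when the generated config insists on a validated TLS session.
config_requires_tls() {
    grep -q '^ssl start_tls$' "$1/etc/ldap.conf" &&
    grep -q '^tls_checkpeer yes$' "$1/etc/ldap.conf" &&
    grep -q '^TLS_REQCERT demand$' "$1/etc/openldap/ldap.conf"
}

# Demo against a scratch root with a constructed placeholder "CA file".
demo_root=$(mktemp -d)
printf 'placeholder, not a real certificate\n' > "$demo_root/ca.pem"
write_ldap_tls_client "$demo_root" ldap.example.com dc=example,dc=com "$demo_root/ca.pem"
config_requires_tls "$demo_root" && echo "config in $demo_root requires TLS"
# Live check against a real server: -ZZ makes ldapsearch fail unless StartTLS
# succeeds, so a silent plaintext fallback cannot go unnoticed.
# ldapsearch -ZZ -x -H ldap://ldap.example.com -b dc=example,dc=com -s base
```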