[Fedora-directory-users] Simple Bind only in secured channel
Dael Maselli
Dael.Maselli at lnf.infn.it
Sun Jun 15 11:20:34 UTC 2008
Well... this is terrible!!!
I _need_ also to support GSSAPI auth, and it doesn't work with SSL!
I don't know so much the LDAP protocol, I though the client asks for
capabilities the server when connect, so if is possible do hide the simple
bind capability in clear channel the clients doesn't try simple bind. No?
Please, give me a hint, my institution is going to migrate all Authentication
and Authorization to a system based on FDS and MIT Kerberos. This would be
a very blocking issue.
Dael.
Michael Ströder, on 15/06/2008 13.03, wrote:
> Dael Maselli wrote:
>> I'm going to explain it better.
>>
>> I don't' want a user enter his credential in an unsecured channel.
>> First I thought to close 389 and allow only 636, but ldaps is now
>> deprecated
>
> Well, most LDAP client software I know of support LDAP over
> pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often
> not supported by client software.
>
>> and so I need to allow also 389, but if the user do simple
>> bind before STARTTLS then credentials will be exposed.
>
> That's the serious drawback of StartTLS ext. op.
>
>> I want something like Sendmail does: no clear text auth is allowed
>> unless the connection is SSL or STARTTLS based.
>
> Not possible. Even if your server rejects the bind request the
> clear-text password is already sent over the wire.
>
> Simply keep using LDAPS.
>
> Ciao, Michael.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
___________________________________________________________________
Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________
Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3000 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20080615/96a3f105/attachment.bin>
More information about the Fedora-directory-users
mailing list