LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-14-2008, 01:15 AM   #1
kenneho
Member
 
Registered: May 2003
Location: Oslo, Norway
Distribution: Ubuntu, Red Hat Enterprise Linux
Posts: 655

Rep: Reputation: 40
Verifying that TLS is used when contacting LDAP server


Hi.


I've set up our LDAP server and clients to use TLS. But how can I verify that the client in fact is using TLS when contacting the LDAP server?

I know that the LDAP server speaks "plain" LDAP on port 389, while speaking LDAPS on port 636. To check if the LDAP client talked on port 389 I blocked this port on the server, which caused the connection to fail. This may indicate that the client talk to this port, but I'm not sure if this is normal behavior even when it's supposed to use TLS.

Any thoughts anyone?
 
Old 05-14-2008, 03:28 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
With an ssl / tls connection port 389 will never be used.
 
Old 05-14-2008, 03:47 AM   #3
kenneho
Member
 
Registered: May 2003
Location: Oslo, Norway
Distribution: Ubuntu, Red Hat Enterprise Linux
Posts: 655

Original Poster
Rep: Reputation: 40
Quote:
Originally Posted by acid_kewpie View Post
With an ssl / tls connection port 389 will never be used.
That's what I thought also, but then there's "Start TLS" which can initate TLS on "insecure" ports. Can it be that the client issues a "Start TLS" on 389 instead of using port 636?
 
Old 05-14-2008, 04:13 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
you know what... I stand partially corrected - you should actually prefer startTLS over ldaps by all accounts... http://www.openldap.org/faq/data/cache/605.html

so if it is over 389 you can use tcpdump / wireshark to see the data and watch for the tls session negotiation. should also be present in the ldap logs though.
 
Old 05-14-2008, 08:23 AM   #5
kenneho
Member
 
Registered: May 2003
Location: Oslo, Norway
Distribution: Ubuntu, Red Hat Enterprise Linux
Posts: 655

Original Poster
Rep: Reputation: 40
Quote:
Originally Posted by acid_kewpie View Post
you know what... I stand partially corrected - you should actually prefer startTLS over ldaps by all accounts... http://www.openldap.org/faq/data/cache/605.html

so if it is over 389 you can use tcpdump / wireshark to see the data and watch for the tls session negotiation. should also be present in the ldap logs though.

I've analyzed the LDAP access log, and it looks like the client connects to port 389 using Start TLS. It would be nice to confirm this by dumping the network traffic, though. I guess wireshark can be used for such, but I would like to use any native Red Hat tools if any. Do you know of some such tools?
 
Old 05-14-2008, 08:28 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
not to pull apart IP traffic to that extent, no, there's nothing, and really not supposed to be... tcpdump may show you enough data, you should be able to read unencrypted data, so if you dump the raw data and it's readable...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LDAP connection problems after enabling TLS kenneho Linux - Software 3 05-13-2008 06:04 AM
TLS in phpLDAPadmin can not connect to LDAP server. nui Linux - Software 0 12-28-2006 08:22 PM
Ldap replication using TLS/SSL jitender.rajpal Linux - Networking 0 10-18-2006 07:59 AM
password change over LDAP works only if TLS is disabled cyrilrip Linux - General 2 06-02-2005 01:26 AM
LDAP TLS lockups blueplazma Linux - Software 2 04-23-2005 01:48 PM


All times are GMT -5. The time now is 09:51 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration