LinuxQuestions.org
Old 05-28-2008, 07:19 AM   #1
one71
LQ Newbie
 
Registered: May 2008
Posts: 6

Rep: Reputation: 0
LDAP with "Start TLS" vs SSL


Hello,

I have successfully configured the following servers:
  • Server: OpenLDAP unencrypted ldap port 389
    • Client: LDAP Browser/ldapsearch
    • Client: Apache Server
    • Client: ProFTP Server
  • Server: OpenLDAP encrypted with "true" SSL ldaps port 636
    • Client: LDAP Browser/ldapsearch
    • Client: Apache Server
    • Client: ProFTP Server (does not work)

I would like to try to configure the OpenLDAP server with encryption using Start TLS instead of SSL (to see if it is more compatible with ProFTP).

The problem is that I cannot find any real hints on the internet on how to do it.
Everyone says SSL is old and StartTLS is preferred, but no one spends a word on how to do it.

I mean, suppose you start with a non-encrypted OpenLDAP server. I would like someone to tell me step by step what the configuration steps are and what the differences are between getting the server to work with SSL and with Start TLS. And also, what the difference in use is, seen from the side of a client (Apache or ProFTP).

Please Help.

Thanks.
 
Old 05-28-2008, 02:16 PM   #2
SonJelfn
Member
 
Registered: Aug 2003
Location: Sendai, Japan
Distribution: Slackware, Slackware64, Debian
Posts: 63

Rep: Reputation: 16
Hello,

if you currently have SSL operation working on your OpenLDAP server, it means you also have StartTLS capability operating. What you have to do is make sure your clients understand how to start a StartTLS operation.

Most of the time the configuration of these clients requires that you tell them which server public certificate is accepted (probably by copying it to the local client machine); it should be somewhere on your server.

There really is very little difference between a StartTLS operation and a plain SSL operation on LDAP. The convenience is that you only have one port (389) listening for connections.

Hope that helps.

Good luck.
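The "very little difference" in the reply above is real at the byte level, and seeing it makes the rest of the thread easier to follow. The following is an added example (not code from the thread or from OpenLDAP): it builds the StartTLS ExtendedRequest exactly as an ldap:// client sends it in clear text on port 389, decodes the ExtendedResponse, and shows why an ldaps:// connection looks different from its first byte. The response bytes are constructed here, not captured from a server; all function names are my own.

```python
"""StartTLS vs ldaps at the byte level (RFC 4511).  Added example, not
from the thread.  All message bytes are built here, none are captured."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14.1

# BER tags LDAP uses for these messages (RFC 4511 section 4)
TAG_SEQUENCE      = 0x30   # LDAPMessage / SEQUENCE
TAG_INTEGER       = 0x02   # messageID
TAG_ENUMERATED    = 0x0A   # resultCode
TAG_OCTET_STRING  = 0x04   # matchedDN, diagnosticMessage
TAG_EXTENDED_REQ  = 0x77   # [APPLICATION 23] constructed
TAG_EXTENDED_RESP = 0x78   # [APPLICATION 24] constructed
TAG_REQUEST_NAME  = 0x80   # [0]  inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A   # [10] inside ExtendedResponse


def ber_length(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def start_tls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq { requestName = StartTLS OID } }.
    ldapsearch -Z sends exactly this in clear text on port 389 before the
    TLS handshake; an ldaps:// client starts with the handshake instead."""
    ext = ber_tlv(TAG_EXTENDED_REQ,
                  ber_tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return ber_tlv(TAG_SEQUENCE, ber_tlv(TAG_INTEGER, bytes([message_id])) + ext)


def extended_response(message_id, result_code, diagnostic=""):
    """Build a StartTLS ExtendedResponse.  Used here only to construct
    input; a real client reads these bytes from the socket."""
    result = (ber_tlv(TAG_ENUMERATED, bytes([result_code]))
              + ber_tlv(TAG_OCTET_STRING, b"")                       # matchedDN
              + ber_tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8"))
              + ber_tlv(TAG_RESPONSE_NAME, STARTTLS_OID.encode("ascii")))
    return ber_tlv(TAG_SEQUENCE, ber_tlv(TAG_INTEGER, bytes([message_id]))
                   + ber_tlv(TAG_EXTENDED_RESP, result))


def parse_extended_response(buf):
    """Decode messageID, the LDAPResult fields and the optional responseName."""
    tag, body, _ = ber_read(buf)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read(body)
    tag, resp, _ = ber_read(body, pos)
    if tag != TAG_EXTENDED_RESP:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = ber_read(resp)
    _, _matched, pos = ber_read(resp, pos)
    _, diag, pos = ber_read(resp, pos)
    name = None
    if pos < len(resp):
        tag, val, pos = ber_read(resp, pos)
        if tag == TAG_RESPONSE_NAME:
            name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8"),
            "response_name": name}


def starttls_accepted(resp_bytes, request_id=1):
    """A client may start the TLS handshake only on success (resultCode 0)
    for its own messageID.  ldapsearch -ZZ aborts otherwise; plain -Z carries
    on in clear text, which is the downgrade the thread worries about."""
    r = parse_extended_response(resp_bytes)
    return r["message_id"] == request_id and r["result_code"] == 0


def classify_first_bytes(data):
    """What a listener sees in byte 0: ldaps:// clients open with a TLS
    record (0x16 handshake, 0x03 version); ldap:// clients open with a BER
    SEQUENCE, which may be a StartTLS request or a bind in the clear."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data and data[0] == TAG_SEQUENCE:
        return "ldap"
    return "unknown"


if __name__ == "__main__":
    req = start_tls_request(1)
    print("StartTLS request:", req.hex())
    print("accepted:", parse_extended_response(extended_response(1, 0)))
    # constructed refusal, mirroring slapd's reply to a second StartTLS
    print("refused :", parse_extended_response(
        extended_response(1, 1, "TLS already started")))
    print(classify_first_bytes(bytes.fromhex("160301")), classify_first_bytes(req))
```

The practical point for the thread: on port 389 everything up to and including the StartTLS request and its response travels in the clear, and it is the client that decides to send the request at all and whether a refusal is fatal (`ldapsearch -ZZ`) or silently ignored (`ldapsearch -Z`). On port 636 there is no such decision; the TLS handshake is the first thing on the wire.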
 
Old 06-03-2008, 03:44 AM   #3
one71
LQ Newbie
 
Registered: May 2008
Posts: 6

Original Poster
Rep: Reputation: 0
Hello,

I am still confused.

At the moment I configure LDAP (OpenLDAP) to use SSL, have I simultaneously activated StartTLS as well? Is that so? I do not need ANYTHING else?
This means that, given that both ldap and ldaps are started, depending on how I configure the client I can access the LDAP server as
  • not encrypted on port 389 as ldap
  • encrypted on port 389 as ldap
  • encrypted on port 636 as ldaps

without changing anything on the server configuration!

If this is true, I put the trust in the hands of the client configuration guy as to whether the communication will happen in a secure or insecure way, or am I wrong?
I mean, say I want to force, from the server side, that the communication is encrypted. I do not see a way: to have StartTLS I need port 389 open and ldap running (with SSL I could have only ldaps running and only port 636 open; in this way I have for sure blocked unencrypted ldap connections).

Anyway, say I want to use StartTLS. How do I configure the client to use it?
I take very concrete applications as examples.

Thanks a lot.
 
Old 06-03-2008, 08:34 AM   #4
SonJelfn
Member
 
Registered: Aug 2003
Location: Sendai, Japan
Distribution: Slackware, Slackware64, Debian
Posts: 63

Rep: Reputation: 16
Hello,

the answer is: not exactly. What I'm saying is that if you have SSL support in slapd.conf, you can have a server operating on SSL, in other words an ldaps on port 636, or a normal ldap on port 389 with StartTLS operation enabled, or both.

What server runs on your machine is controlled by the slapd binary with the -h option. For example:

Code:
slapd -h "ldap:// ldaps://"
If your slapd.conf has SSL options loaded, this will launch a StartTLS-capable daemon on port 389 (which is also capable of unencrypted communication) and an SSL-only daemon on port 636.

Under StartTLS you are leaving the security of the system to the clients, because ldap:// is capable of unencrypted communication. If you require SSL-only connections and have no direct control of user applications, load slapd with only the SSL-capable daemon, like so:

Code:
slapd -h ldaps://
I haven't tried ldap connections with any of the programs you wish to use, so I can't really say anything worthwhile. If I have the time I'll look into it.

For now, I hope this helps.

Good luck.
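The setup the replies describe (one slapd with both listeners, the client choosing whether to use StartTLS) and the server-side enforcement asked for in post #3, as an added configuration example. This is not configuration from the thread, and it goes one step beyond the replies: slapd's `security` directive, which the thread does not mention, lets the ldap:// listener stay open for StartTLS while refusing to do anything else in the clear. Hostnames, file paths and the base DN are assumptions.

```conf
########## slapd.conf (server side) ##########
# Certificate material; the paths are assumptions for this example.
TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap.example.com.key

# Server-side enforcement on the ldap:// listener: every operation except
# the StartTLS extended operation itself must arrive over a TLS-protected
# session; anything else is answered with confidentialityRequired
# (resultCode 13) instead of data.  "security ssf=128" is the broader
# variant that accepts any protection of at least 128-bit strength.
security tls=1

########## /etc/openldap/ldap.conf (client side) ##########
# Read by ldapsearch and other programs linked against OpenLDAP's libldap.
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
# CA that signed the server certificate.  Without it the client cannot
# verify the server, and ldapsearch -ZZ fails instead of continuing.
TLS_CACERT  /etc/openldap/certs/ca.crt
TLS_REQCERT demand
```

Start the server with both listeners, `slapd -h "ldap:/// ldaps:///"`, then compare the three client modes from post #3: `ldapsearch -x -ZZ -H ldap://ldap.example.com -b dc=example,dc=com '(objectClass=*)'` negotiates StartTLS on 389 and aborts if the server refuses (a single `-Z` would carry on in clear text); `ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com '(objectClass=*)'` uses 636; and `ldapsearch -x -H ldap://ldap.example.com -b dc=example,dc=com '(objectClass=*)'` with no `-Z` is the clear-text case, which with `security tls=1` in place comes back with resultCode 13 rather than entries. That is the server-side guarantee the original poster wanted without having to close port 389.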
 