Adams Samuel D Contr AFRL/HEDR wrote:

> Haha, I know exactly what you mean! My workplace is full of "security
> experts" that don't even know what ICMP is. I could send you some
> results of some serious "ping vulnerabilities" so we all could get a
> good laugh, but I digress. Knowing how to run an ISS or Nessus scan
> does not necessarily make you a security expert.

Those ping vulnerabilities are the best :-)

> Anyway, should I worry about clients using the LDAP to authenticate
> without TLS? Do I need to set my directory server such that users can
> only authenticate if they have TLS enabled?

As LDAP is easily decodable with e.g. ethereal, passwords can be extracted in plain text. So, yes, I would avoid sending passwords across the network in plain text without transport security.

I think that it's easier to configure all of your authentication handlers (PAM, web apps, IMAP server, etc.) to use SSL/TLS than it is to try to force the LDAP server to only allow TLS users bind privileges...

Configuring PAM to use TLS is really simple. Just put the CA cert in /etc/openldap/cacerts, configure /etc/openldap/ldap.conf, configure pam_ldap /etc/ldap.conf, and you're done. You can write a fairly small shell script to automate the procedure...

BR,
Mike
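The three client-side steps in the reply above (drop the CA cert into /etc/openldap/cacerts, write /etc/openldap/ldap.conf, write pam_ldap's /etc/ldap.conf), as an added shell script that is not part of the thread and not Mike's own script. It assumes the PADL pam_ldap/nss_ldap configuration file format (`ssl start_tls`, `tls_checkpeer`, `tls_cacertdir`) and the OpenLDAP client library format (`URI`, `BASE`, `TLS_CACERTDIR`, `TLS_REQCERT`); the server URI and base DN are constructed placeholders, and the `PREFIX` argument lets you render the files into a scratch directory before touching /etc. It also adds the one step a practitioner usually trips over: a `TLS_CACERTDIR` is only usable after the directory has been hashed (`openssl rehash` or `c_rehash`), and the check function refuses a pam_ldap config that turns TLS on without also verifying the server certificate.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders the LDAP client
# configuration that makes PAM/NSS binds go over TLS and verify the server.
# Assumed layout (OpenLDAP + PADL pam_ldap/nss_ldap):
#   PREFIX/openldap/cacerts/   CA certificate(s), hashed for OpenSSL
#   PREFIX/openldap/ldap.conf  OpenLDAP client library config
#   PREFIX/ldap.conf           pam_ldap / nss_ldap config
# Use PREFIX=/etc on a real host; anything else is a dry run into a scratch dir.
set -eu

# write_ldap_tls_conf PREFIX LDAP_URI BASE_DN [CA_CERT_FILE]
write_ldap_tls_conf() {
    prefix=$1
    uri=$2
    base=$3
    cacert=${4:-}
    cacertdir="$prefix/openldap/cacerts"
    mkdir -p "$cacertdir"

    # Step 1: install the CA certificate. OpenSSL looks certificates up by
    # subject hash, so the directory must be (re)hashed after every change.
    if [ -n "$cacert" ]; then
        cp "$cacert" "$cacertdir/"
        if command -v openssl >/dev/null 2>&1; then
            openssl rehash "$cacertdir" 2>/dev/null \
                || c_rehash "$cacertdir" >/dev/null 2>&1 \
                || echo "warning: could not hash $cacertdir" >&2
        fi
    fi

    # Step 2: OpenLDAP client library config (ldapsearch, ldapwhoami, and
    # pam_ldap all read it). TLS_REQCERT demand = fail the connection if the
    # server certificate does not chain to a CA in TLS_CACERTDIR.
    cat > "$prefix/openldap/ldap.conf" <<EOF
URI $uri
BASE $base
TLS_CACERTDIR $cacertdir
TLS_REQCERT demand
EOF

    # Step 3: pam_ldap / nss_ldap config. "ssl start_tls" upgrades the plain
    # ldap:// session with STARTTLS before any bind is sent; tls_checkpeer yes
    # rejects a server whose certificate cannot be verified.
    cat > "$prefix/ldap.conf" <<EOF
uri $uri
base $base
ssl start_tls
tls_checkpeer yes
tls_cacertdir $cacertdir
EOF
}

# requires_tls FILE: succeed only if a pam_ldap config both enables TLS
# (start_tls or ldaps "on") and verifies the server certificate. A file with
# "ssl start_tls" but "tls_checkpeer no" still leaks the bind password to
# anyone who can impersonate the server, so it is rejected here.
requires_tls() {
    grep -Eq '^ssl[[:space:]]+(start_tls|on)[[:space:]]*$' "$1" \
        && grep -Eq '^tls_checkpeer[[:space:]]+yes[[:space:]]*$' "$1"
}

# Stand-alone demo: dry run into a scratch directory, never /etc.
demo_dir=$(mktemp -d)
write_ldap_tls_conf "$demo_dir" "ldap://ldap.example.com/" "dc=example,dc=com"
echo "rendered pam_ldap config in $demo_dir/ldap.conf:"
cat "$demo_dir/ldap.conf"
if requires_tls "$demo_dir/ldap.conf"; then
    echo "OK: binds will use TLS and verify the server"
fi
```

Run it as `PREFIX=/etc` only after the dry run looks right, and keep in mind that it only hardens the clients you run it on; a client that is not configured this way still binds in the clear unless the directory server itself refuses non-TLS binds.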