TLS authentication


 



Adams Samuel D Contr AFRL/HEDR wrote:
> Haha, I know exactly what you mean!  My workplace is full of "security
> experts" that don't even know what ICMP is.  I could send you some
> results of some serious "ping vulnerabilities" so we all could get a
> good laugh, but I digress.  Knowing how to run an ISS or Nessus scan
> does not necessarily make you a security expert.

Those ping vulnerabilities are the best :-)


> Anyway, should I worry about clients using the LDAP to authenticate
> without TLS?  Do I need to set my directory server such that users can
> authenticate only if they have TLS enabled?

As LDAP is easily decodable with e.g. ethereal, passwords can be 
extracted in plain text. So, yes, I would avoid sending passwords across 
the network in plain text without transport security.

I think that it's easier to configure all of your authentication 
handlers (PAM, web apps, IMAP server, etc.) to use SSL/TLS than it is to 
try to force the LDAP server to only allow TLS users bind privileges...

Configuring PAM to use TLS is really simple. Just put the CA cert in 
/etc/openldap/cacerts, configure /etc/openldap/ldap.conf, configure 
pam_ldap /etc/ldap.conf, and you're done. You can write a fairly small 
shell script to automate the procedure...

BR,
Mike
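
Added example, not part of Mike's message: a small shell audit of the two client files named above, checking that pam_ldap and libldap both encrypt the bind and verify the server certificate. The function names, the host ldap.example.com and the sample configs are constructed for illustration, and requiring an explicit `tls_checkpeer yes` is a policy assumption of this example.

```shell
#!/bin/sh
# Added example: audit pam_ldap and OpenLDAP client configs for TLS settings.

# get_opt FILE KEY: print the last value given for KEY (case-insensitive).
# Commented-out lines never match because their first field is "#...".
get_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# audit_pam_ldap FILE: return 0 only if pam_ldap encrypts and verifies the server.
audit_pam_ldap() {
    rc=0
    case "$(get_opt "$1" ssl),$(get_opt "$1" uri)" in
        start_tls,*|on,*|*,ldaps://*) ;;
        *) echo "$1: no 'ssl start_tls', 'ssl on' or ldaps:// uri"; rc=1 ;;
    esac
    # Policy assumption of this example: insist on an explicit setting.
    [ "$(get_opt "$1" tls_checkpeer)" = yes ] ||
        { echo "$1: tls_checkpeer is not 'yes'"; rc=1; }
    [ -n "$(get_opt "$1" tls_cacertdir)$(get_opt "$1" tls_cacertfile)" ] ||
        { echo "$1: no tls_cacertdir or tls_cacertfile"; rc=1; }
    return "$rc"
}

# audit_openldap FILE: return 0 only if libldap clients have a CA and verify it.
audit_openldap() {
    rc=0
    [ -n "$(get_opt "$1" TLS_CACERTDIR)$(get_opt "$1" TLS_CACERT)" ] ||
        { echo "$1: no TLS_CACERTDIR or TLS_CACERT"; rc=1; }
    case "$(get_opt "$1" TLS_REQCERT)" in
        never|allow) echo "$1: TLS_REQCERT does not enforce verification"; rc=1 ;;
    esac
    return "$rc"
}

# demo: run the pam_ldap audit over two constructed configs (not from the post).
demo() {
    d=$(mktemp -d)
    printf 'uri ldap://ldap.example.com/\n' > "$d/weak.conf"
    printf 'uri ldap://ldap.example.com/\nssl start_tls\ntls_checkpeer yes\ntls_cacertdir /etc/openldap/cacerts\n' > "$d/good.conf"
    w=0; audit_pam_ldap "$d/weak.conf" >/dev/null || w=$?
    g=0; audit_pam_ldap "$d/good.conf" >/dev/null || g=$?
    rm -rf "$d"
    echo "weak=$w good=$g"
}
demo
```

On a real host, call `audit_pam_ldap /etc/ldap.conf` and `audit_openldap /etc/openldap/ldap.conf` instead of `demo`.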



