Simple Bind only in secured channel

Well... this is terrible!!!

I also _need_ to support GSSAPI auth, and it doesn't work with SSL!

I don't know the LDAP protocol very well. I thought the client asks the
server for its capabilities when it connects, so if it is possible to hide the
simple bind capability on the clear channel, the clients won't try simple bind. No?

Please, give me a hint, my institution is going to migrate all Authentication
and Authorization to a system based on FDS and MIT Kerberos. This would be
a very blocking issue.

Dael.


Michael Ströder, on 15/06/2008 13.03, wrote:
> Dael Maselli wrote:
>> I'm going to explain it better.
>>
>> I don't want a user to enter his credentials in an unsecured channel.
>> First I thought to close 389 and allow only 636, but ldaps is now
>> deprecated
> 
> Well, most LDAP client software I know of supports LDAP over a
> pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often
> not supported by client software.
> 
>> and so I need to allow also 389, but if the user does a simple
>> bind before STARTTLS then credentials will be exposed.
> 
> That's the serious drawback of StartTLS ext. op.
> 
>> I want something like Sendmail does: no clear text auth is allowed
>> unless the connection is SSL or STARTTLS based.
> 
> Not possible. Even if your server rejects the bind request the 
> clear-text password is already sent over the wire.
> 
> Simply keep using LDAPS.
> 
> Ciao, Michael.
> 

-- 
___________________________________________________________________

Dael Maselli  ---  INFN-LNF Computing Service  --  +39.06.9403.2214
___________________________________________________________________

Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________
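
Added example, not part of the original messages: a small BER walker over the client-to-server bytes of a port 389 connection, showing that a simple bind carries the password in the BindRequest itself, while a SASL bind such as GSSAPI carries only a mechanism name and token, and a StartTLS request ends the readable part of the stream. The function names, DN and password are constructed for illustration; only definite-length BER is handled.

```python
# Added example: classify client->server LDAP PDUs seen in the clear on port 389.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)

def tlv(tag, value):  # encode one BER element, short-form length (samples are < 128 bytes)
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode one definite-length BER element -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def audit_client_stream(stream):
    """Return (kind, bind DN, detail) events for the plaintext part of the stream."""
    events, pos = [], 0
    while pos < len(stream) and stream[pos] == 0x30:   # each LDAPMessage is a SEQUENCE
        _, msg, pos = read_tlv(stream, pos)
        _, _, p = read_tlv(msg, 0)                     # skip messageID
        op_tag, op, _ = read_tlv(msg, p)
        if op_tag == 0x77:                             # ExtendedRequest [APPLICATION 23]
            name_tag, name, _ = read_tlv(op, 0)
            if name_tag == 0x80 and name == STARTTLS_OID:
                events.append(("starttls", "", ""))
                break                                  # TLS records follow, nothing more to read
        elif op_tag == 0x60:                           # BindRequest [APPLICATION 0]
            _, _, q = read_tlv(op, 0)                  # skip version
            _, dn, q = read_tlv(op, q)
            auth_tag, auth, _ = read_tlv(op, q)
            if auth_tag == 0x80 and auth:              # simple [0]: the password octets as typed
                events.append(("cleartext-simple-bind", dn.decode(), len(auth)))
            elif auth_tag == 0xA3:                     # sasl [3]: mechanism name, then token
                _, mech, _ = read_tlv(auth, 0)
                events.append(("sasl-bind", dn.decode(), mech.decode()))
    return events

def bind(msg_id, dn, auth):  # build a constructed LDAPv3 BindRequest
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + auth
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

DN = b"uid=alice,dc=example,dc=com"        # constructed sample data from here on
SIMPLE = bind(1, DN, tlv(0x80, b"constructed-pw"))
GSSAPI = bind(1, b"", tlv(0xA3, tlv(0x04, b"GSSAPI") + tlv(0x04, b"\x60\x00")))
STARTTLS_FIRST = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x77, tlv(0x80, STARTTLS_OID))) + b"\x16\x03\x01"
```

Run over reassembled client-side payloads from a capture, a `cleartext-simple-bind` event identifies clients that need to be moved to LDAPS or fixed to issue StartTLS before binding.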


