Re: TLS authentication

Adams Samuel D Contr AFRL/HEDR wrote:
> Haha, I know exactly what you mean!  My workplace is full of "security
> experts" that don't even know what ICMP is.  I could send you some
> results of some serious "ping vulnerabilities" so we all could get a
> good laugh, but I digress.  Knowing how to run an ISS or Nessus scan
> does not necessarily make you a security expert.

Those ping vulnerabilities are the best :-)


> Anyway, should I worry about clients using the LDAP to authenticate
> without TLS?  Do I need to set my directory server such that users can
> only authenticate if they have TLS enabled?

As LDAP is easily decodable with e.g. ethereal, passwords can be extracted in plain text. So, yes, I would avoid sending passwords across the network in plain text without transport security.

I think that it's easier to configure all of your authentication handlers (PAM, web apps, IMAP server, etc) to use SSL/TLS than it is to try to force the LDAP server to only allow TLS users bind privileges...

Configuring PAM to use TLS is really simple. Just put the CA cert in /etc/openldap/cacerts, configure /etc/openldap/ldap.conf, configure pam_ldap /etc/ldap.conf, and you're done. You can write a fairly small shell script to automate the procedure...

BR,
Mike

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
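The client-side setup Mike sketches (CA cert into /etc/openldap/cacerts, then /etc/openldap/ldap.conf and pam_ldap's /etc/ldap.conf) written up as the small shell script he mentions. This is an added example, not code from the thread; the hostname, base DN and the optional install-prefix argument are assumptions, and it goes slightly beyond the message by also making both configs verify the server certificate (TLS_REQCERT demand, tls_checkpeer yes) so the client refuses to bind to a server whose certificate does not validate.

```shell
#!/bin/sh
# Added example (not from the thread): automate the client-side steps Mike
# describes so pam_ldap/nss_ldap and the OpenLDAP tools bind over StartTLS
# and verify the server certificate against a trusted CA.
# Assumed inputs: the CA certificate file, the directory URI and base DN.
# The fourth argument is a hypothetical install prefix so the script can be
# exercised in a scratch directory; pass "" (the default) on a real host.
set -eu

configure_ldap_tls() {
    ca_cert="$1"      # path to the CA certificate (PEM)
    ldap_uri="$2"     # e.g. ldap://ds.example.com (StartTLS upgrades it)
    base_dn="$3"      # e.g. dc=example,dc=com
    root="${4:-}"     # install prefix, "" on a real host

    cacerts="$root/etc/openldap/cacerts"
    mkdir -p "$cacerts"
    cp "$ca_cert" "$cacerts/ca.crt"
    # OpenSSL-style cert directories are searched by subject-hash symlink;
    # create it when openssl is available and the certificate parses.
    if subj_hash=$(openssl x509 -noout -hash -in "$cacerts/ca.crt" 2>/dev/null); then
        ln -sf ca.crt "$cacerts/$subj_hash.0"
    fi

    # Client library config (ldapsearch, libldap). TLS_REQCERT demand makes
    # the client abort the bind if the server certificate does not verify.
    cat > "$root/etc/openldap/ldap.conf" <<EOF
URI $ldap_uri
BASE $base_dn
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
EOF

    # pam_ldap / nss_ldap config: "ssl start_tls" upgrades the connection
    # before the password is sent; tls_checkpeer yes rejects an unverified peer.
    cat > "$root/etc/ldap.conf" <<EOF
uri $ldap_uri
base $base_dn
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
EOF
    chmod 644 "$root/etc/openldap/ldap.conf" "$root/etc/ldap.conf"
}

# Returns 0 when the pam_ldap config at $1 demands StartTLS and peer checking.
pam_ldap_requires_tls() {
    grep -q '^ssl start_tls$' "$1" && grep -q '^tls_checkpeer yes$' "$1"
}
```

Run it as root with an empty prefix, e.g. `configure_ldap_tls /root/ca.pem ldap://ds.example.com dc=example,dc=com`, then check with `ldapsearch -ZZ -x` that the StartTLS bind succeeds.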