[Freeipa-devel] LDAP TLS issues

Rob Crittenden rcritten at redhat.com
Fri Nov 9 22:13:07 UTC 2007


John Dennis wrote:
> I need to set up attribute encryption for some of the radius data in the 
> directory server. Attribute encryption only works if the connection is 
> secure. So I tried to enable TLS in the radius LDAP module, but I'm 
> having problems, perhaps someone could shed some light...
> 
> 1) ldap_start_tls() it's failing because the certificate is self signed. 
> I believe this can be fixed in one of two ways
> 
> a) add the certificate the ds instance was signed with to the CA used by 
> the client, but where is that certificate?
> 
> b) configure ldap to accept self signed certificates via
> ldap_int_tls_config(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, "allow");
> 
> That works, but overriding certificate verification seems like a bad idea.

You can import the cert from /usr/share/ipa/cacert.asc

> 2) If TLS is enabled then the GSSAPI SASL bind fails. Is GSSAPI SASL 
> incompatible with TLS? Or is there a specific sequence when using the 
> two together which has to be followed?
> 
> 3) The DS Admin guide says you can also use GSSAPI for secure transport 
> if you're using SASL. Well, I'm doing a GSSAPI SASL bind, does that mean 
> I'm getting a secure transport in the process or do I have to enable 
> that and if so how?

IIRC you can't do GSSAPI over SSL with FDS. But the link is encrypted by 
the SASL connection anyway so it isn't in the clear. I tested this the 
hard way by using ssltap as a proxy between my client and the ldap 
server. Thank goodness for 'reset' :-)

If SSL is an absolute requirement then perhaps we can do something with 
client authentication. The problem is that the more certs we issue the 
more we need to keep track of when expiration time rolls around. Not a 
huge problem but just another thing to remember to do.

rob
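As an added example (not code from the thread): a small POSIX shell audit for the OpenLDAP client configuration (ldap.conf or ldaprc, which every libldap-based client, the radius module included, reads), flagging the TLS_REQCERT override from point 1 and writing a replacement that trusts the IPA CA certificate path given in the reply. Assumptions: standard ldap.conf keywords TLS_REQCERT and TLS_CACERT; the host in the URI line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an OpenLDAP client config for the
# certificate-verification override and writes a hardened replacement.
# Assumption: standard ldap.conf keywords (TLS_REQCERT, TLS_CACERT); the CA
# path is the one quoted in the reply, the URI host is a placeholder.

IPA_CACERT=/usr/share/ipa/cacert.asc

# Print the last value of a keyword (case-insensitive) from a config file;
# comment lines start with '#' and so never match on $1.
conf_value() {
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { print v }' "$1"
}

# Succeed only when the client will refuse an unverifiable server certificate:
# TLS_REQCERT must be demand/hard (or unset, which libldap treats as demand)
# AND a CA file must be configured so that verification can actually pass.
tls_reqcert_is_strict() {
    reqcert=$(conf_value "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(conf_value "$1" TLS_CACERT)
    case "$reqcert" in
        never|allow|try) return 1 ;;      # the override from point 1 above
        demand|hard|'')  [ -n "$cacert" ] ;;
        *)               return 1 ;;
    esac
}

# Write a config that trusts the IPA CA instead of disabling verification.
write_hardened_conf() {
    cat > "$1" <<EOF
URI ldap://ipa.example.com
TLS_CACERT $IPA_CACERT
TLS_REQCERT demand
EOF
}

# Stand-alone use: pass the path of an ldap.conf/ldaprc to audit.
if [ -n "$1" ]; then
    if tls_reqcert_is_strict "$1"; then
        echo "$1: server certificate verification is enforced"
    else
        echo "$1: verification weakened or no CA file configured"
    fi
fi
```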