Predrag Punosevac wrote:
> I am trying to get my head wrapped around securing LDAP so please
> forgive me this n00b question. My final goal is to replace our current
> NFS+NIS with NFS+LDAP+[Kerberos] set up.
>
> I see by default OpenLDAP clients are authenticating via SASL. I also
> see that Kerberos can be used with SASL.
>
> Could somebody point me to a document describing pros and cons of
> Kerberizing SASL on a "secure" network? As described in an earlier e-mail
> I opted for the OpenBSD stock LDAP server and I would use the stock Kerberos
> server.
>
> Thanks,
> Predrag
After many hours of reading the ldapd and ldapd.conf man pages as well as the OpenLDAP documentation I see that the above question doesn't make any sense. I was wondering if somebody could confirm some of the conclusions I came up with.

1. The security of LDAP consists of two unrelated parts:
   a. security of authentication
   b. security of data transfer between the LDAP database and clients

2. From the ldapd man pages I see that ldapd can authenticate users via simple binds or SASL with the PLAIN mechanism. It looks to me that a simple bind against an {SSHA} digest is the safest way to authenticate users, as ldapd only supports SASL with the PLAIN mechanism. Long story short, it looks like Kerberos is not even an option if I go with the built-in ldapd. I would have to use slapd to be able to use Kerberos.

3. Security of data transfer between the LDAP server/database and clients is best achieved using the starttls option in ldapd.conf. This requires creating certificates at least for the server, preferably for clients too. As a matter of fact I have easily been able to create certificates using the easy-rsa tool instead of the more raw vanilla openssl procedure described in the starttls man pages, and to perform ldapsearch with the -ZZ option.

Most Kind Regards,
Predrag
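As an added illustration of point 3 (not part of the thread above), here is a minimal ldapd.conf in the shape of the example shipped with OpenBSD, with the plain listener that the thread is moving away from shown commented out beside the STARTTLS one. The interface name em0, the suffix dc=example,dc=com and the hashed rootpw value are assumptions for the example; the certificate file location (/etc/ldap/certs/<name>.crt and .key, named after the interface) is taken from memory of ldapd.conf(5) and should be checked against the man page of the installed release.

```conf
# ldapd.conf -- added example, assumes interface em0 and suffix dc=example,dc=com
schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"

# Local clients only: loopback and the unix socket never leave the host.
listen on lo0
listen on "/var/run/ldapi"

# Weak: plain LDAP on the network interface. A simple bind on this
# listener sends the user's password in cleartext, whatever hash
# (e.g. {SSHA}) is stored server-side.
# listen on em0

# Corrected: STARTTLS on port 389. ldapd is assumed to load
# /etc/ldap/certs/em0.crt and /etc/ldap/certs/em0.key for this listener.
listen on em0 tls

namespace "dc=example,dc=com" {
	rootdn "cn=admin,dc=example,dc=com"
	# Hashed, not cleartext; PLACEHOLDER_SSHA_HASH stands for a real {SSHA} value.
	rootpw "{SSHA}PLACEHOLDER_SSHA_HASH"
	index sn
	index cn
	index uid
	index mail
}
```

The check that matches this configuration is the one the thread already names: `ldapsearch -ZZ` refuses to proceed unless the STARTTLS negotiation succeeds, so a client pointed at the em0 listener fails closed instead of silently falling back to cleartext. Verifying the server certificate additionally requires the client to trust the CA that easy-rsa produced.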
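To make point 2 concrete, here is an added Python example (my own code, not from the thread or from ldapd) that builds and verifies an {SSHA} userPassword value of the RFC 2307 form that LDAP servers store for simple binds: base64(SHA-1(password || salt) || salt). It also emits the LDIF an administrator would feed to ldapmodify(1) to set such a value. The DN uid=predrag,dc=example,dc=com and the constructed salt are assumptions. The point a practitioner should take from it is that the digest only protects the password at rest; during a simple bind the client still sends the cleartext password, which is why STARTTLS is the other half of the setup.

```python
"""Added example: RFC 2307-style {SSHA} values as used for LDAP simple binds.

Not code from ldapd or the thread; all inputs below are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # size in bytes of a SHA-1 digest; the salt follows it in the blob


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt).

    When no salt is given a fresh 4-byte random salt is drawn, which is
    what makes two users with the same password store different values.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    Recovers the salt from the tail of the decoded blob, recomputes the
    digest and compares in constant time. Malformed values verify as False
    rather than raising, so a corrupt directory entry cannot crash a bind.
    """
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        return False
    try:
        blob = base64.b64decode(stored[len(prefix):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(blob) <= SHA1_LEN:
        return False  # digest with no salt bytes after it: malformed
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_set_password(dn: str, password: str) -> str:
    """LDIF for ldapmodify(1) that replaces userPassword on one entry.

    The hash is computed client-side so the cleartext never needs to be
    stored; the LDIF itself should still only travel over a TLS session.
    """
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {ssha_hash(password)}\n"
    )


if __name__ == "__main__":
    # Constructed sample: fixed salt so the output is reproducible.
    value = ssha_hash("s3cret", salt=b"abcd")
    print(value)
    print("verify correct:", ssha_verify("s3cret", value))
    print("verify wrong:  ", ssha_verify("S3cret", value))
    print(ldif_set_password("uid=predrag,dc=example,dc=com", "s3cret"))
```

Because the stored value is a single unstretched SHA-1 round, an {SSHA} digest is a weak defence against offline guessing if the database is copied; it is a format for storage, not a substitute for protecting the bind itself with TLS.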