Posted to commits@directory.apache.org by bu...@apache.org on 2017/01/24 13:03:34 UTC

svn commit: r1005487 - in /websites/staging/directory/trunk/content: ./ api/user-guide/5-ldap-security.html api/user-guide/5.1-ldaps.html

Author: buildbot
Date: Tue Jan 24 13:03:33 2017
New Revision: 1005487

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/api/user-guide/5-ldap-security.html
    websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Jan 24 13:03:33 2017
@@ -1 +1 @@
-1778729
+1780072

Modified: websites/staging/directory/trunk/content/api/user-guide/5-ldap-security.html
==============================================================================
--- websites/staging/directory/trunk/content/api/user-guide/5-ldap-security.html (original)
+++ websites/staging/directory/trunk/content/api/user-guide/5-ldap-security.html Tue Jan 24 13:03:33 2017
@@ -185,10 +185,7 @@
 h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
 <h1 id="5-ldap-security">5 - LDAP Security<a class="headerlink" href="#5-ldap-security" title="Permanent link">&para;</a></h1>
 <p><strong>LDAP</strong> databases store critical information that must be kept secure.  The <strong>Apache LDAP API</strong> can access the data securely while in flight but can't protect it while at rest -- that's for the database system itself to do.</p>
-<p>Generally speaking when it comes to securing a system, we are addressing the three <strong>A</strong>s:
-<em> Authentication
-</em> Authorization
-* Auditing</p>
+<p>Generally speaking when it comes to securing a system, we are addressing the three <strong>A</strong>s: Authentication, Authorization and Auditing.</p>
 <p>The only aspect we will focus on is the <strong>Authentication</strong> part, because the <strong>LDAP</strong> protocol does not address the other two, when it comes to an <strong>API</strong>. We will talk about authorization a little bit in the last chapter.</p>
 <p>Another aspect of security is encryption:
 - securing the communication between the client and the server
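Review bot: The "three As" paragraph is fixed, but the same Markdown-list-inside-a-paragraph problem that produced the stray <em> tags survives two lines below in the unchanged context, where "- securing the communication between the client and the server" sits as a dash-list inside a <p>; it should either become a real <ul> or be folded into the sentence the same way. Also, "Generally speaking when it comes to securing a system" wants a comma after "speaking".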

Modified: websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html
==============================================================================
--- websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html (original)
+++ websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html Tue Jan 24 13:03:33 2017
@@ -187,10 +187,10 @@ h2:hover > .headerlink, h3:hover > .head
 <p><strong>LDAP</strong> supports <strong>SSL</strong>, it's called <strong>LDAPS</strong>, and it uses a dedicated port. As of today, and since 2000, <strong>LDAPS</strong> is deprecated and <strong>StartTLS</strong> should be used.</p>
 <p>That being said, many servers accept <strong>LDAPS</strong>, and the <strong>Apache LDAP API</strong> supports it.</p>
 <h2 id="how-does-it-work">How does it work ?<a class="headerlink" href="#how-does-it-work" title="Permanent link">&para;</a></h2>
-<p>The <strong>SSL</strong> protocol ensures that data are transmitted encrypted, and guarantees that the data being received are valid. Nobody can capture those data and read them, assuming the ciphers being used are strong enough.</p>
-<p>With <strong>SSL</strong>, a dialog between the client and the server occurs, and when both part agree on the cipher to use, then all subsequent data is encrypted. This dialog may include a mutual validation. </p>
+<p>The <strong>SSL</strong> protocol ensures that data is transmitted encrypted, and guarantees that the data received is valid. Noone can capture this data and read it, assuming the ciphers used are of sufficient strength.</p>
+<p>With <strong>SSL</strong>, a dialog between the client and the server occurs, and when both agree on the particular cipher to use, then all subsequent data is encrypted. This dialog may include a mutual validation of their X.509 certificates. </p>
 <h2 id="protocols">Protocols<a class="headerlink" href="#protocols" title="Permanent link">&para;</a></h2>
-<p>There are many version that can be used, but the idea is to use tha most recent one, if the server supports it. In any case, as we depend on <strong>Java</strong>, we are also limited by the supported version on the client side. Here are all the existing version, and their status :</p>
+<p>There are many version that can be used, but the idea is to use the most recent one, if the server supports it. In any case, as we depend on <strong>Java</strong>, we are also limited by the supported version on the client side. Here are all of the existing versions, and their statuses:</p>
 <table class="table">
 <thead>
 <tr>
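Review bot: In the rewritten "How does it work" paragraph, "Noone" should be "No one", and "There are many version that can be used" in the Protocols paragraph still needs "versions". More substantively, the sentence promises confidentiality "assuming the ciphers used are of sufficient strength", but that guarantee also depends on the client validating the server's certificate during the "mutual validation of their X.509 certificates" the next sentence mentions; since this same page later states that by default the server's certificate is not verified, a qualifying clause here (for example "and the server's certificate is verified") would keep the two sections consistent.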
@@ -239,11 +239,11 @@ h2:hover > .headerlink, h3:hover > .head
 </tr>
 </tbody>
 </table>
-<p>(<em>Disabled</em> mean it's not active by default, and must be activated explicitely).</p>
-<p>The default is for Java to pick the one that fits, assuming that it will always start with the newest version (<strong>TLSv1.2</strong>).</p>
-<p>Still, you can enforce the version if needed.</p>
+<p>(<em>Disabled</em> means it's not active by default, and so must be activated explicitly).</p>
+<p>The default is Java will choose the best fit, assuming that it always starts with the newest version (<strong>TLSv1.2</strong>).</p>
+<p>Still, you can enforce the version used -- if needed.</p>
 <h2 id="a-quick-primer">A quick primer<a class="headerlink" href="#a-quick-primer" title="Permanent link">&para;</a></h2>
-<p>Here is all what you need to get a <strong>LDAPS</strong> connection established with a server :</p>
+<p>Here is all that is needed to get <strong>LDAPS</strong> connections established with a server :</p>
 <div class="codehilite"><pre>    <span class="k">try</span> <span class="p">(</span> <span class="n">LdapConnection</span> <span class="n">connection</span> <span class="p">=</span> <span class="n">new</span> <span class="n">LdapNetworkConnection</span><span class="p">(</span> &quot;<span class="n">server</span><span class="o">-</span><span class="n">name</span>&quot;<span class="p">,</span> 636<span class="p">,</span> <span class="n">true</span> <span class="p">)</span> <span class="p">)</span>
     <span class="p">{</span>
         <span class="n">connection</span><span class="p">.</span><span class="n">bind</span><span class="p">(</span> &quot;<span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot;<span class="p">,</span> &quot;<span class="n">secret</span>&quot; <span class="p">);</span>
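Review bot: "The default is Java will choose the best fit" reads awkwardly; "By default, Java chooses the best fit" or "The default is for Java to choose the best fit" would do. "enforce the version used -- if needed" does not need the dash ("you can enforce the version used, if needed"), and the primer lead-in still carries the space before the colon ("with a server :") that the other hunks remove.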
@@ -253,8 +253,8 @@ h2:hover > .headerlink, h3:hover > .head
 </pre></div>
 
 
-<p>This is as simple as that ! The <strong>636* port is the default </strong>LDAPS<strong> port for standard </strong>LDAP<strong> servers, when running as </strong>root<strong>, and for </strong>ApacheDS<strong> you will have to pick </strong>10636<strong>. The </strong>true** flag is set to secure the connection. You don't need to close the connection, it will be done automatically when exiting the try{...} block.</p>
-<p>By default, the selected protocol is <strong>TLS</strong>, and we wont verify the server's certificate.</p>
+<p>It's as simple as that! The <strong>636</strong> port is the default <strong>LDAPS</strong> port for standard <strong>LDAP</strong> servers, when running as <strong>root</strong>, and for <strong>ApacheDS</strong> you must pick <strong>10636</strong>. The <strong>true</strong> flag is set to secure the connection. You don't need to close the connection, it will be done automatically upon exiting the try{...} block.</p>
+<p>By default, the selected protocol is <strong>TLS</strong>, and the server's certificate is not verified.</p>
 <h2 id="a-more-sophisticated-sample">A more sophisticated sample<a class="headerlink" href="#a-more-sophisticated-sample" title="Permanent link">&para;</a></h2>
 <p>It's possible to have more control on the <strong>SSL</strong> configuration, and specifically to provide a specific <strong>TrustManager</strong> :</p>
 <div class="codehilite"><pre>    <span class="k">try</span> <span class="p">(</span> <span class="n">LdapConnection</span> <span class="n">connection</span> <span class="p">=</span> <span class="n">new</span> <span class="n">LdapNetworkConnection</span><span class="p">(</span> <span class="n">Network</span><span class="p">.</span><span class="n">LOOPBACK_HOSTNAME</span><span class="p">,</span> <span class="n">getLdapServer</span><span class="p">().</span><span class="n">getPortSSL</span><span class="p">(),</span> 
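Review bot: "The 636 port is the default LDAPS port" is better as "Port 636 is the default LDAPS port", and "You don't need to close the connection, it will be done automatically" is a comma splice (use ";" or "because"). The last paragraph now states plainly that the server's certificate is not verified by default; since the primer code above then sends a bind password over that connection, the paragraph should say that this default is only appropriate for testing and point the reader to the TrustManager section that follows for verifying the server's identity.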
@@ -268,18 +268,18 @@ h2:hover > .headerlink, h3:hover > .head
 </pre></div>
 
 
-<p>Here, we use the <em>NoVerificationTrustManager</em> class, but you can define your own implementation. The <strong>Fortress</strong> project is using <a href="https://github.com/apache/directory-fortress-core/blob/master/src/main/java/org/apache/directory/fortress/core/ldap/LdapClientTrustStoreManager.java">this class</a>.</p>
+<p>Here, we use the <em>NoVerificationTrustManager</em> class, but you may define your own implementation of it. The <strong>Fortress</strong> project uses <a href="https://github.com/apache/directory-fortress-core/blob/master/src/main/java/org/apache/directory/fortress/core/ldap/LdapClientTrustStoreManager.java">this class</a>.</p>
 <h2 id="using-a-configuration">Using a configuration<a class="headerlink" href="#using-a-configuration" title="Permanent link">&para;</a></h2>
-<p>One step further : you can define a dediated configuration that is passed to the constructor. Many parameters can be defined :</p>
+<p>One step further : you can define a dedicated configuration that is passed to the constructor. Many parameters can be defined:</p>
 <ul>
-<li>the enabled cipher suites : a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", etc)</li>
-<li>the enabled protocols : a list of protocals that may be used ( "SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2")</li>
+<li>the enabled cipher suites: a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", etc)</li>
+<li>the enabled protocols: a list of protocals that may be used ( "SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2")</li>
 <li>the KeyManager instances</li>
 <li>the SecureRandom instance</li>
-<li>the SSL protocol to use : one of the enabled protocols</li>
+<li>the SSL protocol to use: one of the enabled protocols</li>
 <li>the TrustManager instances</li>
 </ul>
-<p>All those parameters are configured using the <em>LdapConnectionConfig</em> class :</p>
+<p>All these parameters are configured using the <em>LdapConnectionConfig</em> class :</p>
 <div class="codehilite"><pre>    <span class="n">LdapConnectionConfig</span> <span class="n">sslConfig</span> <span class="p">=</span> <span class="n">new</span> <span class="n">LdapConnectionConfig</span><span class="p">();</span>
     <span class="n">sslConfig</span><span class="p">.</span><span class="n">setLdapHost</span><span class="p">(</span> <span class="n">Network</span><span class="p">.</span><span class="n">LOOPBACK_HOSTNAME</span> <span class="p">);</span>
     <span class="n">sslConfig</span><span class="p">.</span><span class="n">setUseSsl</span><span class="p">(</span> <span class="n">true</span> <span class="p">);</span>
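Review bot: "protocals" in the enabled-protocols bullet is still misspelled, and two lead-in sentences keep the space before the colon ("One step further :", "LdapConnectionConfig class :") that this hunk removes from the bullets. "your own implementation of it" is also off, since what one implements is a TrustManager, not NoVerificationTrustManager; "your own TrustManager implementation" is clearer.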
@@ -297,12 +297,12 @@ h2:hover > .headerlink, h3:hover > .head
 
 
 <h2 id="ldaps-or-starttls">LDAPS or startTLS ?<a class="headerlink" href="#ldaps-or-starttls" title="Permanent link">&para;</a></h2>
-<p>The important point to understand with <strong>LDAPS</strong> is that every request being exchanged between the client and the server will be encrypted, because the underlying transport is encrypted. That means you can't start communicating with the LDAP server before the connection is secured.</p>
-<p>It has a few drawbacks :
+<p>The important point to understand with <strong>LDAPS</strong> is that every request being exchanged between the client and the server is encrypted, because its underlying transport is encrypted. That means you can't start communicating with the LDAP server before the connection is secured.</p>
+<p>It has a few drawbacks:
 - first of all, it has an added CPU cost, as everything has to be encrypted and decrypted.
 - second, it requires a dedicated port, thus some specific routing rules (firewall, load balancers, etc)
-- third, it's a all of nothing choice. If you want to come back to a non-encrypted communication, you need to use another connection.</p>
-<p>This is the reason why the <strong>startTLS</strong> extended operation should be used.</p>
+- third, it's a all of nothing choice. If you want to return to a non-encrypted communication, you must use another connection.</p>
+<p>This is the why the <strong>startTLS</strong> extended operation should be used instead.</p>
 
 
     <div class="nav">
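Review bot: "it's a all of nothing choice" should be "it's an all-or-nothing choice", and "This is the why the startTLS extended operation" has a stray "the". The drawbacks list is once more a dash-list inside a <p> element, so it renders as run-on text; it should be a <ul> like the parameter list in the previous section.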