Posted to dev@directory.apache.org by "Ralf Hauser (JIRA)" <ji...@apache.org> on 2006/06/08 22:34:29 UTC

[jira] Created: (DIRSERVER-639) allow to run ldaps only

allow to run ldaps only
-----------------------

         Key: DIRSERVER-639
         URL: http://issues.apache.org/jira/browse/DIRSERVER-639
     Project: Directory ApacheDS
        Type: Improvement

  Components: ldap  
 Environment: all
    Reporter: Ralf Hauser


In our environment, we should not disclose anything without encrypting it in transmission.

When trying to only start ldaps by simply not setting
   cfg.setLdapPort(...);
apparently the default 389 is taken, which in turn cannot be used if ApacheDS is not started as root...

How can I avoid just
  cfg.setLdapPort(2389);
or at least shut it down immediately afterwards.

see also DIR-185

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Updated: (DIRSERVER-639) allow to run ldaps only

Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Karasulu updated DIRSERVER-639:
------------------------------------

    Fix Version/s:     (was: 1.5.3)
                   1.5.5


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (DIRSERVER-639) allow to run ldaps only

Posted by "Allen Wittenauer (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12615010#action_12615010 ] 

Allen Wittenauer commented on DIRSERVER-639:
--------------------------------------------

The problem with the "use a firewall" solution is that sometimes firewalls fail.  It is much better if the app doesn't open the port at all.

Also, running ADS as non-root isn't the point; protecting the data going over the wire is the concern.  Non-SSL LDAP traffic can be sniffed.

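A defender-side check for the point made above (that the plaintext port should not be open at all), as an added example that is not part of this thread or of the ApacheDS project: it probes the plaintext LDAP ports you expect to be closed and confirms the LDAPS port completes a TLS handshake, so a listener that came up anyway (or a firewall rule that stopped working) shows up as a finding. The default port numbers and the `audit` function are assumptions of this example.

```python
import socket
import ssl
import sys

# Assumptions (not from the issue): plaintext ports worth probing and the
# LDAPS port an unprivileged ApacheDS would use.
DEFAULT_PLAINTEXT_PORTS = (389, 10389)
DEFAULT_LDAPS_PORT = 10636

def tcp_accepts(host, port, timeout=2.0):
    """True if something completes a TCP handshake on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def tls_handshake_ok(host, port, cafile=None, timeout=2.0):
    """True if host:port completes a TLS handshake. With cafile=None the
    certificate is not verified, so this only proves the listener speaks
    TLS; pass the CA that signed the server cert to verify it properly."""
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # ssl.SSLError is an OSError: EOF, reset, timeout...
        return False

def audit(host, plaintext_ports=DEFAULT_PLAINTEXT_PORTS,
          ldaps_port=DEFAULT_LDAPS_PORT, cafile=None):
    """Return (ok, findings): ok only if no plaintext port accepts a
    connection and the LDAPS port completes a TLS handshake."""
    findings = ["plaintext LDAP listener open on %s:%d" % (host, p)
                for p in plaintext_ports if tcp_accepts(host, p)]
    if not tls_handshake_ok(host, ldaps_port, cafile):
        findings.append("no TLS handshake on %s:%d" % (host, ldaps_port))
    return not findings, findings

if __name__ == "__main__":
    ok, found = audit(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    for line in found:
        print("FINDING:", line)
    sys.exit(0 if ok else 1)
```

Run it from a host that should be able to reach the server; a non-zero exit means a plaintext listener is reachable or the LDAPS port does not speak TLS.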


[jira] Resolved: (DIRSERVER-639) allow to run ldaps only

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIRSERVER-639.
-----------------------------------------

    Resolution: Fixed

The configuration has been modified so that one can define an SSL-only transport for the server.



[jira] Commented: (DIRSERVER-639) allow to run ldaps only

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12615013#action_12615013 ] 

Emmanuel Lecharny commented on DIRSERVER-639:
---------------------------------------------

It has been postponed to 1.5.5, as 1.5.3 is already out (even if the announcement has not been made), and 1.5.4 will follow shortly after (it's just an intermediate version with a lot of modifications in it).

The required feature (forbid the server to be run without encryption through configuration) will definitely be added.



[jira] Commented: (DIRSERVER-639) allow to run ldaps only

Posted by "Trustin Lee (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/DIRSERVER-639?page=comments#action_12415474 ] 

Trustin Lee commented on DIRSERVER-639:
---------------------------------------

It seems like Ralf wants to disable LDAP and to enable LDAPS only for security reasons.  It should be easy to fix.



[jira] Updated: (DIRSERVER-639) allow to run ldaps only

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRSERVER-639:
----------------------------------------

    Fix Version/s: 1.5.3

Postponed



[jira] Closed: (DIRSERVER-639) allow to run ldaps only

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny closed DIRSERVER-639.
---------------------------------------




[jira] Commented: (DIRSERVER-639) allow to run ldaps only

Posted by "Ralf Hauser (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/DIRSERVER-639?page=comments#action_12415473 ] 

Ralf Hauser commented on DIRSERVER-639:
---------------------------------------

There are the following issues:
- nobody shall be able to send (query info, userid/password) or retrieve information from our ldap server without protecting that with SSL/TLS
- by not setting cfg.setLdapPort() I hoped that unprotected ldap would not start at all, but it did start and simply took the default 389 port
- this caused a problem, since I do not run the ldap server under root, so it could not bind to that socket

So there are two goals:
1) run the server in an ldapS config only, i.e. no listener (on port 389 or any other) shall honor non-protected ldap
2) run the server as non-root

Please let me know if there are questions about these goals.

P.S.: One idea: if it is mandatory to also start an ldap listener during booting of the server, would it be possible to shut down the ldap listener immediately after the start completes and keep only the ldaps one running?



[jira] Commented: (DIRSERVER-639) allow to run ldaps only

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/DIRSERVER-639?page=comments#action_12415483 ] 

Emmanuel Lecharny commented on DIRSERVER-639:
---------------------------------------------

Ok, got it!

There is something that bugs me: the server is supposed to start on 10389, not 389, with the default configuration, no?

Ok then, whatever. It's true that we don't have an option to start the server on SSL only. We can add one in a future release; that's not very difficult. But to me, it seems to be much more a firewall setting than anything else, isn't it? If you forbid incoming requests to port xx389 in your firewall, it should be ok (at least, this is an option while waiting for a new version of ADS which will be SSL enabled only).

Second point: if you are running ADS on a Un*x box, then you have many choices, but do not run it as root. Even if using port 389, use SUDO to launch the server, which should run as a special user (user ldap, group ldap, for instance). If you choose to run on a port above 1024, you can launch ADS without using SUDO. You can also chroot the whole ADS for security reasons. But never ever launch the server as root! If this is not clear, we can add a page on Confluence to help guys with such questions, because these are really important questions.



[jira] Commented: (DIRSERVER-639) allow to run ldaps only

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/DIRSERVER-639?page=comments#action_12415431 ] 

Emmanuel Lecharny commented on DIRSERVER-639:
---------------------------------------------

Hmmmm... Could you give us a little bit more context information?

Thanks!
