Posted to users@directory.apache.org by Linus van Geuns <li...@vangeuns.name> on 2010/01/06 15:48:00 UTC

Re: [ApacheDS] Certificate for StartTLS

Hi!

On Wed, Jan 6, 2010 at 3:26 PM, Beat Burgener | NetSuccess GmbH
<be...@netsuccess.ch> wrote:
[..]
> BTW3: Is there a way to force StartTLS on an LDAP connection using port 389 via
> the ApacheDS configuration?
> That's why I use LDAPS, which does not support plain text connections AFAIK.
> For LDAP, I don't feel in the position to control
> whether the client uses StartTLS or not ...

AFAIK it is valid LDAP protocol behavior for a client to just connect
to the server using a plain text simple bind and thereby send
passwords in clear text to your server.
The server could reject that request, but the client is not forced to
look up server policies before its first request.

Therefore you need to ensure that your clients are configured to use StartTLS.

Regards, Linus

Re: [ApacheDS] Certificate for StartTLS

Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
Dear Linus

Thank you for clarifying this!

Great insight knowledge.

Best regards

Beat

On 06.01.2010 19:42 PM, Linus van Geuns wrote:
> Hey Beat!
>
> On Wed, Jan 6, 2010 at 5:00 PM, Beat Burgener | NetSuccess GmbH
> <be...@netsuccess.ch>  wrote:
>    
>> Steven,
>>
>> thank you for pointing this out.
>>
>> @Stefan/Emmanuel
>>
>> What would be the equivalent for the configuration file?
>>
>> I assume that the client would try to send the username before the password,
>> and if that fails,
>>      
> In fact, no!
> Most simple LDAP clients configured with a static distinguished name
> (user name) and password will create a TCP connection to your server
> and send a bind request containing distinguished name and password.
> The server may reject that request and the client may issue a StartTLS
> in reaction to that, but it is still valid LDAP client behavior to
> just connect & bind w/o asking for server policies first.
>
> On the other hand, if your clients for example are configured to do an
> anonymous search for the distinguished name to bind as before the bind
> request itself, they will get the server side rejection of unencrypted
> requests first.
>
> And, of course, if your client is configured to enforce a StartTLS
> encrypted connection, it will issue a StartTLS first and won't continue
> w/o setting up encryption.
>
> Regards, Linus
>    

Re: [ApacheDS] Certificate for StartTLS

Posted by Linus van Geuns <li...@vangeuns.name>.
Hey Beat!

On Wed, Jan 6, 2010 at 5:00 PM, Beat Burgener | NetSuccess GmbH
<be...@netsuccess.ch> wrote:
> Steven,
>
> thank you for pointing this out.
>
> @Stefan/Emmanuel
>
> What would be the equivalent for the configuration file?
>
> I assume that the client would try to send the username before the password,
> and if that fails,

In fact, no!
Most simple LDAP clients configured with a static distinguished name
(user name) and password will create a TCP connection to your server
and send a bind request containing distinguished name and password.
The server may reject that request and the client may issue a StartTLS
in reaction to that, but it is still valid LDAP client behavior to
just connect & bind w/o asking for server policies first.

On the other hand, if your clients for example are configured to do an
anonymous search for the distinguished name to bind as before the bind
request itself, they will get the server side rejection of unencrypted
requests first.

And, of course, if your client is configured to enforce a StartTLS
encrypted connection, it will issue a StartTLS first and won't continue
w/o setting up encryption.

Regards, Linus

Re: [ApacheDS] Certificate for StartTLS

Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
Steven,

thank you for pointing this out.

@Stefan/Emmanuel

What would be the equivalent for the configuration file?

I assume that the client would try to send the username before the 
password, and if that fails,
it will hopefully not ignore that fact and will not send the password ...

;-)

Regards

Beat

On 06.01.2010 16:16 PM, Hammond, Steven wrote:
> I use ApacheDS embedded instead of the config file.  But to force startTLS I have:
>     LdapServer apacheds = new LdapServer();
>     apacheds.setConfidentialityRequired(true);
>
> When a client is connected unencrypted, the only command allowed is startTLS, all others are rejected.
>
> -----Original Message-----
> From: Linus van Geuns [mailto:linus@vangeuns.name]
> Sent: Wednesday, January 06, 2010 7:48 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] Certificate for StartTLS
>
> Hi!
>
> On Wed, Jan 6, 2010 at 3:26 PM, Beat Burgener | NetSuccess GmbH
> <be...@netsuccess.ch>  wrote:
> [..]
>    
>> BTW3: Is there a way to force StartTLS on an LDAP connection using port 389 via
>> the ApacheDS configuration?
>> That's why I use LDAPS, which does not support plain text connections AFAIK.
>> For LDAP, I don't feel in the position to control
>> whether the client uses StartTLS or not ...
>>      
> AFAIK it is valid LDAP protocol behavior for a client to just connect
> to the server using a plain text simple bind and thereby send
> passwords in clear text to your server.
> The server could reject that request, but the client is not forced to
> look up server policies before its first request.
>
> Therefore you need to ensure that your clients are configured to use StartTLS.
>
> Regards, Linus
>    

Re: [ApacheDS] Certificate for StartTLS

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hammond, Steven wrote:
> I use ApacheDS embedded instead of the config file.  But to force startTLS I have:
>     LdapServer apacheds = new LdapServer();
>     apacheds.setConfidentialityRequired(true);
>
> When a client is connected unencrypted, the only command allowed is startTLS, all others are rejected.
>   

Thanks Steven !

And happy new year :)


RE: [ApacheDS] Certificate for StartTLS

Posted by "Hammond, Steven" <St...@Polycom.com>.
I use ApacheDS embedded instead of the config file.  But to force startTLS I have:
    LdapServer apacheds = new LdapServer();
    apacheds.setConfidentialityRequired(true);

When a client is connected unencrypted, the only command allowed is startTLS, all others are rejected.

-----Original Message-----
From: Linus van Geuns [mailto:linus@vangeuns.name] 
Sent: Wednesday, January 06, 2010 7:48 AM
To: users@directory.apache.org
Subject: Re: [ApacheDS] Certificate for StartTLS

Hi!

On Wed, Jan 6, 2010 at 3:26 PM, Beat Burgener | NetSuccess GmbH
<be...@netsuccess.ch> wrote:
[..]
> BTW3: Is there a way to force StartTLS on an LDAP connection using port 389 via
> the ApacheDS configuration?
> That's why I use LDAPS, which does not support plain text connections AFAIK.
> For LDAP, I don't feel in the position to control
> whether the client uses StartTLS or not ...

AFAIK it is valid LDAP protocol behavior for a client to just connect
to the server using a plain text simple bind and thereby send
passwords in clear text to your server.
The server could reject that request, but the client is not forced to
look up server policies before its first request.

Therefore you need to ensure that your clients are configured to use StartTLS.

Regards, Linus
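The two points made in this thread, that a simple LDAP client may send a bind with a cleartext password as its very first PDU, and that a server with confidentiality required answers anything but StartTLS on an unencrypted connection with a rejection, can be seen directly in the bytes on the wire. The following is an added example (not code from the thread, and not ApacheDS code): a small BER decoder that classifies the first LDAPMessage a client sends, plus a function that applies the "only StartTLS is allowed before encryption" policy. The tag values (APPLICATION 0 for BindRequest, APPLICATION 23 for ExtendedRequest, the StartTLS OID and result code 13 confidentialityRequired) are from RFC 4511; the sample PDUs are constructed in the block with its own encoder and are not captured traffic.

```python
"""Classify the first PDU an LDAP client sends on a not-yet-encrypted TCP
connection and apply a confidentiality-required policy to it.
Added example for the ApacheDS StartTLS thread; tag values per RFC 4511."""
from dataclasses import dataclass

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)
CONFIDENTIALITY_REQUIRED = 13             # LDAP resultCode confidentialityRequired


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


@dataclass
class FirstPdu:
    kind: str                  # starttls | simple_bind | anonymous_bind | sasl_bind | other
    bind_dn: str = ""
    cleartext_password: bool = False


def classify_first_pdu(pdu: bytes) -> FirstPdu:
    """Decode LDAPMessage ::= SEQUENCE { messageID, protocolOp CHOICE }."""
    tag, msg, _ = parse_tlv(pdu)
    if tag != 0x30:
        return FirstPdu("other")
    _, _msg_id, pos = parse_tlv(msg)       # messageID INTEGER
    op_tag, op, _ = parse_tlv(msg, pos)    # protocolOp
    if op_tag == 0x77:                     # [APPLICATION 23] ExtendedRequest
        name_tag, name, _ = parse_tlv(op)  # requestName [0] LDAPOID
        if name_tag == 0x80 and name.decode() == STARTTLS_OID:
            return FirstPdu("starttls")
        return FirstPdu("other")
    if op_tag == 0x60:                     # [APPLICATION 0] BindRequest
        _, _version, pos = parse_tlv(op)   # version INTEGER
        _, dn, pos = parse_tlv(op, pos)    # name LDAPDN
        auth_tag, cred, _ = parse_tlv(op, pos)
        dn_s = dn.decode()
        if auth_tag == 0x80:               # simple [0] OCTET STRING: password in clear
            if not dn_s and not cred:
                return FirstPdu("anonymous_bind")
            return FirstPdu("simple_bind", dn_s, cleartext_password=True)
        if auth_tag == 0xA3:               # sasl [3] SaslCredentials
            return FirstPdu("sasl_bind", dn_s)
    return FirstPdu("other")


def server_decision(pdu: bytes, encrypted: bool, confidentiality_required: bool) -> str:
    """Policy from the thread: with confidentiality required, a cleartext
    connection may only issue StartTLS; everything else gets resultCode 13."""
    info = classify_first_pdu(pdu)
    if confidentiality_required and not encrypted and info.kind != "starttls":
        return f"reject:{CONFIDENTIALITY_REQUIRED}"
    return f"accept:{info.kind}"


# --- constructed sample PDUs (built with the encoder above, not captured) ---
def ldap_message(msg_id: int, op: bytes) -> bytes:
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)


def starttls_request(msg_id: int = 1) -> bytes:
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID.encode())))


def simple_bind_request(dn: str, password: str, msg_id: int = 1) -> bytes:
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))


if __name__ == "__main__":
    naive = simple_bind_request("uid=alice,ou=users,dc=example,dc=com", "hunter2")
    print(classify_first_pdu(naive))                       # simple_bind, cleartext_password=True
    print(server_decision(naive, encrypted=False, confidentiality_required=True))
    print(server_decision(starttls_request(), encrypted=False, confidentiality_required=True))
```

Run on a real first PDU (for instance the payload of the first client-to-server TCP segment on port 389 in a packet capture), `classify_first_pdu` tells you whether that client opened with StartTLS or with a simple bind, which is the check you want when auditing clients before turning the server policy on: once confidentiality is required, every client that still binds first simply stops working, exactly as Steven describes.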