Author Topic: LDAP encryption  (Read 3114 times)

nadr

  • Zen Apprentice
  • Posts: 1
  • Karma: +0/-0
LDAP encryption
« on: August 22, 2011, 09:32:16 pm »
I know out of the box Zentyal doesn't have the option to use SSL or TLS with LDAP, but is there an easy (maybe a recommended how-to) way to enable it?

ichat

  • Zen Hero
  • Posts: 795
  • Karma: +28/-16
  • RTFM!
Re: LDAP encryption
« Reply #1 on: August 23, 2011, 08:33:37 am »
Configure LDAP access through a tunnel (SSH or VPN) if you need it for a remote site.
All tips, hints and advice are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk,
I claim absolutely NO responsibility in any way!

christian

  • Guest
Re: LDAP encryption
« Reply #2 on: August 23, 2011, 10:16:32 am »
ichat,

VPN might be the right option for site-to-site connectivity or remote access for multiple protocols.
Question about "secure" LDAP is also valid on the Intranet where VPN would not make sense.

What you have to know is that the LDAP protocol uses base64 encoding (not encryption  :P), meaning that when one authenticates using the LDAP protocol, anyone on the same LAN can quite easily sniff and retrieve the password. As the strategy is to have all applications and services relying on LDAP, it makes this solution highly insecure if LDAPS is not used for authentication.

So rephrasing question: how to enable LDAPS (LDAP over TLS or SSL)?

1 - LDAP is already configured in Zentyal to implement secure LDAP connections (replication is done using LDAPS)
2 - it's more a matter of client configuration and of the firewall authorizing access on port 443
3 - look at the OpenLDAP documentation. Once the server is LDAPS-ready, it's mainly done client side.

jsalamero

  • Zentyal Staff
  • Zen Hero
  • Posts: 1419
  • Karma: +45/-1
Re: LDAP encryption
« Reply #3 on: September 12, 2011, 09:10:04 am »
IIRC the SSL config is already inside the LDAP tree; just change the init scripts to make slapd also listen on the ldaps port, see /etc/init/ebox.slapd*.