[Servser] SSL Support?
Apache Directory Project mailing list archive, September 2005 (text-only view of the thread)
Marc Boorshtein 2005-09-22, 7:45 am
I thought I read somewhere that apacheds supports SSL (in the ldap listener)
with Java 5, but I can't find any docs. How is this setup?
Thanks
Marc
Nick Faiz 2005-09-22, 8:45 pm
I'd like to know too. I had thought it wasn't available.
Nick
On 9/22/05, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I thought I read somewhere that apacheds supports SSL (in the ldap listener)
> with Java 5, but I can't find any docs. How is this setup?
>
> Thanks
> Marc
>
Trustin Lee 2005-09-22, 8:45 pm
There's no SSL support for ApacheDS-server yet. We have to improve MINA to
support SASL first.
Trustin
2005/9/22, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
>
> I thought I read somewhere that apacheds supports SSL (in the ldap
> listener) with Java 5, but I can't find any docs. How is this setup?
>
> Thanks
> Marc
>
--
what we call human nature is actually human habit
--
http://gleamynode.net/
Trustin Lee 2005-09-22, 8:45 pm
I thought SASL is required for LDAP to authenticate user in a secure way and
LDAPS works with SASL only. Am I misunderstanding? Let me know. I'm a novice
in LDAP. 
Trustin
2005/9/22, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
>
> I'm not sure I understand why SASL support is required to support SSL.
> Isn't SASL and application level protocol where as SSL is at lower level?
>
> Marc
>
> On 9/22/05, Trustin Lee <trustin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
--
what we call human nature is actually human habit
--
http://gleamynode.net/
Marc Boorshtein 2005-09-22, 8:45 pm
It looks like MINA-111 adds support for SSL, but there are no docs on how to
enable it.
Marc
On 9/22/05, Trustin Lee <trustin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> There's no SSL support for ApacheDS-server yet. We have to improve MINA to
> support SASL first.
>
> Trustin
>
> 2005/9/22, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org >:
David Boreham 2005-09-22, 8:45 pm
Marc Boorshtein wrote:
> It looks like MINA-111 adds support for SSL, but there are no docs on
> how to enable it.
We use SSL with ApacheDS inside the NT4 LDAP server
we ship with Fedora Directory Server. The source is open
(from memory we added one or two minor things to support
easy cert configuration). The ApacheDS/Mina code has probably
changed quite a bit since then though.
Stefan Zoerner 2005-09-22, 8:45 pm
Hi Trustin!
> I thought SASL is required for LDAP to authenticate user in a secure way
> and LDAPS works with SASL only. Am I misunderstanding? Let me know. I'm a
> novice in LDAP.
As far as I know, LDAPS is comparable to HTTPS. It just adds a layer
between LDAP and TCP/IP. In particular, it has nothing to do with SASL.
Normally, you have two different ports an LDAP server is listening on: 389
for LDAP unencrypted, and 636 for LDAP over SSL/TLS (like 80/443 with
HTTP). Using LDAPS it is possible to use a simple bind (with pwd in
clear) within SSL/TLS, therefore it is encrypted nevertheless. Using SASL
(e.g. DIGEST-MD5) is another option for a secure authentication. A third
one would be using an anonymous bind, using StartTLS (extended operation)
and after successfully establishing TLS on the same connection a rebind
with credentials.
I hope this helps (and is right as well ;-)
Stefan
David Boreham 2005-09-22, 8:45 pm
Trustin Lee wrote:
> I thought SASL is required for LDAP to authenticate user in a secure
> way and LDAPS works with SASL only. Am I misunderstanding? Let me
> know. I'm a novice in LDAP. 
>
Nope, SASL and SSL are orthogonal (well, nearly).
If (and only if) you want to perform cert-based authentication in
a standard way, then you need to support the SASL-EXTERNAL
mechanism. But almost nobody needs this. Basic SSL does
not depend on SASL (and in fact SASL-EXTERNAL doesn't
really depend on SASL either ;)
Marc Boorshtein 2005-09-22, 8:45 pm
Well, it depends on your needs. If you are going to use public key
authentication, then yes you would need SASL. However if all you want is
transport level security then you only need to enable SSL (with a key and cert).
This way users are still authenticated using simple binds but the
communications are encrypted.
Marc
On 9/22/05, Trustin Lee <trustin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> I thought SASL is required for LDAP to authenticate user in a secure way
> and LDAPS works with SASL only. Am I misunderstanding? Let me know. I'm a
> novice in LDAP. 
>
> Trustin
>
> 2005/9/22, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
Trustin Lee 2005-09-22, 8:45 pm
Hi Stefan,
Thank you for your clarification! So there are two ways for users to
authenticate themselves in a secure manner; one with LDAPS and the other
with SASL, right?
Thanks again,
Trustin
2005/9/22, Stefan Zoerner <SZOERNER-tA70FqPdS9bQT0dZR+AlfA@public.gmane.org>:
> Hi Trustin!
>
> As far as I know, LDAPS is comparable to HTTPS. It just adds a layer
> between LDAP and TCP/IP. Especially It has nothing to do with SASL.
> Normally, you have two different ports an LDAP server is listening on: 389
> for LDAP unencrypted, and 636 for LDAP over SSL/TLS (like 80/443 with HTTP).
> Using LDAPS it is possible to to use a simple bind (with pwd in clear)
> within SSL/TLS, therefore it is encrypted nevertheless. Using SASL (e.g.
> DIGEST-MD5) is another option for a secure authentication. A third one would
> be using an anonymous bind, using StartTLS (extended operation) and after
> successfully establishing TLS on the same connection a rebind with
> credentials.
>
> I hope this helps (and is right as well ;-)
> Stefan
--
what we call human nature is actually human habit
--
http://gleamynode.net/
David Boreham 2005-09-22, 8:45 pm
Trustin Lee wrote:
> Thank you for your clarification! So there are two ways for users to
> authenticate themselves in a secure manner; one with LDAPS and the
> other with SASL, right?
Not quite. SASL is the generic authentication framework.
It has various alternative mechanisms. One of them is
SASL-EXTERNAL, which basically says 'get the authentication
credentials from the transport layer' (SSL in this case).
There are other SASL mechanisms, such as GSSAPI
where the credentials come in the BIND PDU payload.
So to perform cert-based auth to an LDAP server,
you use both SSL and SASL.
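Stefan's and David's posts above describe three ways to keep a bind secure: a simple bind inside LDAPS (port 636), StartTLS on port 389 followed by a rebind, and a SASL bind (DIGEST-MD5, or EXTERNAL when the credential is the client certificate from the TLS handshake). The Python below is an added example written for this page; it is not code from the thread, ApacheDS or MINA. It builds the actual LDAP PDUs (RFC 4511 BER encoding; RFC 2251 at the time of the thread) for a simple BindRequest, a SASL EXTERNAL BindRequest and the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), parses them back the way a proxy or IDS would, and checks whether the password would be readable on the wire. The DN and password are constructed sample values.

```python
"""LDAP bind / StartTLS PDUs on the wire (RFC 4511 BER encoding).

Added example for this thread; not ApacheDS or MINA code.  The DN and password
used in the demo at the bottom are constructed sample values."""
from __future__ import annotations

START_TLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511 4.14)

# --- minimal BER encoder -----------------------------------------------------
def _ber_len(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _octets(s: str | bytes, tag: int = 0x04) -> bytes:
    return _tlv(tag, s.encode("utf-8") if isinstance(s, str) else s)

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return _tlv(0x30, _int(msg_id) + protocol_op)

# --- the three requests the thread talks about -------------------------------
def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest [APPLICATION 0] with AuthenticationChoice simple [0] OCTET STRING.
    The password is carried verbatim: only LDAPS or StartTLS keeps it private."""
    op = _int(3) + _octets(dn) + _octets(password, tag=0x80)
    return ldap_message(msg_id, _tlv(0x60, op))

def sasl_bind(msg_id: int, mechanism: str, credentials: bytes | None = None, dn: str = "") -> bytes:
    """BindRequest with AuthenticationChoice sasl [3] SaslCredentials.
    For EXTERNAL the credential is the client certificate from the TLS handshake,
    so the name is usually empty and no credentials octets are sent."""
    sasl = _octets(mechanism) + (_octets(credentials) if credentials is not None else b"")
    op = _int(3) + _octets(dn) + _tlv(0xA3, sasl)
    return ldap_message(msg_id, _tlv(0x60, op))

def start_tls(msg_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID }; no requestValue.
    Sent in clear on port 389; on success the same TCP connection switches to TLS
    and the client then rebinds with its real credentials."""
    return ldap_message(msg_id, _tlv(0x77, _octets(START_TLS_OID, tag=0x80)))

# --- minimal BER decoder, enough to inspect what a client just sent ----------
def _read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def describe_bind(pdu: bytes) -> dict:
    """Which AuthenticationChoice a BindRequest carries (what a proxy or IDS would check)."""
    _, msg, _ = _read_tlv(pdu)                 # LDAPMessage
    _, mid, pos = _read_tlv(msg)               # messageID
    tag, op, _ = _read_tlv(msg, pos)           # protocolOp
    if tag != 0x60:
        raise ValueError("not a BindRequest (tag %#x)" % tag)
    _, _, pos = _read_tlv(op)                  # version
    _, name, pos = _read_tlv(op, pos)          # name (LDAPDN)
    atag, auth, _ = _read_tlv(op, pos)         # AuthenticationChoice
    out = {"id": int.from_bytes(mid, "big", signed=True), "dn": name.decode("utf-8")}
    if atag == 0x80:
        out.update(auth="simple", password=auth.decode("utf-8"))
    elif atag == 0xA3:
        _, mech, _ = _read_tlv(auth)
        out.update(auth="sasl", mechanism=mech.decode("utf-8"))
    else:
        raise ValueError("unknown AuthenticationChoice tag %#x" % atag)
    return out

def is_start_tls(pdu: bytes) -> bool:
    _, msg, _ = _read_tlv(pdu)
    _, _, pos = _read_tlv(msg)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x77:
        return False
    _, oid, _ = _read_tlv(op)
    return oid == START_TLS_OID.encode("ascii")

def password_on_wire(pdu: bytes, password: str) -> bool:
    """True when the password bytes sit in the PDU as-is, readable by anyone on the
    path unless the TCP connection is already wrapped in TLS."""
    return password.encode("utf-8") in pdu

if __name__ == "__main__":
    dn, pw = "cn=admin,dc=acme,dc=org", "s3cret"     # constructed sample values
    for label, pdu in [("simple bind", simple_bind(1, dn, pw)),
                       ("SASL EXTERNAL bind", sasl_bind(2, "EXTERNAL")),
                       ("StartTLS", start_tls(3))]:
        print(f"{label:20s} {pdu.hex()}  password visible: {password_on_wire(pdu, pw)}")
```

The simple bind shows the password as plain octets in the PDU, which is why it is only acceptable on a connection that LDAPS or StartTLS already protects; the SASL EXTERNAL bind carries no secret at all because the certificate was verified by the TLS layer, which is David's point that cert-based auth uses both SSL and SASL.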
Nick Faiz 2005-09-22, 8:45 pm
Hi,
David Boreham wrote:
Yes, David's explanation about external SASL auth. via certificates was
helpful.
I've recently had to wrap my head around this stuff too. A nice way of
being reminded that SASL is a generic mechanism allowing for a variety of
authentication methods is to ask the LDAP server which SASL methods of
auth. it supports:
ldapsearch -D 'cn=admin,dc=acme,dc=org' -x -w ***** -s base -b '' objectclass=* supportedsaslmechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: objectclass=*
# requesting: supportedsaslmechanisms
#
#
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
Via JNDI you specify which algorithm you want to use in the security
protocol environment property. So, from the above, I can tell that the
particular openldap instance supports two methods of SASL auth.
Nick
>
> Not quite. SASL is the generic authentication framework.
> It has various alternative mechanisms. One of them is
> SASL-EXTERNAL, which basically says 'get the authentication
> credentials from the transport layer' (SSL in this case).
> There are other SASL mechanisms, such as GSSAPI
> where the credentials come in the BIND PDU payload.
>
> So to perform cert-based auth to an LDAP server,
> you use both SSL and SASL.
--
ATLASSIAN - http://www.atlassian.com/
Confluence - the enterprise wiki - tried it yet?
http://www.atlassian.com/confluence/
--
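Nick's post shows how the root DSE advertises supportedSASLMechanisms. As an added example (not code from the thread, ApacheDS, OpenLDAP or JNDI), the Python below parses that LDIF output, including folded lines and base64 values, and then picks a bind method from the advertised mechanisms following the rules the thread lays out: SASL EXTERNAL when a client certificate was presented over TLS, a simple bind when TLS (LDAPS or StartTLS) protects the connection, a challenge-response SASL mechanism when it does not, and a refusal otherwise. SAMPLE_LDIF is the output Nick posted; the folded/base64 variant used in testing is constructed. One caveat the 2005 thread could not give: DIGEST-MD5 was moved to historic status by RFC 6331 and CRAM-MD5 is no stronger, so treat both as a stopgap and prefer TLS.

```python
"""Root DSE supportedSASLMechanisms: parse the ldapsearch output and choose a bind.

Added example for this thread; not ApacheDS, OpenLDAP or JNDI code."""
from __future__ import annotations
import base64

# Constructed: the LDIF Nick posted for
# ldapsearch ... -s base -b '' objectclass=* supportedsaslmechanisms
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: objectclass=*
# requesting: supportedsaslmechanisms
#

dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
"""

def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Attribute -> values for the first entry of an LDIF blob (the RFC 2849 rules that
    matter here: '#' comments, folding via a leading space, '::' for base64 values).
    LDAP attribute names are case-insensitive, so keys are lower-cased."""
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if logical:
                break                      # blank line ends the entry
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]         # folded continuation line
        else:
            logical.append(raw)
    attrs: dict[str, list[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs

def sasl_mechanisms(text: str) -> list[str]:
    """The mechanisms the server advertises, upper-cased as SASL names are."""
    return [m.upper() for m in parse_ldif_entry(text).get("supportedsaslmechanisms", [])]

def choose_bind(mechs: list[str], tls_active: bool, client_cert: bool) -> tuple[str | None, str]:
    """Apply the thread's rules. Returns (method, reason); method is a SASL mechanism
    name, 'simple', or None when no acceptable option exists."""
    m = {x.upper() for x in mechs}
    if tls_active and client_cert and "EXTERNAL" in m:
        return "EXTERNAL", "certificate already verified by the TLS handshake; SASL EXTERNAL hands it to LDAP"
    if tls_active:
        return "simple", "password is sent, but only inside TLS (LDAPS, or after StartTLS)"
    for mech in ("DIGEST-MD5", "CRAM-MD5"):
        if mech in m:
            return mech, f"{mech} keeps the password off the wire, but the rest of the session is still in clear"
    return None, "refuse: without TLS a simple bind would send the password in clear"

if __name__ == "__main__":
    mechs = sasl_mechanisms(SAMPLE_LDIF)
    print("server offers:", mechs)
    for tls, cert in [(True, True), (True, False), (False, False)]:
        print(f"tls={tls!s:5} client_cert={cert!s:5} ->", choose_bind(mechs, tls, cert))
```

For the server in Nick's output (no EXTERNAL advertised) the chooser falls back to a simple bind whenever TLS is up and to DIGEST-MD5 only when it is not; a server that offers EXTERNAL and a TLS session with a client certificate is the one combination where the bind carries no password at all.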