[Scottish] Quick ldap question

Keith Sharp kms at passback.co.uk
Wed Jul 4 16:49:17 BST 2007 

On Wed, 2007-07-04 at 15:27 +0100, Phillip Bennett wrote:
> Hi everyone,
> 
> As I have previously mentioned, I have spent the last few weeks setting up 
> an ldap server.  So far, I have got authentication working for logins and 
> samba (even created a domain and joined it!).
> 
> My question is this:
> 
> What is needed to make it secure?  I have set it up to work with SSL/TLS and 
> can see the packets going to and from the server on port 636 (ldaps).  As 
> far as I'm aware this is secure.  However, all the documentation I can find 
> on the web tells me that sasl and/or kerberos is needed to make it 
> super-secure.  Is this correct?  Do people think it's needed, or is it good 
> enough to be using TLS?

SASL and Kerberos are primarily methods of authentication whereas
SSL/TLS are primarily methods of encryption.  In terms of securing your
LDAP setup you need to consider the following:

1) Don't store passwords in the directory in clear-text, always use
hashes to store passwords.

2) Use ACLs to restrict access to different parts of the directory.  Few
users or applications should have access to everything.

3) Don't allow anonymous binds to the directory.  All applications that
need to access the directory should bind using their own credentials (in
the case of daemons) or their users credentials (in the case of user
applications).

4) Only allow encrypted connections using SSL or TLS, disable clear-text
access.

You could add Kerberos or SASL as a requirement for authenticating
access requests to the directory but unless you were going to implement
something like Single Sign On I don't see what it would buy you.

> I notice that some of the ldap tools don't work properly without it, but the 
> ones I need do so it's not too much of an issue just yet.  My biggest thing 
> is that it's taking a LOT longer than I thought.  I would rather make it 
> "good" than "cheap", but is the extra time this would take worth it?

Which tools don't work without what?  The time you put in now you should
get back in the future.  Once you have your LDAP infrastructure up and
running adding new users, devices, and services, should be much simpler.

Keith.

More information about the Scottish mailing list