[Samba-it] SSL support for ldap+samba
Ottavio Campana
ottavio at campana.vi.it
Sun Dec 19 10:54:01 MST 2004
Simo Sorce wrote:
> It depends on how you configure it in the "replica" option, if you put
> ldaps://host:port ...
I don't know whether you follow the openldap list, but I just asked there. Here is a
short summary, hoping it is of interest to others on this list and not only to me:
> Should I use something like host=ldaps://servercopia:636 in the
> master and updateref "ldaps://serveroriginale:636" in the slave
> to use ssl and be secure?
You could leave it on port 389, use TLS, and be just as secure.
replica host=servercopia:389 binddn="cn=admin,dc=qualcosa"
bindmethod=simple credentials=passwordcopia starttls=critical
to which someone replied
> You could leave it on port 389, use TLS, and be just as secure.
Quanah please be precise here: You are probably referring to StartTLS
extended operation sent over an existing LDAP connection. SSLv3 or TLSv1
is an encryption protocol above the transport layer encryption.
BTW: I see some security benefits when using LDAPS URIs over StartTLS
ext. op. You don't have to set another config parameter to make use of
SSL or TLS mandatory. But your mileage may vary.
And finally
> Quanah please be precise here: You are probably referring to StartTLS
> extended operation sent over an existing LDAP connection. SSLv3 or
> TLSv1 is an encryption protocol above the transport layer encryption.
Man, nit-picky. ;P The end result is the same, your connection is
secured. True, it is not being used to do authentication, but they
should already know that, having supplied a bind mechanism of simple & a
password.
> BTW: I see some security benefits when using LDAPS URIs over StartTLS
> ext. op. You don't have to set another config parameter to make use of
> SSL or TLS mandatory. But your mileage may vary.
LDAPS is not part of the LDAP standard. So I disagree. ;)
--
There is no more strength in normality, there is only monotony.
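
The following Python example is added here and is not part of the original message or of OpenLDAP. It audits the `replica` directives of a slapd.conf for the point debated in the thread: whether TLS is guaranteed (an ldaps:// URI or starttls=critical) or only optional. The sample configuration, the hosts copia2 to copia4, the `uri=` and `starttls=yes` forms and the function names are assumptions of the example.

```python
import shlex

# Constructed sample (made-up hosts). Assumption: starttls=yes tolerates a failed StartTLS.
SAMPLE_CONF = '''\
replica host=servercopia:389 binddn="cn=admin,dc=qualcosa"
  bindmethod=simple credentials=passwordcopia starttls=critical
replica host=copia2:389 binddn="cn=admin,dc=qualcosa"
  bindmethod=simple credentials=passwordcopia starttls=yes
replica uri=ldaps://copia3:636 binddn="cn=admin,dc=qualcosa"
  bindmethod=simple credentials=passwordcopia
replica host=copia4:389 binddn="cn=admin,dc=qualcosa"
  bindmethod=simple credentials=passwordcopia
'''

def logical_lines(text):
    """Join continuation lines (a line starting with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit_replicas(text):
    """Return (target, verdict, password_exposed) per replica directive."""
    results = []
    for line in logical_lines(text):
        words = shlex.split(line)
        if words[0].lower() != "replica":
            continue
        opts = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        target = opts.get("uri") or opts.get("host", "?")
        if target.lower().startswith("ldaps://"):
            verdict = "ok: TLS from connect (ldaps)"
        elif opts.get("starttls") == "critical":
            verdict = "ok: StartTLS required"
        elif opts.get("starttls") == "yes":
            verdict = "weak: StartTLS optional"
        else:
            verdict = "cleartext: no TLS"
        # A simple bind sends the password itself, so it needs a guaranteed TLS layer.
        exposed = opts.get("bindmethod") == "simple" and not verdict.startswith("ok")
        results.append((target, verdict, exposed))
    return results

if __name__ == "__main__":
    print(*audit_replicas(SAMPLE_CONF), sep="\n")
```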