[Samba-it] SSL support for ldap+samba

Ottavio Campana ottavio at campana.vi.it
Sun Dec 19 10:54:01 MST 2004


Simo Sorce wrote:
> It depends on how you configure it in the "replica" option; if you put
> ldaps://host:port there ...

I don't know whether you follow the openldap list, but I just asked there. Here is
a short summary, hoping it is of interest not only to me on this list:

 > Should I use something like host=ldaps://servercopia:636 in the
 > master and updateref "ldaps://serveroriginale:636" in the slave
 > to use ssl and be secure?

You could leave it on port 389, use TLS, and be just as secure.

replica host=servercopia:389 binddn="cn=admin,dc=qualcosa"
          bindmethod=simple credentials=passwordcopia starttls=critical

to which someone replied

 > You could leave it on port 389, use TLS, and be just as secure.

Quanah please be precise here: You are probably referring to StartTLS 
extended operation sent over an existing LDAP connection. SSLv3 or TLSv1 
is an encryption protocol above the transport layer encryption.

BTW: I see some security benefits when using LDAPS URIs over StartTLS 
ext. op. You don't have to set another config parameter to make use of 
SSL or TLS mandatory. But your mileage may vary.

And finally

 > Quanah please be precise here: You are probably referring to StartTLS
 > extended operation sent over an existing LDAP connection. SSLv3 or
 > TLSv1 is an encryption protocol above the transport layer encryption.

Man, nit-picky. ;P  The end result is the same, your connection is 
secured. True, it is not being used to do authentication, but they 
should already know that, having supplied a bind mechanism of simple & a 
password.

 > BTW: I see some security benefits when using LDAPS URIs over StartTLS
 > ext. op. You don't have to set another config parameter to make use of
 > SSL or TLS mandatory. But your mileage may vary.

LDAPS is not part of the LDAP standard.  So I disagree. ;)

-- 
There is no more strength in normality, there is only monotony.
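As an added example (not code from the thread, from OpenLDAP or from Samba), here is a small Python check that reads slurpd-era `replica` directives like the one quoted above and reports whether each update channel is protected by an ldaps:// URI or by starttls=critical; the configuration it scans is constructed for the example.

```python
import re

# Constructed slapd.conf fragment: the thread's StartTLS replica line, the same
# line without StartTLS, an ldaps:// variant, and a starttls=yes variant.
SAMPLE_CONF = """\
replica host=servercopia:389 binddn="cn=admin,dc=qualcosa"
          bindmethod=simple credentials=passwordcopia starttls=critical
replica host=servercopia:389 binddn="cn=admin,dc=qualcosa"
          bindmethod=simple credentials=passwordcopia
replica uri=ldaps://servercopia:636 binddn="cn=admin,dc=qualcosa"
          bindmethod=simple credentials=passwordcopia
replica host=servercopia:389 binddn="cn=admin,dc=qualcosa"
          bindmethod=simple credentials=passwordcopia starttls=yes
"""

def join_continuations(text):
    """slapd.conf treats a line starting with whitespace as a continuation."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines

def parse_replica(line):
    """Turn 'replica k=v k="v v" ...' into a dict of its key=value options."""
    body = line[len("replica"):]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}

def transport_status(opts):
    """Classify how the simple-bind credentials and updates travel."""
    target = opts.get("uri") or opts.get("host", "")
    if target.lower().startswith("ldaps://"):
        return "ldaps"
    starttls = opts.get("starttls", "").lower()
    if starttls == "critical":
        return "starttls-critical"   # replication refuses to run without TLS
    if starttls == "yes":
        return "starttls-optional"   # TLS attempted, cleartext if it fails
    return "cleartext"

def audit_replicas(text):
    """Return (target, status) for every replica directive in the config."""
    found = []
    for line in join_continuations(text):
        if re.match(r"replica\s", line):
            opts = parse_replica(line)
            found.append((opts.get("uri") or opts.get("host"), transport_status(opts)))
    return found
```

Only "ldaps" and "starttls-critical" guarantee that the simple-bind password never crosses the wire unencrypted; the other two outcomes are what the thread is warning against.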