Re: ldap + pam howto?

2007-02-10 Thread Chris Bannister
On Tue, Feb 06, 2007 at 09:22:40AM -0500, Grok Mogger wrote:
> Now here's my question:
> I never could figure out the SASL stuff.  I didn't even get 
> the concept.  I thought I did several times, then I'd read 
> something else and it wouldn't make sense again.  So let's try 
> this slowly  =)
> 
> The LDAP client usually just sends all data (passwords 
> included!) in the clear to the LDAP server.  This is bad.  SASL 
> encrypts all the communication between the client and server.
> 
> Okay, now if I've at least got that much right
> 
> 1) How do I make the client and server use SASL?  I was forever 
> at a loss on this.  Never could find a How-To for it or 
> anything.  (Every How-To I found on LDAP started off with 
> something to the effect of "SASL is beyond the scope of this 
> document"  =P  )

Does this help:

http://people.debian.org/~torsten/ldapnss.html

-- 
Chris.
==
Don't forget to check that your /etc/apt/sources.lst entries point to 
etch and not testing, otherwise you may end up with a broken system once
etch goes stable.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: ldap + pam howto?

2007-02-06 Thread Grok Mogger

Roberto C. Sanchez wrote:
> On Tue, Feb 06, 2007 at 10:56:11AM -0500, Grok Mogger wrote:
>> So forget SASL and just send everything through an SSL tunnel?
>> So you'd do something like this on the client... "ssh -L
>> :LDAPServer:$LDAPServerPORT -N [EMAIL PROTECTED]", and then
>> set up the LDAP client to send everything to the client's own
>>  port?  And do something similar on the server.  Is that right?
>
> Nope, edit /etc/defaults/slapd and tell it to bind to
> "ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
>
> That tells it, clear text only on the loopback, SSL everywhere and also
> the Unix domain socket (only accessible on the local filesystem if you
> have the right permissions).
>
> Of course, you will need to set up certificates.  You can read the LDAP
> admin guide and the SSL docs for that.
>
> Regards,
>
> -Roberto



Hm, doesn't sound too bad.  Cool, thanks!

- GM


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.28/672 - Release Date: 2/6/2007 10:22 
AM






Re: ldap + pam howto?

2007-02-06 Thread Roberto C. Sanchez
On Tue, Feb 06, 2007 at 10:56:11AM -0500, Grok Mogger wrote:
> 
> So forget SASL and just send everything through an SSL tunnel? 
> So you'd do something like this on the client... "ssh -L 
> :LDAPServer:$LDAPServerPORT -N [EMAIL PROTECTED]", and then 
> set up the LDAP client to send everything to the client's own 
>  port?  And do something similar on the server.  Is that right?
> 
Nope, edit /etc/defaults/slapd and tell it to bind to
"ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

That tells it, clear text only on the loopback, SSL everywhere and also
the Unix domain socket (only accessible on the local filesystem if you
have the right permissions).

Of course, you will need to setup certificates.  You can read the LDAP
admin guide and the SSL docs for that.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com



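The listener list Roberto gives above is the SLAPD_SERVICES variable; on Debian the file that carries it is /etc/default/slapd. What follows is an added example, not code from the thread or from the Debian package: a small script that parses such a line and reports which listeners would accept a cleartext bind from the network. The two sample lines are constructed for the example, and nothing here contacts a server.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the SLAPD_SERVICES setting
# that the reply above describes. On Debian the file is /etc/default/slapd;
# both sample lines below are constructed for this example.

# The recommended value: cleartext LDAP on loopback only, LDAPS (TLS on
# port 636) on every interface, plus the ldapi:// Unix-domain socket.
SAMPLE_GOOD='SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"'
# The stock default: cleartext LDAP on every interface.
SAMPLE_DEFAULT='SLAPD_SERVICES="ldap:///"'

# slapd_services LINE: print the URL list from a SLAPD_SERVICES=... line,
# with the surrounding double or single quotes stripped.
slapd_services() {
    val=${1#SLAPD_SERVICES=}
    val=${val#\"}; val=${val%\"}
    val=${val#\'}; val=${val%\'}
    printf '%s\n' "$val"
}

# audit_listeners LINE: one finding per listener. Returns 0 when no
# cleartext ldap:// listener is reachable from the network and an
# ldaps:// listener exists, 1 otherwise. Only hostnames and IPv4
# literals are parsed; bracketed IPv6 literals are not handled.
audit_listeners() {
    rc=0
    have_ldaps=0
    for url in $(slapd_services "$1"); do
        scheme=${url%%:*}
        rest=${url#*://}
        hostport=${rest%%/*}       # empty means "all interfaces"
        host=${hostport%%:*}       # drop the :port suffix
        case $scheme in
            ldap)
                case $host in
                    127.0.0.1|localhost)
                        echo "ok: cleartext ldap:// bound to loopback only ($url)" ;;
                    *)
                        echo "WARN: cleartext ldap:// reachable from the network ($url)"
                        rc=1 ;;
                esac ;;
            ldaps)
                have_ldaps=1
                echo "ok: TLS listener ($url)" ;;
            ldapi)
                echo "ok: Unix socket listener ($url); restrict it with filesystem permissions" ;;
            *)
                echo "WARN: unrecognised listener $url"
                rc=1 ;;
        esac
    done
    if [ $have_ldaps -eq 0 ]; then
        echo "WARN: no ldaps:// listener configured"
        rc=1
    fi
    return $rc
}

echo "== recommended =="; audit_listeners "$SAMPLE_GOOD"
echo "== stock default =="; audit_listeners "$SAMPLE_DEFAULT" || true
```

Two caveats. A port-389 listener is not cleartext by definition, since a client can upgrade it with StartTLS; what binding it to loopback removes is the ability of a remote client to bind without TLS at all. If you do need ldap:// on the network, slapd.conf's `security` directive (for example `security ssf=128`) makes slapd refuse operations on unprotected connections, which achieves the same thing for every listener. And a password sent over the loopback listener is still sent in the clear, only to a place where just local processes can read it.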

Re: ldap + pam howto?

2007-02-06 Thread Grok Mogger

Roberto C. Sanchez wrote:
> On Tue, Feb 06, 2007 at 09:22:40AM -0500, Grok Mogger wrote:
>> The LDAP client usually just sends all data (passwords
>> included!) in the clear to the LDAP server.  This is bad.  SASL
>> encrypts all the communication between the client and server.
>
> Right, but your passwords should be hashed anyways.
>
>> Okay, now if I've at least got that much right
>>
>> 1) How do I make the client and server use SASL?  I was forever
>> at a loss on this.  Never could find a How-To for it or
>> anything.  (Every How-To I found on LDAP started off with
>> something to the effect of "SASL is beyond the scope of this
>> document"  =P  )
>
> Because even though SASL is the "simple" authentication and security
> layer, it is far from simple.
>
>> 2) Once I've enabled SASL (enabled?  Is that even the right
>> term?) how can I see if it's working?
>
> Personally, I just force everything (client and server) into using SSL.
> Then, when I want to do stuff like use the LDAP backend to also do
> authentication for parts of my website (that way users can use the same
> password to log in and to access the site), I know that no matter what,
> everything is encrypted.  Also, IIRC, SASL can only encrypt the
> authentication part.  So everything after that, including queries, are
> in the clear.
>
> Regards,
>
> -Roberto



So forget SASL and just send everything through an SSL tunnel? 
So you'd do something like this on the client... "ssh -L 
:LDAPServer:$LDAPServerPORT -N [EMAIL PROTECTED]", and then 
set up the LDAP client to send everything to the client's own 
 port?  And do something similar on the server.  Is that right?


The thought had occurred to me, but SASL sounded like it was 
what I was *supposed* to do.  If someone experienced out there 
is doing this though, then I'm fine with that.  Sounds like it 
might be a better solution anyway.


Thanks for helping me out,
- GM








Re: ldap + pam howto?

2007-02-06 Thread Roberto C. Sanchez
On Tue, Feb 06, 2007 at 09:22:40AM -0500, Grok Mogger wrote:
> 
> The LDAP client usually just sends all data (passwords 
> included!) in the clear to the LDAP server.  This is bad.  SASL 
> encrypts all the communication between the client and server.
> 
Right, but your passwords should be hashed anyways.

> Okay, now if I've at least got that much right
> 
> 1) How do I make the client and server use SASL?  I was forever 
> at a loss on this.  Never could find a How-To for it or 
> anything.  (Every How-To I found on LDAP started off with 
> something to the effect of "SASL is beyond the scope of this 
> document"  =P  )
> 
Because even though SASL is the "simple" authentication and security
layer, it is far from simple.

> 2) Once I've enabled SASL (enabled?  Is that even the right 
> term?) how can I see if it's working?
> 
Personally, I just force everything (client and server) into using SSL.
Then, when I want to do stuff like use the LDAP backend to also do
authentication for parts of my website (that way users can use the same
password to log in and to access the site), I know that no matter what,
everything is encrypted.  Also, IIRC, SASL can only encrypt the
authentication part.  So everything after that, including queries, are
in the clear.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com



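Grok's second question, how to see whether the encryption is actually in effect, is mostly a client-side question once the server only offers TLS listeners. The script below is an added example, not code from the thread: it lints the two client files a Debian box of that era reads, /etc/ldap.conf for pam_ldap and libnss-ldap and /etc/ldap/ldap.conf for libldap (the key names are the real ones; the hostname, base DN, CA path and file contents are constructed), and it defines two live checks that need a reachable server and are therefore not run here.

```shell
#!/bin/sh
# Added example, not part of the thread. Checks that an LDAP *client* is
# configured to use TLS and to verify the server certificate, and defines
# two live checks against a running server.

# Constructed sample of /etc/ldap/ldap.conf (read by libldap, i.e. by
# ldapsearch and anything linking the library). Key names are the real
# ones; hostname, base DN and CA path are illustrative.
LIBLDAP_CONF='BASE dc=example,dc=org
URI ldaps://ldap.example.org/
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand'

# Constructed sample of /etc/ldap.conf (read by pam_ldap and libnss-ldap).
PAM_LDAP_CONF='host ldap.example.org
base dc=example,dc=org
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem'

# The same file with the TLS lines missing: binds go to port 389 in the
# clear, so every PAM login sends the user's password across the wire.
PAM_LDAP_WEAK='host ldap.example.org
base dc=example,dc=org'

# conf_get CONTENTS KEY: print the value of KEY (case-insensitive, first
# match), skipping comment lines.
conf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_pam_ldap CONTENTS: 0 if pam_ldap/nss_ldap will use TLS and verify
# the peer, 1 otherwise. Findings go to stdout.
audit_pam_ldap() {
    rc=0
    case "$(conf_get "$1" ssl)" in
        on)        echo "ok: ssl on (ldaps, port 636)" ;;
        start_tls) echo "ok: ssl start_tls (TLS upgrade on port 389)" ;;
        *)         echo "WARN: no 'ssl on' or 'ssl start_tls'; binds are cleartext"; rc=1 ;;
    esac
    [ "$(conf_get "$1" tls_checkpeer)" = yes ] \
        || { echo "WARN: tls_checkpeer is not 'yes'; server cert is not verified"; rc=1; }
    [ -n "$(conf_get "$1" tls_cacertfile)" ] \
        || { echo "WARN: tls_cacertfile not set; nothing to verify the cert against"; rc=1; }
    return $rc
}

# audit_libldap CONTENTS: the same idea for libldap's ldap.conf.
audit_libldap() {
    rc=0
    uri=$(conf_get "$1" URI)
    case "$uri" in
        ldaps://*) echo "ok: default URI uses ldaps ($uri)" ;;
        ldap://*)  echo "note: URI is plain ldap ($uri); callers must request StartTLS (ldapsearch -ZZ)" ;;
        *)         echo "WARN: no URI set"; rc=1 ;;
    esac
    [ -n "$(conf_get "$1" TLS_CACERT)" ] \
        || { echo "WARN: TLS_CACERT not set"; rc=1; }
    # libldap's default for TLS_REQCERT is demand; anything weaker is a finding.
    reqcert=$(conf_get "$1" TLS_REQCERT)
    case "${reqcert:-demand}" in
        demand|hard) echo "ok: TLS_REQCERT ${reqcert:-demand}" ;;
        *)           echo "WARN: TLS_REQCERT $reqcert accepts unverified certificates"; rc=1 ;;
    esac
    return $rc
}

# Live checks: they need a reachable server, so they are defined, not called.
# -ZZ makes ldapsearch fail unless the StartTLS upgrade succeeds.
check_starttls() {
    ldapsearch -x -H "ldap://$1/" -ZZ -b '' -s base '(objectClass=*)' >/dev/null
}
# For ldaps, verify the chain offered on port 636 against the CA file.
check_ldaps() {
    openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

echo '== /etc/ldap.conf (pam_ldap/nss_ldap), hardened =='; audit_pam_ldap "$PAM_LDAP_CONF"
echo '== /etc/ldap.conf, TLS lines missing =='; audit_pam_ldap "$PAM_LDAP_WEAK" || true
echo '== /etc/ldap/ldap.conf (libldap) =='; audit_libldap "$LIBLDAP_CONF"
```

Two points worth keeping in mind when reading the thread. First, hashed storage of the password in the directory does not help on the wire: a simple bind carries the password itself, which is why the transport has to be protected. Second, `tls_checkpeer yes` (and `TLS_REQCERT demand`) is what turns "encrypted" into "encrypted to the server I meant"; without certificate verification any host that can intercept port 636 or the StartTLS upgrade can present its own certificate and collect the binds. If you want to see the difference for yourself, a packet capture of port 389 during a login (for example with tcpdump) shows the bind DN and password in the clear when the TLS lines are absent and only a TLS handshake when they are present.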

Re: ldap + pam howto?

2007-02-06 Thread Grok Mogger

Roberto C. Sanchez wrote:
> On Tue, Jan 30, 2007 at 05:04:48PM +, Rakotomandimby Mihamina wrote:
>> Hi,
>> I am using Testing, and I want to set up the Debian way an LDAP + pam
>> authentication system for system users.
>> Would you know a recent howto talking about that?
>> I don't need a generic howto, I am interested in the Debian specific way.
>
> Do you need to configure just the client, just the server, or both?
>
> Regards,
>
> -Roberto



Hmmm... maybe if I reply with something helpful I can also 
piggy-back a question of my own?  }:)


I was messing around with exactly the same thing a while ago, 
and this was the best How-To I found.  It is for Sarge, but that 
didn't seem to matter.  As much as I sing the praises of this 
one, it wasn't perfect.  I seem to recall using several How-Tos 
because none of them seemed to have all the answers.


http://www.moduli.net/pages/sarge-ldap-auth-howto

Now here's my question:
I never could figure out the SASL stuff.  I didn't even get 
the concept.  I thought I did several times, then I'd read 
something else and it wouldn't make sense again.  So let's try 
this slowly  =)


The LDAP client usually just sends all data (passwords 
included!) in the clear to the LDAP server.  This is bad.  SASL 
encrypts all the communication between the client and server.


Okay, now if I've at least got that much right

1) How do I make the client and server use SASL?  I was forever 
at a loss on this.  Never could find a How-To for it or 
anything.  (Every How-To I found on LDAP started off with 
something to the effect of "SASL is beyond the scope of this 
document"  =P  )


2) Once I've enabled SASL (enabled?  Is that even the right 
term?) how can I see if it's working?


Thanks, and I hope I'm not developing an irritating habit of 
thread hijacking. =)

- GM


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.28/672 - Release Date: 2/6/2007 10:22 
AM






Re: ldap + pam howto?

2007-02-05 Thread Roberto C. Sanchez
On Tue, Jan 30, 2007 at 05:04:48PM +, Rakotomandimby Mihamina wrote:
> Hi,
> I am using Testing, and I want to set up the Debian way an LDAP + pam 
> authentication system for system users.
> Would you know a recent howto talking about that?
> I don't need a generic howto, I am interested in the Debian specific way.
> 

Do you need to configure just the client, just the server, or both?

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com




Re: ldap + pam howto?

2007-01-30 Thread John Schmidt
On Tuesday 30 January 2007 10:04, Rakotomandimby Mihamina wrote:
> Hi,
> I am using Testing, and I want to set up the Debian way an LDAP + pam
> authentication system for system users.
> Would you know a recent howto talking about that?
> I don't need a generic howto, I am interested in the Debian specific way.
>
> Thanks a lot!


See the following web page:

http://people.debian.org/~torsten/ldapnss.html

John





ldap + pam howto?

2007-01-30 Thread Rakotomandimby Mihamina
Hi,
I am using Testing, and I want to set up the Debian way an LDAP + pam 
authentication system for system users.
Would you know a recent howto talking about that?
I don't need a generic howto, I am interested in the Debian specific way.

Thanks a lot!

