[CentOS] LDAP encryption, not sure.

Wed Feb 15 23:34:56 UTC 2012
Craig White <craig.white at ttiltd.com>

On Feb 14, 2012, at 5:46 PM, Fajar Priyanto wrote:

> Hi all,
> I'm setting up a local LDAP server with a pass-through authentication
> to another LDAP.
> I'm not clear about the encryption.
> 
> Say the case is like this. CompB is set to have LDAP authentication.
> A ---> SSH ---> CompB ---> Local LDAP:389 ---> SASLAUTHD --> Global LDAP: 636
> 
> 1. Password on the SSH session would be encrypted, isn't it?
----
ldaps (port 636) would indeed be encrypted but it is deprecated and not typically started by default configurations these days.
----
> 2. How about when it goes to the local LDAP:389, would it be encrypted?
----
depends upon whether TLS is indicated and/or required.

If you require it via an ACL on the LDAP server, then it succeeds only if the connection is made via TLS.

If you require it at the client (TLS_ReqCert demand or hard), then it succeeds only if the connection is made via TLS.

Craig