LDAP over SSL with secldapclntd

zaxxon · #1 (**permalink**) 05-08-2009

Hi all,

I have set up the AIX LDAP client on AIX 5.3.9 and it's working fine, using the descriptions in the Redbook for implementing LDAP in a heterogenous environment.
I added SSL encryption to the LDAP client demon's config and created a key-db and imported a signed certificate from our CA.

When I use ldapsearch with SSL and watch the traffic with tcpdump, everything is encrypted as it is supposed to be.
When issuing lsldap, the traffic is encrypted too.

When I try to login with an LDAP-only account, I can get on the system without problem, but the traffic is not encrypted at all. I can see in the tcpdump output everything uncrypted.

I tried a lot of different settings, but without success. Here is my current ldap.cfg:

Code:

serverschematype:rfc2307
ldapservers:10.10.10.10
binddn:cn=admin,o=services
bindpwd:{DESv2}somethingcryptedhere
authtype:ldap_auth
searchmode:OS
useSSL:yes
ldapsslport:636
ldapsslkeyf:/etc/security/ldap/key.kdb
ldapsslkeypwd:{DESv2}somethingcryptedhere
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:ou=users,o=company,c=de
groupbasedn:ou=users,o=company,c=de
defaultentrylocation:LDAP

I can't see what I am missing or having setup wrong. I checked many sites about the topic but they all don't give more information than the Redbook already. Thanks a lot for any hint.

funksen · #2 (**permalink**) 05-08-2009

hm?

the ldap-encryption just encrypts the communication to the ldap-server, like authentication, user/group information, ldapsearch too of course

once you are on the machine, ldaps job is done, you need to use ssh/sftp to encrypt the whole datatransfer

edit: oh I guess you mean the login information is not encrypted?

I use almost the same setup with tivoli directory server, I'll see if it's not encrypted too on my aix systems, would be very bad if thats the case

zaxxon · #3 (**permalink**) 05-08-2009

Quote:

the ldap-encryption just encrypts the communication to the ldap-server, like authentication, user/group information, ldapsearch

That's just what it seems not to do when I do an ssh login with an LDAP based account. But I guess I found out what's going wrong, since there is a shell script being called doing an ldapsearch to sort out different loginshells based on ldapgroups etc.

Sorry for the noise, I found it.

funksen · #4 (**permalink**) 05-08-2009

ok so I don't have to analyse the tcpdump, hate that

you could close port 389 on your ldap-server, so there is no way to send unencrypted information

zaxxon · #5 (**permalink**) 07-02-2009

Hi,
I just got another question on LDAP over SSL:
On Linux you can configure in ldap.cfg with "TLS_REQCERT = allow" that any CA is accepted. Is there any option to do that on AIX? I checked all possible options /etc/security/ldap/ldap.cfg and didn't find one that might be similar to that mentioned above on Linux.

Goal is to bypass the CA certificates that expire in 2 years causing an update etc. on more than 100 servers. We want to have SSL encrypted communication for ldap (secldapclntd) and ldapsearch etc. while accepting every kind of certificate/CA.

More UNIX and Linux Forum Topics You Might Find Helpful
Thread	Thread Starter	Forum	Replies	Last Post
LDAP - is there an API	phykell	High Level Programming	3	09-06-2008 05:03 AM
LDAP help	Katkota	UNIX for Dummies Questions & Answers	0	12-06-2007 11:30 PM
Ldap	dipanrc	Linux	2	12-28-2005 08:09 PM
ksh -> LDAP	Juan	UNIX for Advanced & Expert Users	2	04-05-2005 04:18 AM
Ssl Ldap	truma1	UNIX for Advanced & Expert Users	0	11-23-2004 08:51 AM

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: