
StartTLS connections #4

slunski opened this issue May 6, 2019 · 6 comments

@slunski

slunski commented May 6, 2019

StartTLS support on new connections is important, especially via the Internet.

And that requires bindings to something like OpenSSL.

@Altai-man Altai-man self-assigned this May 6, 2019
@Altai-man
Owner

/me hopes using glauth server as a target for integration tests is ok enough.

@Altai-man
Owner

Altai-man commented May 9, 2019

Nope, it seems that go-ldap does not support the StartTLS operation.
I am finding configuring OpenLDAP relatively complicated on my somewhat rarely used distro, Void Linux it is...

@slunski do you know any lightweight servers I can use to test against? Or maybe some public server with StartTLS support I can use.

Implementing LDAP over SSL as ldaps seems not so hard either; I probably have to implement it too, but it is deprecated and I would like to sort out things with StartTLS first.

@Altai-man
Owner

@slunski and I see ldaps being advised compared to StartTLS... What do you think about implementing it instead (at least for the time being), will it make things better?

@slunski
Author

slunski commented May 10, 2019

If I remember correctly 'ldaps' is not so good, StartTLS via 389 is preferred. Anyway, these days 'SSL' means TLS1.x...

Testing: I would just test on OpenLDAP. However Red Hat's port389.org aka Sun Directory Server aka Netscape Directory Server could be good too. It was very good; no data from the current decade...

Setting up a tunnel with OpenSSL tools should also be possible for testing because StartTLS is just an outer layer to the protocol.

Generally LDAP servers are usually backend servers so no encryption is really needed. On-premise infrastructure speaking... Cloud is just... cloud... Also, as a backend database running on the same host as the service using it, the 'ldapi://' protocol can be used - Unix/localhost sockets.

But OSI 'The Directory' - X.500 - was designed as a general information sharing service: home addresses, phone book, DNS replacement, configuration storage, any data that has a hierarchical structure. So from that point of view and in that Internet time-frame encryption would be a big improvement over e.g. DNS. Key motivation is speed - directory servers are specialised for a 1000:1 read to write ratio. If a directory implementation isn't faster than e.g. a relational database then there is no point in using it.

However, as you noticed, public directory servers are probably nonexistent... LDAP is rather used in enterprise infrastructures. So encryption depends on use-case.
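The "outer layer" remark above can be seen on the wire: StartTLS is one ExtendedRequest/ExtendedResponse pair carried in plain LDAP, and only after a success response does the TLS handshake start on the same socket. The following is an added example (not code from this issue or the project) that hand-encodes the StartTLS request and parses the response per RFC 4511; the BER helpers and the sample messages are constructed here, and a test server's reply would be parsed the same way.

```python
"""StartTLS on the wire (RFC 4511 4.14): one ExtendedRequest/ExtendedResponse pair in plain
LDAP, after which both sides run the TLS handshake on the same socket. BER is hand-rolled."""
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # requestName assigned by RFC 4511

def ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def uint_bytes(n):
    """Content octets for a non-negative INTEGER/ENUMERATED (extra byte keeps sign bit clear)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def starttls_request(msg_id):
    """Client: LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID.encode()))   # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, uint_bytes(msg_id)) + ext_req)

def starttls_response(msg_id, result_code, diagnostic=""):
    """Server: [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage, responseName [10] }."""
    result = tlv(0x0A, uint_bytes(result_code)) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, tlv(0x02, uint_bytes(msg_id)) + tlv(0x78, result + tlv(0x8A, STARTTLS_OID.encode())))

def read_tlv(buf, pos=0):
    """Return (tag, content octets, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_starttls_response(buf):
    """Client: return (messageID, resultCode, diagnosticMessage); raise on a malformed reply.
    Only a resultCode of 0 permits starting the TLS handshake; anything else stays cleartext."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single complete LDAPMessage")
    id_tag, mid, pos = read_tlv(body)
    op_tag, resp, _ = read_tlv(body, pos)
    if id_tag != 0x02 or op_tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(resp)                       # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(resp, pos)           # matchedDN, empty for StartTLS
    _, diag, _ = read_tlv(resp, pos)                    # optional responseName after it is ignored
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()
```

The request bytes produced here match what a packet capture of an OpenLDAP client shows for message ID 1, which makes the encoder a handy reference when checking a new client or a tunnel setup against a real server.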

@Altai-man
Owner

In the meanwhile, implemented LDAPS support, though not yet documented, really short on time these days.

@Altai-man
Owner

Documented LDAPS support a91fc54
