LDAP over SSL with secldapclntd

zaxxon · May 8, 2009, 7:31am

Hi all,

I have set up the AIX LDAP client on AIX 5.3.9 and it's working fine, using the descriptions in the Redbook for implementing LDAP in a heterogenous environment.
I added SSL encryption to the LDAP client demon's config and created a key-db and imported a signed certificate from our CA.

When I use ldapsearch with SSL and watch the traffic with tcpdump, everything is encrypted as it is supposed to be.
When issuing lsldap, the traffic is encrypted too.

When I try to login with an LDAP-only account, I can get on the system without problem, but the traffic is not encrypted at all. I can see in the tcpdump output everything uncrypted.

I tried a lot of different settings, but without success. Here is my current ldap.cfg:

serverschematype:rfc2307
ldapservers:10.10.10.10
binddn:cn=admin,o=services
bindpwd:{DESv2}somethingcryptedhere
authtype:ldap_auth
searchmode:OS
useSSL:yes
ldapsslport:636
ldapsslkeyf:/etc/security/ldap/key.kdb
ldapsslkeypwd:{DESv2}somethingcryptedhere
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:ou=users,o=company,c=de
groupbasedn:ou=users,o=company,c=de
defaultentrylocation:LDAP

I can't see what I am missing or having setup wrong. I checked many sites about the topic but they all don't give more information than the Redbook already. Thanks a lot for any hint.

funksen · May 8, 2009, 7:41am

hm?

the ldap-encryption just encrypts the communication to the ldap-server, like authentication, user/group information, ldapsearch too of course

once you are on the machine, ldaps job is done, you need to use ssh/sftp to encrypt the whole datatransfer

edit: oh I guess you mean the login information is not encrypted?

I use almost the same setup with tivoli directory server, I'll see if it's not encrypted too on my aix systems, would be very bad if thats the case

zaxxon · May 8, 2009, 7:47am

That's just what it seems not to do when I do an ssh login with an LDAP based account. But I guess I found out what's going wrong, since there is a shell script being called doing an ldapsearch to sort out different loginshells based on ldapgroups etc.

Sorry for the noise, I found it.

funksen · May 8, 2009, 7:52am

ok so I don't have to analyse the tcpdump, hate that

you could close port 389 on your ldap-server, so there is no way to send unencrypted information

zaxxon · July 2, 2009, 9:45am

Hi,
I just got another question on LDAP over SSL:
On Linux you can configure in ldap.cfg with "TLS_REQCERT = allow" that any CA is accepted. Is there any option to do that on AIX? I checked all possible options /etc/security/ldap/ldap.cfg and didn't find one that might be similar to that mentioned above on Linux.

Goal is to bypass the CA certificates that expire in 2 years causing an update etc. on more than 100 servers. We want to have SSL encrypted communication for ldap (secldapclntd) and ldapsearch etc. while accepting every kind of certificate/CA.