
List:       ldap
Subject:    [ldap] Re: ldap server query
From:       Michael Ströder <michael () stroeder ! com>
Date:       2006-01-23 8:52:12
Message-ID: 43D4993C.8050607 () stroeder ! com

Mike Jackson wrote:
> chris harward wrote:
> 
> > Is it possible, from a client application, to ask an LDAP server whether
> > it will accept an SSL or SASL connection without just trying each and see
> > what it accepts. If so, how would I do this?
> 
> http://www.netauth.com/~jacksonm/ldap/get_capabilities.pl
> 
> That tool will allow you to do an over-the-wire query of nearly all of a
> server's special capabilities. Start TLS is included,

Take note of this text from RFC 2830:

6.  Security Considerations
[..]
   The level of security provided though the use of TLS depends directly
   on both the quality of the TLS implementation used and the style of
   usage of that implementation. Additionally, an active-intermediary
   attacker can remove the Start TLS extended operation from the
   supportedExtension attribute of the root DSE. Therefore, both parties
   SHOULD independently ascertain and consent to the security level
   achieved once TLS is established and before beginning use of the TLS
   connection. For example, the security level of the TLS connection
   might have been negotiated down to plaintext.
[..]

> but not SSL or
> SASL, as a server does not advertise those capabilities explicitly.

Depending on the server implementation / configuration SASL is
advertised in attribute supportedSASLMechanisms in the server's rootDSE.

Security considerations above for StartTLS apply as well for usage of
SASL mechs.

=> Probe for security features if your local security policy relies on
them.

Ciao, Michael.

-- 
Michael Ströder
E-Mail: michael@stroeder.com
http://www.stroeder.com

---
You are currently subscribed to ldap@umich.edu as: [ldap@progressive-comp.com]
To unsubscribe send email to ldap-request@umich.edu with the word UNSUBSCRIBE as the SUBJECT of the message.
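The two checks the reply above argues for, as an added example that is not part of the thread and not Mike Jackson's get_capabilities.pl: first, read the rootDSE attributes supportedExtension and supportedSASLMechanisms and compare them against a local policy, refusing to continue in plaintext when StartTLS is not advertised (the downgrade RFC 2830 section 6 describes); second, once TLS is up, ascertain the negotiated security level instead of trusting the advertisement. The rootDSE dictionaries, the LOCAL_POLICY, and the functions evaluate_rootdse and tls_session_acceptable are all constructed for this example; a real client would obtain the attributes with a base-scope search of the empty DN.

```python
# Added example: checking an LDAP server's advertised security features against
# a local policy, then re-checking the TLS session once it is established.
# The rootDSE dictionaries below are constructed samples; a real client would
# obtain them with a base-scope search of the empty DN ("") requesting the
# attributes supportedExtension and supportedSASLMechanisms.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # Start TLS extended operation (RFC 2830)

# Constructed rootDSE as an honest server would return it.
SAMPLE_ROOTDSE = {
    "supportedExtension": [STARTTLS_OID, "1.3.6.1.4.1.4203.1.11.1"],
    "supportedSASLMechanisms": ["PLAIN", "DIGEST-MD5", "GSSAPI", "EXTERNAL"],
}

# Constructed rootDSE as an active intermediary could present it: the StartTLS
# OID has been removed from supportedExtension, the case RFC 2830 warns about.
DOWNGRADED_ROOTDSE = {
    "supportedExtension": ["1.3.6.1.4.1.4203.1.11.1"],
    "supportedSASLMechanisms": ["PLAIN", "DIGEST-MD5", "GSSAPI", "EXTERNAL"],
}

# Hypothetical local policy: TLS is mandatory and only these SASL mechanisms
# may be used, in order of preference.  PLAIN is deliberately absent because it
# sends the password in the clear unless TLS protects the connection.
LOCAL_POLICY = {
    "require_starttls": True,
    "allowed_sasl": ("GSSAPI", "DIGEST-MD5"),
}


def evaluate_rootdse(rootdse, policy):
    """Decide whether the advertised features satisfy the local policy.

    Returns a dict with the decision and the reasons for refusing.  A missing
    StartTLS advertisement is treated as a refusal, never as permission to
    carry on over a plaintext connection.
    """
    extensions = set(rootdse.get("supportedExtension", []))
    offered = rootdse.get("supportedSASLMechanisms", [])
    reasons = []

    starttls = STARTTLS_OID in extensions
    if policy["require_starttls"] and not starttls:
        reasons.append("StartTLS not advertised in supportedExtension; "
                       "possible downgrade, refusing to proceed in plaintext")

    # Keep the policy's preference order, not the server's.
    usable_sasl = [m for m in policy["allowed_sasl"] if m in offered]
    if not usable_sasl:
        reasons.append("no SASL mechanism acceptable to local policy is offered")

    return {
        "starttls_advertised": starttls,
        "usable_sasl": usable_sasl,
        "ok": not reasons,
        "reasons": reasons,
    }


def tls_session_acceptable(cipher_info, min_bits=128,
                           allowed_versions=("TLSv1.2", "TLSv1.3")):
    """Ascertain the security level of an established TLS session.

    cipher_info has the shape returned by ssl.SSLSocket.cipher(): a tuple of
    (cipher name, protocol version, secret bits).  This is the second check
    RFC 2830 asks for: the advertisement promised TLS, but what was actually
    negotiated?
    """
    name, version, bits = cipher_info
    if "NULL" in name.upper():          # encryption negotiated away entirely
        return False
    if version not in allowed_versions:
        return False
    return bits >= min_bits


if __name__ == "__main__":
    for label, dse in (("honest", SAMPLE_ROOTDSE), ("downgraded", DOWNGRADED_ROOTDSE)):
        print(label, evaluate_rootdse(dse, LOCAL_POLICY))
    print("TLS 1.3 AES-256:", tls_session_acceptable(("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256)))
    print("NULL cipher:    ", tls_session_acceptable(("NULL-SHA256", "TLSv1.2", 0)))
```

The design point is that the probe result only ever tightens what the client does: an advertised feature lets it proceed, a missing one makes it stop, and the post-handshake check guards against the case where the advertisement was honest but the negotiation was not.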

