Kenneth Holter
2008-May-13 13:22 UTC
[Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution
Hi.

We're planning on deploying Red Hat Directory Server 8.0, and could need some advice on security.

The DS supports both TLS and SASL. TLS can be used for both authentication and encryption, and should therefore cover our security needs.

SASL is quite new to me, and as of now I don't see the benefit of using it. Which security or functionality features does SASL provide that TLS doesn't? I know that SASL enables integration with Kerberos, but we're most likely not going for a Kerberos based solution.

Furthermore, what are the default security features of RHDS 8.0? Is it using SASL by default (is it possible to deactivate it)?

Regards,
kenneho
David Boreham
2008-May-13 13:31 UTC
Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution
Kenneth Holter wrote:
> The DS supports both TLS and SASL. TLS can be used for both
> authentication and encryption, and should therefore cover our security
> needs.
>
> SASL is quite new to me, and as of now I don't see the benefit of
> using it. Which security or functionality features does SASL provide
> that TLS doesn't? I know that SASL enables integration with Kerberos,
> but we're most likely not going for a Kerberos based solution.

SASL is primarily needed to support Kerberos clients.
Use TLS unless you already know that you want SASL for some reason.
Kenneth Holter
2008-May-13 14:27 UTC
Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution
Thank you for the quick reply.

We're going for the TLS based solution. However, I'd like a better understanding of SASL, so let me post these questions:

- What can SASL be used for besides Kerberos integration?
- The RHDS documentation says that TLS can be used as an authentication mechanism, but doesn't provide much details.
- How can I check if SASL is enabled on my LDAP server (RHDS)?

On 5/13/08, David Boreham <david_list@boreham.org> wrote:
> SASL is primarily needed to support Kerberos clients.
> Use TLS unless you already know that you want SASL for some reason.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Rich Megginson
2008-May-13 14:34 UTC
Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution
Kenneth Holter wrote:
> Thank you for the quick reply.
>
> We're going for the TLS based solution. However, I'd like a better
> understanding of SASL, so let me post these questions:
>
> * What can SASL be used for besides Kerberos integration?

The SASL mechanism Digest-MD5 is an LDAP standard authentication mechanism.

> * The RHDS documentation says that TLS can be used as an
> authentication mechanism, but doesn't provide much details.

You can use an X.509 user certificate (cert) to authenticate to the server.
http://directory.fedoraproject.org/wiki/Howto:CertMapping

> * How can I check if SASL is enabled on my LDAP server (RHDS)?

It is enabled by default.

ldapsearch -x -s base -b "" "objectclass=*" supportedsaslmechanisms
David Boreham
2008-May-13 15:01 UTC
Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution
Kenneth Holter wrote:
> We're going for the TLS based solution. However, I'd like a better
> understanding of SASL, so let me post these questions:
>
> * What can SASL be used for besides Kerberos integration?

SASL is a pluggable authentication framework, so it is a bit abstract when you read about it. In theory you can use SASL to support any authentication mechanism you can think of (smart cards, fingerprint scanners, etc etc). In practice, in the context of LDAP it is typically used for Kerberos or, as Rich pointed out, one of the challenge-response authentication mechanisms that prevent plaintext password exposure, such as Digest-MD5. To be honest I'm not sure how much of either of these is widely deployed. I only ever see SSL/TLS in the wild, outside of hard core Kerberos shops.

SASL was originally developed to allow pluggable authentication to be added to protocols that had either no authentication at all, or very weak support for authentication (IMAP and SMTP for example). In the context of LDAP its value is less clear because LDAP already had well developed support for SSL and cert-based auth, that for the most part removes the need for SASL. In addition, since the LDAP server is generally itself the authoritative authentication service, the pluggable SASL server mechanisms really don't make sense most of the time (because the LDAP server doesn't want or need to ask any other entity to take its authentication decisions for it).

> * The RHDS documentation says that TLS can be used as an
> authentication mechanism, but doesn't provide much details.

There are two different ways to use TLS to facilitate authentication:

1) Use plain text passwords but with TLS protecting the traffic from eavesdropping, and providing a way for clients to trust servers. This is what is used 99% of the time.

2) Cert-based authentication (similar to SSH keys if you've used that) where the DS authenticates the client based on crypto, derived from the client being in possession of a suitable certificate. This is used mostly in high security environments (with hardware tokens for example).

> * How can I check if SASL is enabled on my LDAP server (RHDS)?

There's a way to get the list of supported SASL mechanisms from the rootDSE. Another way is to attempt a SASL BIND operation with a client and see if it succeeds. I can dig out the details on these later if you can't track them down with Google, if I have some spare time...

From memory, the server always has the EXTERNAL (SSL) and digest mechanisms enabled. Kerberos will be enabled if the machine is suitably configured (has Kerberos installed, configured correctly, rubber chicken held above the console while chanting prayers to the security gods, etc).
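Rich's ldapsearch reads the root DSE for supportedSASLMechanisms, and David's two TLS options (password over TLS, or a client certificate, which the server exposes as the SASL EXTERNAL mechanism) only make sense once you know what the server actually advertises. The script below is an added example, not code from either post or from the Directory Server project. It fetches the root DSE with OpenLDAP-style ldapsearch flags (the `-x` in Rich's command suggests those tools), then parses the LDIF to list mechanisms, check for the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) and reject a bind plan that would send a password over plain LDAP. The root DSE sample embedded in it is constructed so the checks run offline; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a root DSE dump for SASL
# mechanisms and StartTLS support, then decide whether a planned bind is safe.

# Query the root DSE, as Rich's command does, with the two attributes we need.
# Assumes OpenLDAP-style ldapsearch; -LLL strips LDIF comments/version lines.
fetch_rootdse() {  # $1 = LDAP URL, e.g. ldap://ds.example.com (placeholder)
    ldapsearch -x -LLL -H "$1" -s base -b "" "(objectclass=*)" \
        supportedSASLMechanisms supportedExtension
}

# Constructed sample of what fetch_rootdse returns, so the rest runs offline.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedExtension: 1.3.6.1.4.1.1466.20037
'

# Print advertised SASL mechanisms, one per line (attribute names are
# case-insensitive in LDAP, so compare lower-cased). Reads LDIF on stdin.
sasl_mechs() {
    awk 'tolower($1) == "supportedsaslmechanisms:" { print $2 }'
}

# Exit 0 if the StartTLS extended operation OID is advertised. Reads stdin.
has_starttls() {
    grep -qi '^supportedExtension: 1\.3\.6\.1\.4\.1\.1466\.20037$'
}

# Exit 0 if the named SASL mechanism is advertised. $1 = mechanism, LDIF on stdin.
has_mech() {
    sasl_mechs | grep -qx "$1"
}

# Decide whether a planned bind is acceptable given the root DSE.
#   $1 = bind method:  simple | external | digest-md5 | gssapi
#   $2 = transport:    ldaps | starttls | plain
#   $3 = root DSE LDIF as a string
# Prints a one-line verdict; returns 0 (ok) or 1 (reject).
check_bind_plan() {
    method="$1"; transport="$2"; ldif="$3"
    case "$transport" in
        starttls)
            if ! printf '%s' "$ldif" | has_starttls; then
                echo "reject: server does not advertise StartTLS"; return 1
            fi ;;
        ldaps) ;;
        plain)
            case "$method" in
                simple)   echo "reject: simple bind over plain LDAP sends the password in clear"; return 1 ;;
                external) echo "reject: EXTERNAL needs a TLS session carrying the client certificate"; return 1 ;;
            esac ;;
        *) echo "reject: unknown transport $transport"; return 1 ;;
    esac
    case "$method" in
        simple) echo "ok: simple bind, password protected by $transport" ;;
        external)
            printf '%s' "$ldif" | has_mech EXTERNAL || { echo "reject: EXTERNAL not advertised"; return 1; }
            echo "ok: client-certificate (SASL EXTERNAL) bind over $transport" ;;
        digest-md5)
            printf '%s' "$ldif" | has_mech DIGEST-MD5 || { echo "reject: DIGEST-MD5 not advertised"; return 1; }
            echo "ok: DIGEST-MD5 bind (password not sent in clear; $transport still recommended)" ;;
        gssapi)
            printf '%s' "$ldif" | has_mech GSSAPI || { echo "reject: GSSAPI (Kerberos) not advertised"; return 1; }
            echo "ok: Kerberos (SASL GSSAPI) bind over $transport" ;;
        *) echo "reject: unknown method $method"; return 1 ;;
    esac
}

# Offline demonstration against the constructed sample.
printf '%s' "$SAMPLE_ROOTDSE" | sasl_mechs
check_bind_plan simple starttls "$SAMPLE_ROOTDSE"
check_bind_plan simple plain "$SAMPLE_ROOTDSE"
check_bind_plan gssapi ldaps "$SAMPLE_ROOTDSE"
```

Against a live server, replace the sample with `fetch_rootdse ldap://your-host` output. A server that lists EXTERNAL and DIGEST-MD5 but no GSSAPI matches David's description of the default state; the absence of the StartTLS OID means only ldaps:// can protect a simple bind.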
Lin Young
[Fedora-directory-users] Fedora-DS Nightly Backup
Hi. We are new to the Fedora-DS. I wonder how people setup their nightly backup jobs on Fedora-DS.
Is there any backup script available?
Or is that something that we could setup in the admin console?

Thanks in advance.
Rich Megginson
2008-May-13 15:29 UTC
Re: [Fedora-directory-users] Fedora-DS Nightly Backup
Lin Young wrote:
> Hi. We are new to the Fedora-DS. I wonder how people setup their
> nightly backup jobs on Fedora-DS.
> Is there any backup script available?
> Or is that something that we could setup in the admin console?

You probably want to use the command line utilities - db2bak, db2ldif - use db2bak for short term, db2ldif for long term.

> Thanks in advance.
Ivan Ferreira
Re: [Fedora-directory-users] Fedora-DS Nightly Backup
You can use something as simple as:

LOGFILE=/var/log/DSBackup.log
/opt/fedora-ds/slapd-infra1/db2ldif -n netscaperoot > $LOGFILE 2>&1
/opt/fedora-ds/slapd-infra1/db2ldif -n userRoot >> $LOGFILE 2>&1
/opt/fedora-ds/slapd-infra1/db2bak >> $LOGFILE 2>&1

Rich Megginson wrote on 13/05/2008 11:29 a.m.:
> Lin Young wrote:
>> Hi. We are new to the Fedora-DS. I wonder how people setup their
>> nightly backup jobs on Fedora-DS.
>> Is there any backup script available?
>> Or is that something that we could setup in the admin console?
> You probably want to use the command line utilities - db2bak, db2ldif -
> use db2bak for short term, db2ldif for long term
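Ivan's three lines work, but they write every export to the same log, ignore failures, and leave the LDIF dumps (which contain the userPassword hashes of every account) with whatever umask cron happens to have. The wrapper below is an added example, not Ivan's script or a Directory Server tool. It keeps his instance path and backend names as defaults, uses the documented `db2ldif -n <backend> -a <file>` and `db2bak [archivedir]` forms, writes each run into its own dated directory, restricts permissions on the results, logs each step with a timestamp and prunes old runs. The backup root, retention and log path are assumptions to adjust for your own instance.

```shell
#!/bin/sh
# Added example (not Ivan's script): nightly Fedora DS / RHDS backup wrapper
# around db2ldif (long-term LDIF export) and db2bak (short-term db backup).

DS_HOME="${DS_HOME:-/opt/fedora-ds/slapd-infra1}"     # instance dir from Ivan's script
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/fedora-ds}"  # assumed destination
LOGFILE="${LOGFILE:-/var/log/DSBackup.log}"
KEEP_DAYS="${KEEP_DAYS:-14}"                          # assumed retention for dated runs
BACKENDS="${BACKENDS:-userRoot netscaperoot}"         # the backends Ivan exports

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE"; }

# Dated directory for one run: <root>/<timestamp>
backup_dir_name() {  # $1 = root, $2 = timestamp
    printf '%s/%s\n' "$1" "$2"
}

# Export one backend to LDIF. The file is written by the server process, so the
# target directory must be writable by the user the DS runs as. LDIF dumps
# carry password hashes, hence chmod 600.
export_backend() {  # $1 = backend name, $2 = target dir
    be="$1"; out="$2/$be.ldif"
    if [ ! -x "$DS_HOME/db2ldif" ]; then
        log "ERROR: $DS_HOME/db2ldif not found or not executable"; return 1
    fi
    if ! "$DS_HOME/db2ldif" -n "$be" -a "$out" >> "$LOGFILE" 2>&1; then
        log "ERROR: db2ldif failed for backend $be"; return 1
    fi
    chmod 600 "$out" && log "exported $be to $out"
}

# Binary database backup (restorable with bak2db, same server version only).
backup_db() {  # $1 = target dir
    if [ ! -x "$DS_HOME/db2bak" ]; then
        log "ERROR: $DS_HOME/db2bak not found or not executable"; return 1
    fi
    if ! "$DS_HOME/db2bak" "$1/db" >> "$LOGFILE" 2>&1; then
        log "ERROR: db2bak failed"; return 1
    fi
    log "database backup written to $1/db"
}

# Delete dated run directories older than KEEP_DAYS.
prune_old() {  # $1 = root
    find "$1" -mindepth 1 -maxdepth 1 -type d -mtime +"$KEEP_DAYS" -exec rm -rf {} +
}

# One full run; returns non-zero if any step failed so cron mail shows it.
run_nightly() {
    dest="$(backup_dir_name "$BACKUP_ROOT" "$(date +%Y%m%d-%H%M%S)")"
    if ! mkdir -p "$dest" || ! chmod 700 "$dest"; then
        log "ERROR: cannot create $dest"; return 1
    fi
    status=0
    for be in $BACKENDS; do
        export_backend "$be" "$dest" || status=1
    done
    backup_db "$dest" || status=1
    prune_old "$BACKUP_ROOT"
    log "run finished with status $status"
    return $status
}

# Only run when invoked as "backup.sh run" (e.g. from cron), so the functions
# can also be sourced and checked without touching the server.
if [ "${1:-}" = "run" ]; then
    run_nightly
fi
```

A crontab line such as `0 2 * * * /usr/local/sbin/ds-backup.sh run` (path assumed) runs it nightly; because `run_nightly` propagates failures, a missing tool or a failed export shows up as a non-zero exit and in the log instead of silently producing an empty backup.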
Lin Young
Re: [Fedora-directory-users] Fedora-DS Nightly Backup
Thank you Rich and Ivan for your replies. I am running my nightly backup using the db2ldif command and it is working!!! Thanks again!

Ivan Ferreira wrote:
> You can use something as simple as:
>
> LOGFILE=/var/log/DSBackup.log
> /opt/fedora-ds/slapd-infra1/db2ldif -n netscaperoot > $LOGFILE 2>&1
> /opt/fedora-ds/slapd-infra1/db2ldif -n userRoot >> $LOGFILE 2>&1
> /opt/fedora-ds/slapd-infra1/db2bak >> $LOGFILE 2>&1