On Mon, 2009-12-14 at 15:01 +0100, Kenneth Holter wrote:
Hi all.
We'd like to make sure that the LDAP data on our network is encrypted,
at least the data that contains sensitive information. We've set up
TLS between on these communication links:
* LDAP client <-> LDAP server (using StartTLS)
* LDAP master <-> LDAP slave
* Web browser <-> Admin server web console (i.e. https)
We have a pretty default installation of the directory server (which
btw is Red Hat Directory Server v8.1.0). To my best knowledge, these
links above should cover all relevant trafikk on the network, since
the directory server, admins server and the console are all located on
the same physical server. Does anyone agree or disagree?
Btw, if anyone knows of any nice diagrams that shows the different
data links (i.e information flow) between the directory server
components (such as admins server, console, main console, directory
server, and so forth) please do post a link to this.
<snip>
That's what we've done although we also use LDAPS in some cases. We
have not yet played with disabling unencrypted traffic. If someone does
not request StartTLS or LDAPS, we do respond with unencrypted traffic.
We've also ensured that backups of the database are both sent and stored
encrypted - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society