Can I create users with passwords in OpenLDAP on non-secure port 389 - SSL

I am working on an application where we need to create users with passwords within OpenLDAP. The problem is I don't have a relevant certificate which I can add to the truststore. I will get this certificate in some time, but I can't wait for that.
I know that in Active Directory, if I want to do such a thing, I must have a 128-bit SSL connection between client and server and I have to use the unicodePwd attribute, but I am guessing that for OpenLDAP I don't need any SSL connection and the password would be saved in the attribute userPassword, so I can add the user with password over port 389. Are my assumptions correct?
Can anybody please point me to how to set up OpenLDAP on a Windows environment as well, as this will just be used for my own tests. Thanks

I am guessing that for OpenLDAP I don't need any SSL connection and the password would be saved in the attribute userPassword, so I can add the user with password over port 389. Are my assumptions correct?
Yes, you can do it, but it isn't advisable, as you will be transmitting passwords in plaintext. You should really go the extra yard and set it up for SSL as well, on port 636, or with the STARTTLS option on port 389 if port conservation is an issue.
Can anybody please point me to how to set up OpenLDAP on a Windows environment as well, as this will just be used for my own tests.
It's all documented at http://openldap.org. Windows-specific instructions will depend partly on which Windows port of OpenLDAP you're using. I'm aware of at least three.
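The answer above is right that OpenLDAP accepts userPassword over plain port 389; what the LDIF carries is up to the client. The added example below (mine, not from the question or the answer; the base DN, the ou=People container and the user are assumptions) builds the user entry with the password pre-hashed in OpenLDAP's {SSHA} scheme, so the cleartext never appears in the LDIF, and shows how a directory checks such a value on bind. It does not make port 389 safe: an eavesdropper still gets a salted SHA-1 to crack offline, and the later simple bind sends the cleartext anyway, so the load command in the comments requires STARTTLS (-ZZ) or uses ldaps.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example: pre-hash the password in the OpenLDAP {SSHA} scheme so the LDIF
# never carries the cleartext value. Base DN, OU and the user are assumptions.
SALT_LEN = 4
DIGEST_LEN = 20  # SHA-1 digest length


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in OpenLDAP's {SSHA} form:
    '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value the way the
    directory does on a simple bind (constant-time digest comparison)."""
    try:
        digest, salt = ssha_parts(stored)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_ldif(base_dn: str, uid: str, cn: str, sn: str, password_value: str) -> str:
    """Build the LDIF for one inetOrgPerson entry carrying a pre-hashed userPassword."""
    return "\n".join([
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: inetOrgPerson",
        f"cn: {cn}",
        f"sn: {sn}",
        f"uid: {uid}",
        f"userPassword: {password_value}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not a real account.
    entry = user_ldif("dc=example,dc=com", "jdoe", "Jane Doe", "Doe",
                      ssha_hash("correct horse battery"))
    print(entry)
    # Load it with STARTTLS required (-ZZ) instead of over bare port 389, e.g.:
    #   ldapadd -ZZ -H ldap://ldap.example.com -D "cn=admin,dc=example,dc=com" -W -f user.ldif
    # or against the ldaps port:
    #   ldapadd -H ldaps://ldap.example.com:636 -D "cn=admin,dc=example,dc=com" -W -f user.ldif
```

Writing the hash yourself is the same thing `slappasswd -h '{SSHA}'` does on the server side; the point of doing it in the client is that the value in transit and at rest is never the cleartext, which is the least you can do while the proper certificate is still on its way.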

Related

LDAP certificates expired on a WebSphere application server initially configured with LDAP

We are running WebSphere Application Server v8.5 on AIX 7, which we configured to use LDAP security. Everything was working fine, but the project went on hold for some time and our WAS was down. Now we see that the LDAP certificates have expired, hence we are unable to connect to dmgr & the admin console. Can somebody help to resolve it?
We know how to configure LDAP on WAS, but don't know how to replace the expired LDAP certificate with the new certificates. (We received new non-expiring certificates from the LDAP team but don't know how to configure them on WAS.)
You need to disable security, restart dmgr, replace certificates and reenable security.
To disable security:
stop/kill the dmgr
run the following from the dmgr\bin folder:
wsadmin -conntype NONE
At the wsadmin prompt, type securityoff and then type exit.
Restart your dmgr.
UPDATE
Do you have Federated or Standalone LDAP configured? In the LDAP configuration you should have a link to the SSL configuration. There you will need to add your new certificate to the Signers store (this is a very simplified description, as I'm not sure which repository you are using).

Is it safe to open a Google SQL instance to any IP but with SSL connections only?

I have an application that uses a Google MySQL database from anywhere, so I opened my instance to any IP address by whitelisting the subnet in this way: 0.0.0.0/0
But I also made it available for SSL connections only, with certificates, and now I am connecting that way.
Is that secure enough? And will it be possible for hackers to hack my database?
Thank you
If you are using 'Only allow SSL connections.' then you should be reasonably safe. I would also recommend using MySQL passwords.
Note that the SSL verification is done by mysqld, so the instance needs to spin up to check each connection that passes the IP ACL. If you whitelist 0.0.0.0/0 then anyone can spin up your instance. This is not an issue for the monthly plan, but it will probably be if you plan to take advantage of the on-demand mode.
If you're opening up the IP ACL to the entire internet, I'd definitely suggest requiring SSL for the incoming connections. You can do that via Developers Console: Go to the database instance details page, click "ACCESS CONTROL", and check the "Only allow SSL connections" check box.
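The two answers above describe a configuration that is easy to audit for: an authorized network of 0.0.0.0/0 is a high-risk finding when SSL is not required, and still worth flagging when it is, because every stray connection reaches mysqld. The following added example (my code, not Google's and not from either answer) scores a list of instance settings on exactly those two points. The dictionaries are constructed samples shaped like the Cloud SQL Admin API instance resource (settings.ipConfiguration.authorizedNetworks and requireSsl); the instance names and the /16 "broad range" threshold are my assumptions.

```python
import ipaddress
from typing import Any, Dict, List, Tuple

# Added example: audit Cloud SQL instance settings for the 0.0.0.0/0 + SSL
# combination discussed in the thread. Constructed samples shaped like the
# Cloud SQL Admin API instance resource; instance names are invented.
SAMPLE_INSTANCES: List[Dict[str, Any]] = [
    {"name": "app-db",
     "settings": {"ipConfiguration": {
         "requireSsl": False,
         "authorizedNetworks": [{"name": "everyone", "value": "0.0.0.0/0"}]}}},
    {"name": "reports-db",
     "settings": {"ipConfiguration": {
         "requireSsl": True,
         "authorizedNetworks": [{"name": "everyone", "value": "0.0.0.0/0"}]}}},
    {"name": "internal-db",
     "settings": {"ipConfiguration": {
         "requireSsl": False,
         "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"}]}}},
]

BROAD_THRESHOLD = 65536  # anything wider than a /16 counts as broad (policy knob, assumed)
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def network_exposure(cidr: str) -> str:
    """Classify an authorized network as 'internet', 'broad' or 'narrow'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "internet"
    if net.num_addresses > BROAD_THRESHOLD:
        return "broad"
    return "narrow"


def audit_instance(inst: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one instance."""
    findings: List[Tuple[str, str]] = []
    name = inst.get("name", "?")
    ipcfg = inst.get("settings", {}).get("ipConfiguration", {})
    require_ssl = bool(ipcfg.get("requireSsl", False))
    for acl in ipcfg.get("authorizedNetworks", []):
        cidr = acl.get("value", "")
        exposure = network_exposure(cidr)
        if exposure == "internet" and not require_ssl:
            findings.append(("HIGH", f"{name}: {cidr} admits any IP and requireSsl is off; "
                                     "password authentication is exposed to the whole "
                                     "internet in cleartext"))
        elif exposure == "internet":
            findings.append(("MEDIUM", f"{name}: {cidr} admits any IP; client certificates are "
                                       "required, but mysqld still has to spin up to reject "
                                       "each stray connection (cost / availability exposure)"))
        elif exposure == "broad":
            findings.append(("LOW", f"{name}: {cidr} is a broad range; narrow it to the "
                                    "clients' real addresses"))
    return findings


def audit_all(instances: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Findings for every instance, most severe first."""
    findings = [f for inst in instances for f in audit_instance(inst)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, message in audit_all(SAMPLE_INSTANCES):
        print(f"[{severity}] {message}")
```

Feeding it real data means exporting instance settings from the Admin API or the console and keeping the same field names; the check itself is deliberately small so it can sit in a scheduled job that complains when someone re-opens an instance to the world.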

LDAP SSL access

I have an application which can access an LDAP server over a non-SSL connection. Now the LDAP server has been configured to support only SSL.
So, what are the new components or changes to the existing components that I have to make?
If your application really doesn't support SSL (by the way, it would have made things easier if you'd told us what program you're trying to use), you can try an SSL wrapper such as stunnel, which can be configured to connect to the SSL-protected LDAP service whenever your program connects to the "entrance" of the tunnel. This way your program doesn't have to support SSL, but your connection to the LDAP server is still secured by SSL (if the SSL wrapper runs on the same host as your program).
You should only have to change ldap: to ldaps: in the client.
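For the stunnel route in the first answer, this is the client-side configuration I would start from (an added example, not from the answer; it assumes stunnel 5.x, and the host name and CA file path are placeholders). The two points worth getting right are that the cleartext "entrance" listens on 127.0.0.1 only, so the unencrypted leg never leaves the host, and that the tunnel verifies the directory server's certificate, since by default stunnel encrypts without authenticating the peer.

```ini
; Added example stunnel 5.x client configuration (not part of the original answer);
; the directory host name and the CA file path are assumptions.
foreground = no
pid = /var/run/stunnel-ldap.pid

[ldap-wrapper]
client = yes
; the legacy application keeps talking plain LDAP, but only to localhost;
; point it at ldap://127.0.0.1:389
accept = 127.0.0.1:389
; stunnel opens the TLS session to the real directory server on the ldaps port
connect = ldap.example.com:636
; verify the server's certificate chain against the CA that issued it and
; check the certificate name against the host; without these the tunnel
; encrypts but does not authenticate the server
CAfile = /etc/stunnel/ldap-ca.pem
verifyChain = yes
checkHost = ldap.example.com
```

The application's configuration then changes only in the host it connects to (127.0.0.1 instead of the directory server), which is the whole point of the wrapper; if the application can be reconfigured at all, the second answer's change from ldap: to ldaps: is the simpler fix.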

SVN Authentication for encrypted passwd or SASL-GSSAPI

We currently use auth_ldap with Apache for authentication, and due to security compliance we have to change the auth for SVN.
The requirement is pretty simple: users cannot save passwords unencrypted locally on clients. Of course, the password storage can be set to encrypted by individual users by editing the ''servers'' file, but due to the size of the firm we cannot monitor this and be sure that they are doing it.
What are the available authentication mechanisms?
1) SASL + GSSAPI: I have been struggling to implement this for a while. It looks like it no longer works. See here
2) [RULED OUT] SSH keys: There is quite some overhead in adding and removing keys, but this is doable. Ruled out as we have some services that access over HTTPS.
3) Passwords: There must be some way to be sure that passwords are stored encrypted in the user's home dir.
PS: Not interested in deploying the repo on a Windows server.
I'd appreciate it if someone could add some insight into possible authentication mechanisms for my requirement.
SYSTEMS: SVN 1.6.11 on Apache & RHEL 6.2, Windows Server 2008 R2 Active Directory.

WAS 7.0 LDAP configuration

All,
I'm trying to configure LDAP with WebSphere. I'm doing the settings in the "Security" area; when I click on 'Test settings' I get a connection exception (SECJ7340E). The IP/host are all fine, but I'm not able to connect to the server. Have you come across such a situation? Do you know the solution to this?
I'm using WAS 7.0.
LDAP troubleshooting is not hard.
What LDAP server are you connecting to? Does it have any logging? Can you get an error message from the LDAP server admins? (i.e. if they see a bad bind DN, bad password error, etc., then you have a much easier troubleshooting job to do.)
I am sure you have the right IP. Now, what port should you be connecting to? Clear text is 389, LDAP over SSL is 636, but they might have changed those values for some reason.
Does your LDAP server allow clear text connections at all?
Do you have SSL configured correctly? Generally this means that whatever system you are using, its trusted root keystore should include the public key of the CA that signed the server cert used by the LDAP server (i.e. Verisign, Thawte). Possibly it is using a self-signed certificate, in which case you should get an export of the CA that minted its public key to import into your keystore.
WebSphere is Java based, so I imagine it is using the Java keystore facility. Use the keytool executable in the Java bin directory to add the trusted root to the keystore WebSphere is using. (That detail I leave to you.)
What Bind DN are you using? Is it a real correct LDAP DN to connect with?
Use an LDAP browser like ApacheDS and see what it takes to connect to the LDAP server to validate the settings.
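The checklist in the answer above (right port, cleartext versus SSL, trusted CA in the keystore) can be walked from outside WebSphere before touching its configuration. The added example below is mine, not WebSphere's and not the answer author's; it separates "nothing listening" from "TLS handshake failed" from "certificate not trusted", which is the distinction SECJ7340E alone does not give you. The host names are placeholders, and the small cleartext listener at the end is a simulated misconfiguration for the demo (it stands in for pointing an LDAPS client at the plain port 389).

```python
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not WebSphere's or the answer author's code): probe the TCP
# and TLS layers an LDAPS client depends on. Host names are assumptions.


@dataclass
class LdapCheck:
    host: str
    port: int
    tcp_ok: bool
    tls_ok: Optional[bool]  # None when TLS was not attempted
    detail: str


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Is anything listening? Separates wrong host/port/firewall from TLS trouble."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 3.0) -> LdapCheck:
    """Attempt a TLS handshake as an LDAPS client would and explain the outcome.
    cafile is the CA bundle the client trusts (None = the platform default store)."""
    if not check_tcp(host, port, timeout):
        return LdapCheck(host, port, False, None,
                         "TCP connect failed: check host, port (389 vs 636) and firewalls")
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
                return LdapCheck(host, port, True, True,
                                 f"TLS OK; server cert issued by {issuer.get('commonName', '?')}")
    except ssl.SSLCertVerificationError as exc:
        # The answer's keystore point: the issuing CA is not in the trust store.
        return LdapCheck(host, port, True, False,
                         f"certificate not trusted ({exc.verify_message}); import the "
                         "issuing CA into the trust store the client actually uses")
    except ssl.SSLError as exc:
        return LdapCheck(host, port, True, False,
                         f"TLS handshake failed ({exc.reason}); is this the cleartext port?")
    except OSError as exc:
        return LdapCheck(host, port, True, False,
                         f"connection dropped during handshake ({exc}); likely a non-TLS listener")


def start_cleartext_listener(connections: int = 2) -> Tuple[socket.socket, int]:
    """Simulated misconfiguration for the demo: a listener that never speaks TLS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        for _ in range(connections):
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_cleartext_listener()
    print(check_ldaps("127.0.0.1", port))  # tcp_ok=True, tls_ok=False
    srv.close()
    # Against a real directory, with the CA the server admins gave you:
    # print(check_ldaps("ldap.example.com", 636, cafile="ldap-ca.pem"))
```

If the probe reports "certificate not trusted" with the CA bundle that the LDAP admins gave you, the CA file is wrong; if it reports it with cafile=None but passes with that bundle, the remaining work is the answer's keytool step, importing that CA into the trust store WebSphere is configured to use (keytool -importcert -alias ldap-ca -file ldap-ca.pem -keystore <the cell's trust store>).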