Tunnelling LDAP using stunnel

LDAP (Lightweight Directory Access Protocol) is the protocol used to access information stored in a directory service (also known as an LDAP directory).

LDAP is particularly useful for storing information that you wish to read from many locations, but update infrequently. For example, your company could store all of the following very efficiently in an LDAP directory:

* The company employee phone book and organizational chart
* External customer contact information
* Infrastructure services information, including NIS maps, email aliases, and so on
* Configuration information for distributed software packages

Most companies already use LDAP for their corporate directory services, but many of those deployments were set up early on, or without security in mind. The data travels in plain text, so anyone on the network path can read the queries, the results and, worse, the bind credentials.

LDAP does support SSL/TLS (LDAPS on port 636, or StartTLS on 389), but administrators are often unwilling to touch a working LDAP server. So a second-level service, a TLS tunnel, is put in front of it to provide the encryption.

Every request is sent through the tunnel, and the tunnelling software acts as a proxy to the LDAP server. Note that only the client-to-proxy leg is encrypted; the proxy-to-server leg is still plain text. The proxy should therefore run on the LDAP server host itself (connecting to 127.0.0.1:389), or at least on a network segment you trust.

Request:

Client ——> Tunnelling Proxy (SSL enabled connection)

Tunnelling Proxy ——> Server (SSL not enabled connection)

Response:

Server ——> Tunnelling Proxy (SSL not enabled connection)

Tunnelling Proxy ——> Client (SSL enabled connection)

Stunnel is the tool used here to tunnel the data between client and server; it acts as the TLS proxy for LDAP.

Getting stunnel running is easy: just edit the /etc/stunnel/stunnel.conf file

; global options
; stunnel.pem holds the server's private key followed by its certificate; keep it mode 600
cert = /etc/stunnel/stunnel.pem
; the original post used sslVersion = SSLv3, which is broken (POODLE) and disabled in current OpenSSL builds
sslVersion = TLSv1.2
pid = /var/run/stunnel/stunnel.pid
foreground = yes
; CAfile is only consulted for client-certificate checks, i.e. together with verify = 2
CAfile = /etc/stunnel/ca.cer
; 7 is very verbose; lower it once the tunnel works
debug = 7
; server mode: accept TLS from clients, forward plain text to the LDAP server
client = no
; service-level configuration
[ldaps]
accept = 636
; this leg is plain text; use 127.0.0.1:389 when stunnel runs on the LDAP server host
connect = ldapserver:389

On the LDAP client, point the LDAP library at the stunnel endpoint rather than at the LDAP server directly, for example URI ldaps://<stunnel-host>:636/ in /etc/openldap/ldap.conf, where <stunnel-host> is the name in the certificate stunnel presents.

If you get certificate errors, the quick workaround is to make the client ignore the CA and server certificates by adding the following line to /etc/openldap/ldap.conf:

TLS_REQCERT never

Be aware of what this does: it disables certificate verification entirely, so the connection is still encrypted but no longer authenticated, and anyone who can intercept the traffic can impersonate the proxy. Use it only while debugging. The proper fix is to install the CA certificate on the client and reference it with TLS_CACERT /path/to/ca.cer together with TLS_REQCERT demand.
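The post never shows where stunnel.pem and ca.cer come from, and the certificate errors that tempt people into TLS_REQCERT never are usually a missing CA or a name mismatch. The script below is an added example, not part of the original post: it builds a private CA and a server certificate with openssl, assembles the stunnel.pem file the server-side config expects, writes a hardened stunnel.conf (TLSv1.2 instead of SSLv3, plain-text leg on loopback) plus a client ldap.conf that verifies the proxy's certificate, and then checks the result. The hostname ldap-proxy.example.com and the ./stunnel-demo output directory are assumptions for the example; in production the files go to /etc/stunnel and /etc/openldap/certs as the generated configs state.

```shell
#!/bin/sh
# Added example (not from the original post): create the PKI files the
# stunnel.conf above refers to, write hardened server and client configs,
# and verify the certificate before deploying it.
# Assumptions: clients connect to ldap-proxy.example.com (hypothetical name);
# output goes to ./stunnel-demo instead of /etc/stunnel.
set -eu

make_stunnel_pki() {
    outdir="$1"; host="$2"
    mkdir -p "$outdir"
    # Private CA: this self-signed certificate is what clients trust (TLS_CACERT).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.cer" 2>/dev/null
    # Server key and CSR for the name clients will put in their ldaps:// URI.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null
    # Sign with the CA. Clients match the URI host against subjectAltName,
    # so it must carry the exact name they connect to, not just the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$outdir/san.ext"
    openssl x509 -req -days 825 -in "$outdir/server.csr" \
        -CA "$outdir/ca.cer" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/san.ext" -out "$outdir/server.cer" 2>/dev/null
    # stunnel's cert= file: private key followed by the certificate, mode 600.
    cat "$outdir/server.key" "$outdir/server.cer" > "$outdir/stunnel.pem"
    chmod 600 "$outdir/stunnel.pem" "$outdir/server.key" "$outdir/ca.key"
}

write_configs() {
    outdir="$1"; host="$2"
    # Server side: SSLv3 from the post replaced by TLSv1.2, and the plain-text
    # leg kept on the LDAP server's own loopback interface.
    cat > "$outdir/stunnel.conf" <<EOF
cert = /etc/stunnel/stunnel.pem
pid = /var/run/stunnel/stunnel.pid
foreground = yes
debug = 7
client = no
sslVersion = TLSv1.2
; service-level configuration
[ldaps]
accept = 636
connect = 127.0.0.1:389
EOF
    # Client side (/etc/openldap/ldap.conf): trust the private CA and insist on
    # a valid certificate instead of TLS_REQCERT never.
    cat > "$outdir/ldap.conf" <<EOF
URI ldaps://$host/
TLS_CACERT /etc/openldap/certs/ca.cer
TLS_REQCERT demand
EOF
}

# Does the server certificate chain to the CA? (exit status 0 = yes)
verify_chain() {
    openssl verify -CAfile "$1/ca.cer" "$1/server.cer" >/dev/null 2>&1
}

# Does the certificate carry the name clients will use? (exit status 0 = yes)
cert_has_san() {
    openssl x509 -in "$1/server.cer" -noout -text | grep -q "DNS:$2"
}

# Usage:
make_stunnel_pki ./stunnel-demo ldap-proxy.example.com
write_configs ./stunnel-demo ldap-proxy.example.com
verify_chain ./stunnel-demo && cert_has_san ./stunnel-demo ldap-proxy.example.com \
    && echo "certificate OK: install stunnel.pem on the proxy, ca.cer on the clients"
```

Once the files are in place, a quick end-to-end check from a client is openssl s_client -connect ldap-proxy.example.com:636 -CAfile /etc/openldap/certs/ca.cer (look for "Verify return code: 0 (ok)"), followed by an ldapsearch against the ldaps:// URI with TLS_REQCERT demand still set.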
