Unix Technical Forum

LDAP Authentication: passwd traffic is not encrypted

#1
Old 01-16-2008, 10:45 AM
mchesler@chesent.com
Posts: n/a
LDAP Authentication: passwd traffic is not encrypted

I'm trying to implement LDAP to replace NIS+ and I've run into an
issue. I have my LDAP server configured to run on port 389 and port
636 (running Sun Directory Server 5.2). I configured a Solaris 8
machine to authenticate against the LDAP server, which seems to work
fine (passwords are sent in crypt format, not ideal, but at least not
plain-text). When I log into the client as an LDAP user and try to
change the password using /usr/bin/passwd, I can see the plain-text
password (both the original and new passwords) being sent over the
line. How can I force any LDAP traffic to use SSL/TLS?

From snoop on LDAP server:

LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 6: Modify Request]
LDAP: [Object Name]
LDAP: uid=testuser,ou=People,dc=as3,dc
LDAP: =com
LDAP: *[Modification]
LDAP: *[]
LDAP: [Operation]
LDAP: Replace
LDAP: *[Modification]
LDAP: [Attribute]
LDAP: userpassword
LDAP: *[Set]
LDAP: [OctetString]
LDAP: abc1234
LDAP:

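As an added illustration (not code from the thread or from Sun) of what the snoop trace above exposes: a minimal detector that walks the BER encoding of captured LDAP messages and flags any ModifyRequest that writes userPassword to a port other than 636. The sample packet is constructed to match the shape of the trace, reusing the DN and value quoted in the post; a real capture would be fed in as (destination port, payload) pairs.

```python
# Added example, not from the thread: flag a ModifyRequest writing userPassword over a non-TLS port.
LDAPS_PORT = 636           # TLS-wrapped; payload is opaque to this check
MODIFY_REQUEST_TAG = 0x66  # [APPLICATION 6], constructed

def ber_tlv(tag, body):    # encode one definite-length BER TLV (builds the sample)
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def ber_items(buf):        # yield (tag, value) for consecutive TLVs in buf
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:       # long-form length: n & 0x7F length bytes follow
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        yield tag, buf[pos:pos + n]
        pos += n

def password_values(modify_body):   # values written to userPassword in one request
    found = []
    changes = list(ber_items(modify_body))[1][1]     # element after the LDAPDN
    for _, change in ber_items(changes):
        _op, modification = [v for _, v in ber_items(change)]
        attr_type, vals = [v for _, v in ber_items(modification)]
        if attr_type.lower() == b"userpassword":
            found.extend(v for _, v in ber_items(vals))
    return found

def find_cleartext_password_mods(packets):   # packets: (dst_port, ldap_payload) pairs
    hits = []
    for port, payload in packets:
        if port == LDAPS_PORT:
            continue
        for _, msg in ber_items(payload):            # each LDAPMessage SEQUENCE
            parts = list(ber_items(msg))             # [messageID, protocolOp, ...]
            if len(parts) < 2 or parts[1][0] != MODIFY_REQUEST_TAG:
                continue
            dn = next(ber_items(parts[1][1]))[1].decode()
            hits += [(dn, pw.decode("utf-8", "replace")) for pw in password_values(parts[1][1])]
    return hits

def sample_modify(dn, new_password):   # constructed ModifyRequest, shape of the trace
    mod = ber_tlv(0x30, ber_tlv(0x04, b"userPassword") + ber_tlv(0x31, ber_tlv(0x04, new_password)))
    change = ber_tlv(0x30, ber_tlv(0x0A, b"\x02") + mod)  # operation 2 = replace
    op = ber_tlv(MODIFY_REQUEST_TAG, ber_tlv(0x04, dn) + ber_tlv(0x30, change))
    return ber_tlv(0x30, ber_tlv(0x02, b"\x01") + op)     # messageID 1

CAPTURE = [  # constructed sample, not a real capture
    (389, sample_modify(b"uid=testuser,ou=People,dc=as3,dc=com", b"abc1234")),
]
```

Running `find_cleartext_password_mods(CAPTURE)` returns the DN and the password exactly as the snoop trace shows them; the same request sent to port 636 produces no hit because the TLS payload is never parsed.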
#2
Old 01-16-2008, 10:45 AM
Erik C.J. Laan
Posts: n/a
Re: LDAP Authentication: passwd traffic is not encrypted

mchesler@chesent.com wrote:
> I'm trying to implement LDAP to replace NIS+ and I've run into an
> issue. I have my LDAP server configured to run on port 389 and port
> 636 (running Sun Directory Server 5.2). I configured a Solaris 8
> machine to authenticate against the LDAP server, which seems to work
> fine (passwords are sent in crypt format, not ideal, but at least not
> plain-text). When I log into the client as an LDAP user and try to
> change the password using /usr/bin/passwd, I can see the plain-text
> password (both the original and new passwords) being sent over the
> line. How can I force any LDAP traffic to use SSL/TLS?
>
> From snoop on LDAP server:
>
> LDAP: ----- Lightweight Directory Access Protocol Header -----
> LDAP: *[LDAPMessage]
> LDAP: [Message ID]
> LDAP: Operation *[APPL 6: Modify Request]
> LDAP: [Object Name]
> LDAP: uid=testuser,ou=People,dc=as3,dc
> LDAP: =com
> LDAP: *[Modification]
> LDAP: *[]
> LDAP: [Operation]
> LDAP: Replace
> LDAP: *[Modification]
> LDAP: [Attribute]
> LDAP: userpassword
> LDAP: *[Set]
> LDAP: [OctetString]
> LDAP: abc1234
> LDAP:
>


In the DUA config profile for your Solaris client you should set
the authentication to tls:simple instead of simple IIRC.

HTH, Erik.

#3
Old 01-16-2008, 10:45 AM
tunla
Posts: n/a
Re: LDAP Authentication: passwd traffic is not encrypted

mchesler@chesent.com wrote:
> I'm trying to implement LDAP to replace NIS+ and I've run into an
> issue. I have my LDAP server configured to run on port 389 and port
> 636 (running Sun Directory Server 5.2). I configured a Solaris 8
> machine to authenticate against the LDAP server, which seems to work
> fine (passwords are sent in crypt format, not ideal, but at least not
> plain-text). When I log into the client as an LDAP user and try to
> change the password using /usr/bin/passwd, I can see the plain-text
> password (both the original and new passwords) being sent over the
> line. How can I force any LDAP traffic to use SSL/TLS?
>
> From snoop on LDAP server:
>
> LDAP: ----- Lightweight Directory Access Protocol Header -----
> LDAP: *[LDAPMessage]
> LDAP: [Message ID]
> LDAP: Operation *[APPL 6: Modify Request]
> LDAP: [Object Name]
> LDAP: uid=testuser,ou=People,dc=as3,dc
> LDAP: =com
> LDAP: *[Modification]
> LDAP: *[]
> LDAP: [Operation]
> LDAP: Replace
> LDAP: *[Modification]
> LDAP: [Attribute]
> LDAP: userpassword
> LDAP: *[Set]
> LDAP: [OctetString]
> LDAP: abc1234
> LDAP:

You need to install patch 108993-18 or later to get the PHASE2 ldap
client, which is able to run SSL authentication.
This is the default ldapclient on Solaris 9.

//Lars
