directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r1005487 - in /websites/staging/directory/trunk/content: ./ api/user-guide/5-ldap-security.html api/user-guide/5.1-ldaps.html
Date Tue, 24 Jan 2017 13:03:34 GMT
Author: buildbot
Date: Tue Jan 24 13:03:33 2017
New Revision: 1005487

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/api/user-guide/5-ldap-security.html
    websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Jan 24 13:03:33 2017
@@ -1 +1 @@
-1778729
+1780072

Modified: websites/staging/directory/trunk/content/api/user-guide/5-ldap-security.html
==============================================================================
--- websites/staging/directory/trunk/content/api/user-guide/5-ldap-security.html (original)
+++ websites/staging/directory/trunk/content/api/user-guide/5-ldap-security.html Tue Jan 24
13:03:33 2017
@@ -185,10 +185,7 @@
 h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover
> .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink
{ visibility: visible }</style>
 <h1 id="5-ldap-security">5 - LDAP Security<a class="headerlink" href="#5-ldap-security"
title="Permanent link">&para;</a></h1>
 <p><strong>LDAP</strong> databases store critical information that must
be kept secure.  The <strong>Apache LDAP API</strong> can access the data securely
while in flight but can't protect it while at rest -- that's for the database system itself
to do.</p>
-<p>Generally speaking when it comes to securing a system, we are addressing the three
<strong>A</strong>s:
-<em> Authentication
-</em> Authorization
-* Auditing</p>
+<p>Generally speaking when it comes to securing a system, we are addressing the three
<strong>A</strong>s: Authentication, Authorization and Auditing.</p>
 <p>The only aspect we will focus on is the <strong>Authentication</strong>
part, because the <strong>LDAP</strong> protocol does not address the other two,
when it comes to an <strong>API</strong>. We will talk about authorization a little
bit in the last chapter.</p>
 <p>Another aspect of security is encryption:
 - securing the communication between the client and the server
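Review bot: the list-inside-a-paragraph problem this hunk fixes for the three As is still present in the trailing context lines: `<p>Another aspect of security is encryption:` is followed by ` - securing the communication between the client and the server`, so a `- ` bullet sits inside a `<p>` and renders as one run-on line instead of a list. Either fold it into a sentence, as was done for "Authentication, Authorization and Auditing", or give the markdown source a blank line before the bullet items so the CMS emits a real `<ul>`.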

Modified: websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html
==============================================================================
--- websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html (original)
+++ websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html Tue Jan 24 13:03:33
2017
@@ -187,10 +187,10 @@ h2:hover > .headerlink, h3:hover > .head
 <p><strong>LDAP</strong> supports <strong>SSL</strong>, it's
called <strong>LDAPS</strong>, and it uses a dedicated port. As of today, and
since 2000, <strong>LDAPS</strong> is deprecated and <strong>StartTLS</strong>
should be used.</p>
 <p>That being said, many servers accept <strong>LDAPS</strong>, and the
<strong>Apache LDAP API</strong> supports it.</p>
 <h2 id="how-does-it-work">How does it work ?<a class="headerlink" href="#how-does-it-work"
title="Permanent link">&para;</a></h2>
-<p>The <strong>SSL</strong> protocol ensures that data are transmitted
encrypted, and guarantees that the data being received are valid. Nobody can capture those
data and read them, assuming the ciphers being used are strong enough.</p>
-<p>With <strong>SSL</strong>, a dialog between the client and the server
occurs, and when both part agree on the cipher to use, then all subsequent data is encrypted.
This dialog may include a mutual validation. </p>
+<p>The <strong>SSL</strong> protocol ensures that data is transmitted encrypted,
and guarantees that the data received is valid. Noone can capture this data and read it, assuming
the ciphers used are of sufficient strength.</p>
+<p>With <strong>SSL</strong>, a dialog between the client and the server
occurs, and when both agree on the particular cipher to use, then all subsequent data is encrypted.
This dialog may include a mutual validation of their X.509 certificates. </p>
 <h2 id="protocols">Protocols<a class="headerlink" href="#protocols" title="Permanent
link">&para;</a></h2>
-<p>There are many version that can be used, but the idea is to use tha most recent
one, if the server supports it. In any case, as we depend on <strong>Java</strong>,
we are also limited by the supported version on the client side. Here are all the existing
version, and their status :</p>
+<p>There are many version that can be used, but the idea is to use the most recent
one, if the server supports it. In any case, as we depend on <strong>Java</strong>,
we are also limited by the supported version on the client side. Here are all of the existing
versions, and their statuses:</p>
 <table class="table">
 <thead>
 <tr>
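Review bot: two wording slips survive the rewrite in this hunk. "There are many version that can be used" and "the supported version on the client side" still have singular "version", while the end of the same sentence was changed to "versions, and their statuses"; and "Noone can capture this data" should be "No one can capture this data". Since the paragraph is being re-edited anyway, "guarantees that the data received is valid" deserves a qualifier: that guarantee only holds when the client verifies the server's certificate, and the primer later in this same file states that the certificate is not verified by default.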
@@ -239,11 +239,11 @@ h2:hover > .headerlink, h3:hover > .head
 </tr>
 </tbody>
 </table>
-<p>(<em>Disabled</em> mean it's not active by default, and must be activated
explicitely).</p>
-<p>The default is for Java to pick the one that fits, assuming that it will always
start with the newest version (<strong>TLSv1.2</strong>).</p>
-<p>Still, you can enforce the version if needed.</p>
+<p>(<em>Disabled</em> means it's not active by default, and so must be
activated explicitly).</p>
+<p>The default is Java will choose the best fit, assuming that it always starts with
the newest version (<strong>TLSv1.2</strong>).</p>
+<p>Still, you can enforce the version used -- if needed.</p>
 <h2 id="a-quick-primer">A quick primer<a class="headerlink" href="#a-quick-primer"
title="Permanent link">&para;</a></h2>
-<p>Here is all what you need to get a <strong>LDAPS</strong> connection
established with a server :</p>
+<p>Here is all that is needed to get <strong>LDAPS</strong> connections
established with a server :</p>
 <div class="codehilite"><pre>    <span class="k">try</span> <span
class="p">(</span> <span class="n">LdapConnection</span> <span class="n">connection</span>
<span class="p">=</span> <span class="n">new</span> <span class="n">LdapNetworkConnection</span><span
class="p">(</span> &quot;<span class="n">server</span><span class="o">-</span><span
class="n">name</span>&quot;<span class="p">,</span> 636<span class="p">,</span>
<span class="n">true</span> <span class="p">)</span> <span class="p">)</span>
     <span class="p">{</span>
         <span class="n">connection</span><span class="p">.</span><span
class="n">bind</span><span class="p">(</span> &quot;<span class="n">uid</span><span
class="p">=</span><span class="n">admin</span><span class="p">,</span><span
class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot;<span
class="p">,</span> &quot;<span class="n">secret</span>&quot;
<span class="p">);</span>
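Review bot: "The default is Java will choose the best fit", the replacement for "The default is for Java to pick the one that fits", is not grammatical; "By default, Java will choose the best fit" reads cleanly. The double hyphen added in "you can enforce the version used -- if needed" is an unnecessary aside; "you can enforce the version used, if needed" is enough. Minor: the primer says "Here is all that is needed" and then binds as uid=admin,ou=system with the password "secret"; labelling those as placeholder values would stop readers copying them verbatim.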
@@ -253,8 +253,8 @@ h2:hover > .headerlink, h3:hover > .head
 </pre></div>
 
 
-<p>This is as simple as that ! The <strong>636* port is the default </strong>LDAPS<strong>
port for standard </strong>LDAP<strong> servers, when running as </strong>root<strong>,
and for </strong>ApacheDS<strong> you will have to pick </strong>10636<strong>.
The </strong>true** flag is set to secure the connection. You don't need to close the
connection, it will be done automatically when exiting the try{...} block.</p>
-<p>By default, the selected protocol is <strong>TLS</strong>, and we wont
verify the server's certificate.</p>
+<p>It's as simple as that! The <strong>636</strong> port is the default
<strong>LDAPS</strong> port for standard <strong>LDAP</strong> servers,
when running as <strong>root</strong>, and for <strong>ApacheDS</strong>
you must pick <strong>10636</strong>. The <strong>true</strong> flag
is set to secure the connection. You don't need to close the connection, it will be done automatically
upon exiting the try{...} block.</p>
+<p>By default, the selected protocol is <strong>TLS</strong>, and the server's
certificate is not verified.</p>
 <h2 id="a-more-sophisticated-sample">A more sophisticated sample<a class="headerlink"
href="#a-more-sophisticated-sample" title="Permanent link">&para;</a></h2>
 <p>It's possible to have more control on the <strong>SSL</strong> configuration,
and specifically to provide a specific <strong>TrustManager</strong> :</p>
 <div class="codehilite"><pre>    <span class="k">try</span> <span
class="p">(</span> <span class="n">LdapConnection</span> <span class="n">connection</span>
<span class="p">=</span> <span class="n">new</span> <span class="n">LdapNetworkConnection</span><span
class="p">(</span> <span class="n">Network</span><span class="p">.</span><span
class="n">LOOPBACK_HOSTNAME</span><span class="p">,</span> <span class="n">getLdapServer</span><span
class="p">().</span><span class="n">getPortSSL</span><span class="p">(),</span>
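Review bot: the new sentence "By default, the selected protocol is TLS, and the server's certificate is not verified." states an insecure default as a plain fact without saying what it means for the reader: with no certificate verification the client gets encryption to whatever answers on port 636 but no authentication of the server, so a connection built exactly as in the primer can be intercepted by any host that can place itself on the path, and the bind credentials go to that host. A short pointer to the next section, where a TrustManager is supplied, would close the gap. Also, "when running as root" is the reason a server can listen on 636 (a privileged port); saying so would make the contrast with ApacheDS's 10636 clearer.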

@@ -268,18 +268,18 @@ h2:hover > .headerlink, h3:hover > .head
 </pre></div>
 
 
-<p>Here, we use the <em>NoVerificationTrustManager</em> class, but you
can define your own implementation. The <strong>Fortress</strong> project is using
<a href="https://github.com/apache/directory-fortress-core/blob/master/src/main/java/org/apache/directory/fortress/core/ldap/LdapClientTrustStoreManager.java">this
class</a>.</p>
+<p>Here, we use the <em>NoVerificationTrustManager</em> class, but you
may define your own implementation of it. The <strong>Fortress</strong> project
uses <a href="https://github.com/apache/directory-fortress-core/blob/master/src/main/java/org/apache/directory/fortress/core/ldap/LdapClientTrustStoreManager.java">this
class</a>.</p>
 <h2 id="using-a-configuration">Using a configuration<a class="headerlink" href="#using-a-configuration"
title="Permanent link">&para;</a></h2>
-<p>One step further : you can define a dediated configuration that is passed to the
constructor. Many parameters can be defined :</p>
+<p>One step further : you can define a dedicated configuration that is passed to the
constructor. Many parameters can be defined:</p>
 <ul>
-<li>the enabled cipher suites : a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
etc)</li>
-<li>the enabled protocols : a list of protocals that may be used ( "SSLv3", "TLS",
"TLSv1", "TLSv1.1", "TLSv1.2")</li>
+<li>the enabled cipher suites: a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
etc)</li>
+<li>the enabled protocols: a list of protocals that may be used ( "SSLv3", "TLS", "TLSv1",
"TLSv1.1", "TLSv1.2")</li>
 <li>the KeyManager instances</li>
 <li>the SecureRandom instance</li>
-<li>the SSL protocol to use : one of the enabled protocols</li>
+<li>the SSL protocol to use: one of the enabled protocols</li>
 <li>the TrustManager instances</li>
 </ul>
-<p>All those parameters are configured using the <em>LdapConnectionConfig</em>
class :</p>
+<p>All these parameters are configured using the <em>LdapConnectionConfig</em>
class :</p>
 <div class="codehilite"><pre>    <span class="n">LdapConnectionConfig</span>
<span class="n">sslConfig</span> <span class="p">=</span> <span
class="n">new</span> <span class="n">LdapConnectionConfig</span><span
class="p">();</span>
     <span class="n">sslConfig</span><span class="p">.</span><span
class="n">setLdapHost</span><span class="p">(</span> <span class="n">Network</span><span
class="p">.</span><span class="n">LOOPBACK_HOSTNAME</span> <span class="p">);</span>
     <span class="n">sslConfig</span><span class="p">.</span><span
class="n">setUseSsl</span><span class="p">(</span> <span class="n">true</span>
<span class="p">);</span>
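Review bot: "protocals" in "a list of protocals that may be used" is carried unchanged into the replacement line; it should be "protocols". This hunk removes the space before the colon in "Many parameters can be defined:" and in the list items but leaves it in "One step further : you can define" and in "class :" in the following paragraph; make these consistent. On content, the enabled-protocols example lists "SSLv3" and "TLS" alongside "TLSv1" through "TLSv1.2"; since the Protocols section of this page already carries a status table for each version (with some marked Disabled), the list here should say that only protocols the table shows as enabled belong in it, or drop SSLv3 from the example. The NoVerificationTrustManager sentence would also benefit from stating that this class disables verification and is meant for testing against a server whose certificate you cannot yet trust; the Fortress link that follows already points at an example of an implementation to model a real one on.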
@@ -297,12 +297,12 @@ h2:hover > .headerlink, h3:hover > .head
 
 
 <h2 id="ldaps-or-starttls">LDAPS or startTLS ?<a class="headerlink" href="#ldaps-or-starttls"
title="Permanent link">&para;</a></h2>
-<p>The important point to understand with <strong>LDAPS</strong> is that
every request being exchanged between the client and the server will be encrypted, because
the underlying transport is encrypted. That means you can't start communicating with the LDAP
server before the connection is secured.</p>
-<p>It has a few drawbacks :
+<p>The important point to understand with <strong>LDAPS</strong> is that
every request being exchanged between the client and the server is encrypted, because its
underlying transport is encrypted. That means you can't start communicating with the LDAP
server before the connection is secured.</p>
+<p>It has a few drawbacks:
 - first of all, it has an added CPU cost, as everything has to be encrypted and decrypted.
 - second, it requires a dedicated port, thus some specific routing rules (firewall, load
balancers, etc)
-- third, it's a all of nothing choice. If you want to come back to a non-encrypted communication,
you need to use another connection.</p>
-<p>This is the reason why the <strong>startTLS</strong> extended operation
should be used.</p>
+- third, it's a all of nothing choice. If you want to return to a non-encrypted communication,
you must use another connection.</p>
+<p>This is the why the <strong>startTLS</strong> extended operation should
be used instead.</p>
 
 
     <div class="nav">
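Review bot: "it's a all of nothing choice" is kept unchanged in the replacement line; it should be "an all-or-nothing choice", and "This is the why the startTLS extended operation should be used instead" has a stray "the" ("This is why"). The drawbacks list is again written as "- " lines inside a `<p>`, so it will not render as a list, the same issue as in 5-ldap-security.html. On the argument: the third "drawback" is also the main security property of LDAPS, namely that a session can never fall back to cleartext. If startTLS is recommended instead, the text should add that a client must treat a failed or refused StartTLS extended operation as fatal rather than continue in the clear, otherwise the recommendation trades away exactly that property.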


