A quick search will provide plenty of articles about the subject.
Thanks, I had actually thought of using a search engine (as somebody
put it, part of the fun with configuring OpenLDAP is that you
definitely have to).
What I cannot find (yet) is whether there is a way to require StartTLS only
Thank you.
Date: Wed, 6 Oct 2010 22:27:08 +0100
From: miguelmeda...@sapo.pt
To: mbaud...@argeo.org
CC: centos@centos.org
Subject: Re: [CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]
Are you aware that SSL on port 636 is now considered deprecated in favor
The reason why I (think I) need both is that many third party apps on
the server (PHP applications typically) do not easily manage StartTLS.
Meanwhile, having two different ports makes it easier to manage via iptables.
You can also use StartTLS over the network and LDAPI (connection over Unix
sockets, which are inherently secure) for apps running on the server. I use
it, both with OpenLDAP and 389 Directory Server (a.k.a. Fedora DS, Red Hat
DS).
Unfortunately, I have a whole LAN whose user/group/auth
On Thu, 7 Oct 2010, Mathieu Baudier wrote:
You can also use StartTLS over the network and LDAPI (connection
over Unix sockets, which are inherently secure) for apps running on
the server. I use it, both with OpenLDAP and 389 Directory Server
(a.k.a. Fedora DS, Red Hat DS).
Unfortunately,
One possible solution is to have the main LDAP server addressable only
via STARTTLS and a non-SSL, read-only slave on a different host that's
visible only to your LAN.
Very interesting.
It would also address some concerns I had with all these third-party
LDAP plugins having (potential) write
Well, that's simply *not* true... says the guy who, 20-30 years ago, had
to read IBM mainframe manuals
I can attest to IBM manuals of that era. :-)
A few years back, while working for a bank, I came across one of the
original manuals for the IBM 4702 Branch Controller. And I thought
early
Hello,
I have a central repository of users/groups based on OpenLDAP which is
working on a remote LAN (servers share users' credentials and mount
their home directories via NFS). They use non-encrypted ldap
restricted to the local network.
Now, I have a few servers in our local office and I would
On Wed, Oct 06, 2010 at 10:24:44AM +0200, Mathieu Baudier wrote:
Hello,
Now, I have a few servers in our local office and I would like them to
authenticate from the remote LDAP server using encryption via
ldaps://.
(at this stage, without using client-side certificate)
I have run a
Did you, on the server, change the new, undocumented, /etc/sysconfig/ldap
file's entry for SLAPD_LDAPS and restart the ldap service on the server?
This setting was indeed set to no.
What is funny though is that I actually can connect to the ldaps port
without it (since ldapsearch -x is
On Wed, Oct 06, 2010 at 03:32:03PM +0200, Mathieu Baudier wrote:
Did you, on the server, change the new, undocumented, /etc/sysconfig/ldap
file's entry for SLAPD_LDAPS and restart the ldap service on the server?
This setting was indeed set to no.
I changed the settings to yes and
On Wed, 6 Oct 2010, Mathieu Baudier wrote:
Now, I have a few servers in our local office and I would like them to
authenticate from the remote LDAP server using encryption via
ldaps://.
(at this stage, without using client-side certificate)
I have run a similar command as I did on the
Here are the changes I'd review:
1. After installing the CA cert, did you create a hash link? E.g.,
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
2. Make sure you know the difference between /etc/ldap.conf and
/etc/openldap/ldap.conf. The former is used by nss_ldap, the
Are you aware that SSL on port 636 is now considered deprecated in favor
of START_TLS on port 389?
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
On Wed, Oct 06, 2010 at 06:35:14PM +0200, Mathieu Baudier wrote:
IMHO, the comments in /etc/ldap.conf could be a bit more explicit on
the 'on' value:
IMNSHO most documentation on LDAP is laughable, and perhaps one of the
main reasons Active Directory has become so much more popular. Say
Scott Robbins wrote:
On Wed, Oct 06, 2010 at 06:35:14PM +0200, Mathieu Baudier wrote:
IMHO, the comments in /etc/ldap.conf could be a bit more explicit on
the 'on' value:
IMNSHO most documentation on LDAP is laughable, and perhaps one of the
main reasons Active Directory has become so much
Are you aware that SSL on port 636 is now considered deprecated in favor of
START_TLS on port 389?
No, I'm not (I actually thought that it was the other way round)
I found it practical to have a port (389 or equivalent) that I could
authorize via iptables only on the local network, and
Are you aware that SSL on port 636 is now considered deprecated in favor of
START_TLS on port 389?
No, I'm not (I actually thought that it was the other way round)
(...)
What are the pros and cons of both approaches?
Comments more than welcome
You can, as an example, consult the
On Wed, 2010-10-06 at 09:49 -0400, Scott Robbins wrote:
On Wed, Oct 06, 2010 at 03:32:03PM +0200, Mathieu Baudier wrote:
Did you, on the server, change the new, undocumented, /etc/sysconfig/ldap
file's entry for SLAPD_LDAPS and restart the ldap service on the server?
This setting was
On Wed, 2010-10-06 at 08:32 -0700, Paul Heinlein wrote:
On Wed, 6 Oct 2010, Mathieu Baudier wrote:
Now, I have a few servers in our local office and I would like them to
authenticate from the remote LDAP server using encryption via
ldaps://.
(at this stage, without using client-side