Stefan Humbold created DIRSERVER-2126:
-----------------------------------------
Summary: Possibility to set 'StartTLS enforced' through some parameter
Key: DIRSERVER-2126
URL: https://issues.apache.org/jira/browse/DIRSERVER-2126
Project: Directory ApacheDS
Issue Type: Improvement
Components: core
Affects Versions: 2.0.0-M21
Environment: All Apache-DS Versions, all operating systems.
Reporter: Stefan Humbold
Priority: Critical
Up to now (M21) it is not possible to set the communication protocol to 'StartTLS enforced'.

We don't want to offer our LDAP clients an insecure way to talk with our LDAP server. Yes, I can disable the default port 389 and only enable the SSL port 636. But the DS documentation says: " **LDAPS** is considered as deprecated. You should always favor startTLS instead. "

And I also need port 389 (with StartTLS) for replication, so I cannot disable it.

At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But the users can still connect without TLS.

I found this interesting paper:
http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf
--> see caption 3.5:

"The correct and standard approach is to start LDAP without encryption and then negotiate the TLS security layer. If necessary, the server can be configured to refuse all operations other than 'Start TLS' until TLS is in place"

In OpenLDAP you can enforce TLS through some parameter, and I think that would be a good addition to ApacheDS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
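An added example, not part of the ticket or of ApacheDS, that lets an administrator verify the behaviour the quoted paper describes: it sends one plaintext anonymous simple bind on the StartTLS port and reports whether the server answers with confidentialityRequired (result code 13, RFC 4511) instead of success (0). The hand-rolled BER encoding avoids any LDAP library dependency; the host name and the sample response bytes are constructed for illustration.

```python
import socket

SUCCESS = 0                    # RFC 4511 resultCode values
CONFIDENTIALITY_REQUIRED = 13  # what a TLS-enforcing server should return pre-StartTLS

def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def bind_request(msg_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def read_tlv(buf, pos=0):
    """Decode one BER TLV, returning (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_result_code(msg):
    """Extract the ENUMERATED resultCode from an LDAPMessage carrying a BindResponse."""
    tag, body, _ = read_tlv(msg)            # outer LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)              # skip messageID
    tag, resp, _ = read_tlv(body, pos)      # protocolOp
    if tag != 0x61:                         # BindResponse is [APPLICATION 1]
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, _ = read_tlv(resp)             # resultCode comes first in LDAPResult
    return int.from_bytes(code, "big")

def plaintext_bind_result(host, port=389, timeout=5.0):
    """Result code the server returns to an anonymous bind sent before StartTLS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request())
        return parse_result_code(s.recv(4096))

# Constructed sample: BindResponse with resultCode 13, empty matchedDN/diagnosticMessage.
SAMPLE_REFUSAL = bytes.fromhex("300c02010161070a010d04000400")

if __name__ == "__main__":  # host is a placeholder, not a real server
    print("enforced" if plaintext_bind_result("ldap.example.test") == CONFIDENTIALITY_REQUIRED else "NOT enforced")
```

A result of 0 on port 389 means the quoted "refuse all operations other than 'Start TLS'" policy is not in effect, which is exactly the gap the ticket describes.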