[ https://issues.apache.org/jira/browse/DIRSERVER-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Humbold closed DIRSERVER-2126.
-------------------------------------
Resolution: Not A Problem
It is already working!
Set the value of the attribute ads-confidentialityRequired to TRUE and restart
the server.
This attribute is present in the entry
ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
Tested with M21 and JRE 8.
> Possibility to set 'StartTLS enforced' through some parameter
> -------------------------------------------------------------
>
> Key: DIRSERVER-2126
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2126
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 2.0.0-M21
> Environment: All Apache-DS Versions, all operating systems.
> Reporter: Stefan Humbold
> Priority: Critical
>
> Up to now (M21) it is not possible to set the communication protocol to
> 'StartTLS enforced'.
> We don't want to offer our LDAP clients an insecure way to talk with our
> LDAP server. Yes, I can disable the default port 389 and only enable the
> SSL port 636. But the DS documentation says: "**LDAPS** is
> considered as deprecated. You should always favor startTLS instead."
> And I also need port 389 (with StartTLS) for replication, so I cannot
> disable it.
> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But the
> users can still connect without TLS.
> I found this interesting paper:
> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf
> --> see caption 3.5:
> "The correct and standard approach is to start LDAP without encryption and
> then negotiate the TLS security layer. If necessary, the server can be
> configured to refuse all operations other than 'Start TLS' until TLS is in
> place"
> In OpenLDAP you can enforce TLS through some
> parameter, and I think that would be a good addition to ApacheDS.
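The closing comment only names the attribute and entry; what a practitioner wants next is a way to confirm the enforcement actually bites. The script below is an added example, not code from the JIRA thread or from the ApacheDS project. It carries the LDIF for the change described in the comment (applied with ldapmodify against the ou=config partition, followed by the restart the comment calls for) and a dependency-free probe that opens a cleartext connection to port 389, sends a simple bind, and then the StartTLS extended operation, decoding the BER-encoded results by hand. With ads-confidentialityRequired=TRUE the cleartext bind should be refused with resultCode 13 (confidentialityRequired, RFC 4511) while StartTLS still succeeds; the hostname and port are assumptions, and the sample response bytes used below are constructed, not captured from a server.

```python
"""Probe whether an LDAP listener refuses operations before StartTLS.

Added example (not from the JIRA thread or ApacheDS). Standard library only;
LDAP messages are hand-encoded in BER per RFC 4511. Host/port are assumed.
"""
import socket
import sys

# LDIF for the change the closing comment describes (ou=config partition).
ENFORCE_TLS_LDIF = """\
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-confidentialityRequired
ads-confidentialityRequired: TRUE
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
RESULT_NAMES = {0: "success", 13: "confidentialityRequired",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """Minimal two's-complement INTEGER content for a non-negative value."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def bind_request(msg_id, dn="", password=""):
    """LDAPMessage with a simple BindRequest ([APPLICATION 0] = 0x60)."""
    op = tlv(0x60, tlv(0x02, ber_int(3))              # version 3
              + tlv(0x04, dn.encode())                # name (empty: anonymous)
              + tlv(0x80, password.encode()))         # simple [0] password
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + op)


def starttls_request(msg_id):
    """LDAPMessage with an ExtendedRequest ([APPLICATION 23] = 0x77)."""
    op = tlv(0x77, tlv(0x80, STARTTLS_OID))           # requestName [0]
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + op)


def read_tlv(buf, off=0):
    """Return (tag, content, offset just after this element)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def parse_result(msg):
    """Decode an LDAPMessage whose protocolOp begins with an LDAPResult."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, off = read_tlv(body)
    op_tag, op, _ = read_tlv(body, off)
    _, code, off = read_tlv(op)                       # resultCode ENUMERATED
    _, _, off = read_tlv(op, off)                     # matchedDN (ignored)
    _, diag, _ = read_tlv(op, off)                    # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "op_tag": op_tag,
            "result_code": rc, "result": RESULT_NAMES.get(rc, str(rc)),
            "diagnostic": diag.decode(errors="replace")}


def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:                                 # long-form length
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)


def probe(host, port=389, timeout=5.0):
    """Cleartext bind, then StartTLS; return both decoded LDAPResults."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1))
        bind = parse_result(recv_message(s))
        s.sendall(starttls_request(2))
        tls = parse_result(recv_message(s))
    return {"cleartext_bind": bind, "starttls": tls}


def enforced(results):
    """True when the cleartext bind got 13 and StartTLS is still offered."""
    return (results["cleartext_bind"]["result_code"] == 13
            and results["starttls"]["result_code"] == 0)


if __name__ == "__main__":
    r = probe(sys.argv[1] if len(sys.argv) > 1 else "localhost")  # assumed host
    for step, res in r.items():
        print(f"{step}: {res['result']} ({res['result_code']}) {res['diagnostic']}")
    print("StartTLS enforced" if enforced(r) else "cleartext operations allowed")
```

Before the change, the anonymous bind on 389 typically returns 0 (success), which is exactly the gap the report describes; after the change and restart it should return 13. Run the probe from a host that can reach 389, including the replication peer, since that peer must still be able to issue StartTLS first and then bind over the protected session.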