> As far as I understand, the vanilla installation of the freeipa
> server allows clients to communicate with the LDAP server with or
> without SSL. We need to configure both, clients to always use
> SSL, and the server to reject non-SSL communication attempts.
> Where can I find the relevant documentation about setting this up,
> please?
You can set this option: https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/setting_a_minimum_strength_factor

But it breaks one or two things that may or may not be essential in your environment, so you'll want to test carefully.

It also cannot prevent a misconfigured client from blurting out a password in plaintext when performing a simple bind over port 389. Blame the flawed design of the LDAP protocol for that. But at least you can prevent such a bind from succeeding with: https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring-special-binds#requiring-secure-binds

FreeIPA servers/clients need to be able to communicate with IPA servers securely without using TLS; GSSAPI is used for Kerberos-based integrity and confidentiality over port 389. The CA component of FreeIPA is optional, after all. :)

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
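The two server-side controls the reply above points at are the 389 Directory Server `cn=config` attributes `nsslapd-minssf` (minimum security strength factor for any connection) and `nsslapd-require-secure-binds` (refuse simple binds over unprotected connections). The following audit script is an added example for this thread, not code from the poster or from the FreeIPA/389-ds projects: it parses the LDIF you would get from a base-scope `ldapsearch` of `cn=config` (the sample entries below are constructed, not captured from a real server), reports whether plaintext LDAP is still accepted, and emits the `ldapmodify` LDIF that would enable both controls. The SSF threshold of 56 is an assumption; pick the value your deployment's GSSAPI-protected traffic actually negotiates.

```python
"""Audit a 389-ds / FreeIPA cn=config entry for plaintext-LDAP exposure.

Hypothetical example written for the mailing-list thread above; it is not
part of FreeIPA or 389-ds. Input is the text of a base-scope search of
cn=config (assumed usage: `ldapsearch -LLL -b cn=config -s base`).
"""

from typing import Dict, List

# Real 389-ds cn=config attribute names (see the linked Red Hat docs).
ATTR_MINSSF = "nsslapd-minssf"
ATTR_SECURE_BINDS = "nsslapd-require-secure-binds"
# Assumed threshold: anything below this is treated as "effectively cleartext".
DEFAULT_MIN_SSF = 56


def parse_ldif_entry(ldif_text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute: [values]}.

    Joins folded lines (a continuation line starts with a single space),
    skips comments and blank lines, and lower-cases attribute names because
    LDAP attribute types are case-insensitive. Base64 (`::`) values are
    left undecoded, which is fine for the two on/off and integer attributes
    audited here.
    """
    logical_lines: List[str] = []
    for raw in ldif_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]
        else:
            logical_lines.append(raw)

    attrs: Dict[str, List[str]] = {}
    for line in logical_lines:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_ldap_config(ldif_text: str, min_ssf: int = DEFAULT_MIN_SSF) -> List[str]:
    """Return findings as strings; an empty list means both controls are set."""
    attrs = parse_ldif_entry(ldif_text)
    findings: List[str] = []

    # 389-ds defaults to 0, i.e. no minimum, when the attribute is absent.
    ssf_raw = attrs.get(ATTR_MINSSF, ["0"])[0]
    try:
        ssf = int(ssf_raw)
    except ValueError:
        ssf = 0
        findings.append(f"{ATTR_MINSSF} has a non-numeric value: {ssf_raw!r}")
    if ssf < min_ssf:
        findings.append(
            f"{ATTR_MINSSF}={ssf}: connections with SSF below {min_ssf} on "
            "port 389 are accepted, so unencrypted LDAP is not rejected"
        )

    # Absent attribute behaves like "off".
    secure_binds = attrs.get(ATTR_SECURE_BINDS, ["off"])[0].lower()
    if secure_binds != "on":
        findings.append(
            f"{ATTR_SECURE_BINDS}={secure_binds}: a simple bind can still "
            "succeed over a connection with no integrity or confidentiality"
        )
    return findings


def remediation_ldif(min_ssf: int = DEFAULT_MIN_SSF) -> str:
    """LDIF for `ldapmodify` that enables both controls (test before rollout)."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"replace: {ATTR_MINSSF}\n"
        f"{ATTR_MINSSF}: {min_ssf}\n"
        "-\n"
        f"replace: {ATTR_SECURE_BINDS}\n"
        f"{ATTR_SECURE_BINDS}: on\n"
    )


# Constructed sample entries; WEAK_CONFIG mirrors the 389-ds defaults.
WEAK_CONFIG = """\
dn: cn=config
nsslapd-minssf: 0
nsslapd-require-secure-binds: off
"""

HARDENED_CONFIG = """\
dn: cn=config
nsslapd-minssf: 56
nsslapd-require-secure-binds: on
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_ldap_config(cfg) or ['OK']}")
    print(remediation_ldif(), end="")
```

Run the audit against each replica, since `cn=config` is per-server and not replicated. Because `nsslapd-minssf` applies to every connection, including anonymous reads of the root DSE that some clients perform before negotiating security, expect the breakage the reply warns about and stage the change on a test instance first; the 389-ds configuration reference documents `nsslapd-minssf-exclude-rootdse` for exactly that case.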