>>Is there a way to have OpenLDAP listening on port 389 (standard ldap)
>>but only accept tls encrypted session?
>
> You can require TLS (SSL) via the slapd.conf(5) security directive.
> The client can then either use ldap:// (to whatever port(s) you have
> configured slapd(8) to listen on) and initiate TLS via
> the Start TLS operation or use ldaps:// (to whatever port(s)
> you have configured slapd(8) on) and initiate TLS upon
> connecting. If you want to restrict clients to using just the
> former or the latter, eliminate one or the other listener.
>
>>I've searched for quite a while and it seems that the only option is
>>to disable listening on port 389 altogether and only listen on port
>>636.
>
> While ldap:// uses 389 by default and ldaps:// uses 636 by default,
> one can actually use ldap:// or ldaps:// on any port.

So the port is independent of the connection type? Can both clear-text
authentication and a secured connection be made on either port (389, 636)?
Then what is the port being used for? I assumed 389 is the clear-text one
and 636 the encrypted (SSL/TLS) one. Can you please confirm this?

>>But this isn't good for my purpose, as some broken clients only work
>>over TLS on port 389
>
> ldap:// on port 389 and use of Start TLS operation to initiate
> TLS (SSL) is the standard way of securing LDAP with TLS.
>
> Kurt
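The exchange Kurt describes, shown at the wire level as an added example (this is not code from the thread or from OpenLDAP). On a plain ldap:// socket, whatever port it sits on, the client sends an LDAP ExtendedRequest carrying the StartTLS OID 1.3.6.1.4.1.1466.20037; if the server answers with an ExtendedResponse of resultCode 0 the TLS handshake then runs on that same socket and every later PDU is protected. A slapd whose slapd.conf(5) `security` directive demands TLS (for example `security tls=1`) answers a bind attempted before StartTLS with resultCode 13, confidentialityRequired, which is why "port 389" and "clear text" are not the same thing. The two server messages below are constructed to have the shape slapd's replies have; the diagnostic text is an assumption, not captured traffic, and the BER helpers cover only the tags this exchange uses.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"      # RFC 4511 section 4.14
CONFIDENTIALITY_REQUIRED = 13                  # LDAP resultCode, RFC 4511 appendix A

# BER tag bytes used by this exchange
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_BIND_RESPONSE = 0x61        # [APPLICATION 1]
TAG_EXTENDED_REQUEST = 0x77     # [APPLICATION 23]
TAG_EXTENDED_RESPONSE = 0x78    # [APPLICATION 24]
TAG_REQUEST_NAME = 0x80         # [0] requestName inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A        # [10] responseName inside ExtendedResponse


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n):
    """Minimal two's-complement integer body (message IDs, result codes)."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def build_starttls_request(msg_id):
    """What the client sends on the still-plain ldap:// socket to ask for TLS."""
    op = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode()))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(msg_id)) + op)


def build_result_message(msg_id, op_tag, result_code, diagnostic="", response_name=None):
    """LDAPMessage carrying an LDAPResult-shaped op (BindResponse or ExtendedResponse)."""
    body = (tlv(TAG_ENUMERATED, ber_int(result_code))
            + tlv(TAG_OCTET_STRING, b"")                  # matchedDN
            + tlv(TAG_OCTET_STRING, diagnostic.encode()))  # diagnosticMessage
    if response_name is not None:
        body += tlv(TAG_RESPONSE_NAME, response_name.encode())
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(msg_id)) + tlv(op_tag, body))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_result_message(msg):
    """Decode one LDAPMessage whose op starts with an LDAPResult."""
    tag, body, end = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("not exactly one LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID missing")
    op_tag, op, _ = read_tlv(body, pos)
    tag, rc, pos = read_tlv(op, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("resultCode missing")
    _, matched, pos = read_tlv(op, pos)
    _, diag, pos = read_tlv(op, pos)
    response_name = None
    while pos < len(op):                       # optional trailing fields
        tag, val, pos = read_tlv(op, pos)
        if tag == TAG_RESPONSE_NAME:
            response_name = val.decode()
    return {
        "msg_id": int.from_bytes(mid, "big", signed=True),
        "op": op_tag,
        "result_code": int.from_bytes(rc, "big", signed=True),
        "matched_dn": matched.decode(),
        "diagnostic": diag.decode(),
        "response_name": response_name,
    }


def starttls_accepted(response):
    """True when the server agreed; the client must now run the TLS handshake
    on the same socket before sending anything else, including its bind."""
    r = parse_result_message(response)
    return r["op"] == TAG_EXTENDED_RESPONSE and r["result_code"] == 0


def bind_needs_tls(response):
    """True when a plain bind was refused with confidentialityRequired, the
    answer a slapd whose security directive demands TLS gives on port 389."""
    r = parse_result_message(response)
    return r["op"] == TAG_BIND_RESPONSE and r["result_code"] == CONFIDENTIALITY_REQUIRED


# Constructed server messages shaped like slapd's replies (not captured traffic;
# the diagnostic string is an assumption).
SAMPLE_BIND_REFUSED = build_result_message(
    1, TAG_BIND_RESPONSE, CONFIDENTIALITY_REQUIRED, diagnostic="confidentiality required")
SAMPLE_STARTTLS_OK = build_result_message(
    2, TAG_EXTENDED_RESPONSE, 0, response_name=STARTTLS_OID)


if __name__ == "__main__":
    print("C: StartTLS request   ", build_starttls_request(2).hex())
    print("S: plain bind refused?", bind_needs_tls(SAMPLE_BIND_REFUSED))
    print("S: StartTLS accepted? ", starttls_accepted(SAMPLE_STARTTLS_OK))
```

The request bytes that `build_starttls_request(1)` produces are the same 31 octets a standard client emits for `ldapsearch -ZZ` against `ldap://host:389/`; nothing in them names a port, which is the point of the thread: the listener only decides where the socket lands, and the `security` directive decides whether the server will do anything useful on it before TLS is up.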
