Andreas Hasenack writes:
> I'm trying to avoid mistakes and configure a server and/or client to
> force the use of start tls. So, if someone binds to the server and
> accidentally forgets to configure start_tls on the client, the
> connection is rejected.
>
> The problem is that the rejection happens too late: the client
> password was already sent to the server in clear text.

If you want to ensure it on the server side, all you can do is not
listen for ldap:// connections since they start out unencrypted.
ldap:// connections have no initial protocol exchange which the server
can reject. Instead listen to ldaps://, "LDAP over SSL (aka TLS)".

> I guess what I need is a setting in /etc/openldap/ldap.conf similar to
> the sasl minssf property, but for non-sasl binds. Is there such a thing?
> Something that would behave as if -ZZ was always added to the openldap
> command-line tools.

Yes.

    URI ldaps://fully.qualified.server-hostname/
    TLS_CACERT <file with the CA-certificate which signed the server cert>
    TLS_REQCERT demand

-- 
Regards, Hallvard
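As an added illustration (not part of the thread above, and not OpenLDAP's own code), the following Python script audits a client-side ldap.conf for the three settings the reply recommends: an ldaps:// URI, a TLS_CACERT (or TLS_CACERTDIR) so the server certificate can be verified, and TLS_REQCERT demand. It flags any plain ldap:// URI, since that is the case where a simple bind ships the password before STARTTLS could be enforced. The two sample configurations embedded in it are constructed; the hostname and CA path in them are placeholders.

```python
# Added example: audit an OpenLDAP client ldap.conf for the settings
# recommended in the reply (ldaps:// URI, TLS_CACERT, TLS_REQCERT demand).
# Sample configurations below are constructed, not taken from a real host.

# Constructed sample: the client the question worries about, which still
# uses plain ldap:// and would send a simple-bind password in the clear.
WEAK_CONF = """
URI ldap://ldap.example.test/
BASE dc=example,dc=test
"""

# Constructed sample: the client configured as the reply suggests.
HARDENED_CONF = """
URI ldaps://ldap.example.test/
BASE dc=example,dc=test
TLS_CACERT /etc/openldap/certs/ca.pem   # placeholder path
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Parse ldap.conf(5)-style 'KEYWORD value' lines into {KEYWORD: [values]}.

    Keywords are case-insensitive, '#' starts a comment, and a keyword may
    appear more than once (later occurrences are kept in order)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means every configured URI
    is TLS from the first byte and the server certificate will be verified."""
    conf = parse_ldap_conf(text)
    findings = []

    # URI may list several space-separated URIs on one line or on several lines.
    uris = []
    for value in conf.get("URI", []):
        uris.extend(value.split())
    if not uris:
        findings.append("no URI configured: the tools fall back to a plain ldap:// default")
    for uri in uris:
        scheme = uri.split("://", 1)[0].lower()
        if scheme == "ldap":
            findings.append(
                f"{uri}: plain ldap:// - a simple bind sends the password "
                "before the server can require STARTTLS"
            )
        elif scheme == "ldapi":
            continue  # local Unix-domain socket, never crosses the network
        elif scheme != "ldaps":
            findings.append(f"{uri}: unrecognised URI scheme")

    # Without a CA to check against, TLS protects against eavesdropping only,
    # not against connecting to an impostor server.
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: server certificate cannot be verified")

    # ldap.conf(5) defaults TLS_REQCERT to 'demand'; only weaker explicit
    # values ('never', 'allow', 'try') are a finding.
    reqcert = conf.get("TLS_REQCERT", ["demand"])[-1].lower()
    if reqcert not in ("demand", "hard"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not enforced")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_ldap_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Point it at a real /etc/openldap/ldap.conf by reading the file into a string and passing it to audit_ldap_conf; the parser only handles the flat keyword/value form of ldap.conf(5), so per-user ~/.ldaprc files and environment overrides still need to be checked separately.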
