On Wed, Jul 04, 2007 at 05:53:24PM +0200, Hallvard B Furuseth wrote:
> > The problem is that the rejection happens too late: the client
> > password was already sent to the server in clear text.
>
> If you want to ensure it on the server side, all you can do is not
> listen for ldap:// connections since they start out unencrypted.
> ldap:// connections have no initial protocol exchange which the server
> can reject. Instead listen to ldaps://, "LDAP over SSL (aka TLS)".
>
> > I guess what I need is a setting in /etc/openldap/ldap.conf similar to
> > the sasl minssf property, but for non-sasl binds. Is there such a thing?
> > Something that would behave as if -ZZ was always added to the openldap
> > command-line tools.
>
> Yes.
>
> URI ldaps://fully.qualified.server-hostname/
> TLS_CACERT <file with the CA-certificate which signed the server cert>
> TLS_REQCERT demand
The only problem is that I really want start_tls, and not ldaps (which is deprecated, right?).
