On 26/02/12 12:15, Dieter Klünter wrote:
> On Sun, 26 Feb 2012 11:49:14 +0100
> Daniel Pocock <[email protected]> wrote:
>
>> Is there some way to ensure that a client who connects on port 389 can
>> do nothing without StartTLS?
>>
>> Or is it necessary to just disable port 389 and only listen for
>> ldaps:/// ?
>
> read on TLS OPTIONS in
> man ldap.conf(5) and man slapd.conf(5)
Thanks for the fast reply.

I'm not keen to rely on ldap.conf (client-side config) - I want to enforce a preference for TLS from the server side, to avoid a situation where some application might be configured non-TLS by mistake.

I've looked at the TLS options and I have TLS running fine already. I notice the TLSCipherSuite option sets the cipher level within TLS, but it doesn't appear to guarantee that TLS is used.

To make an analogy, in postfix, I require 'plain' authentication, but the client is not allowed to try to authenticate until it has done StartTLS, because I never want a client to try sending a password over a channel that is not encrypted.

For the moment, I have just disabled port 389.
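The server-side enforcement asked about above is the `security` directive in slapd.conf(5), not the `TLS*` options. The fragment below is an added example, not configuration posted by anyone in the thread; the certificate paths are placeholders, and the rest uses only directives documented in slapd.conf(5). It shows the weak setup the post describes (TLS offered but optional) next to the setting that makes slapd refuse every operation except StartTLS until a strong enough layer is in place.

```conf
# slapd.conf fragment (added example; paths are assumptions).

# --- Weak: TLS is available, but a client that never issues StartTLS can
# --- still bind with a cleartext password on port 389.
TLSCertificateFile      /etc/ldap/ssl/server.crt
TLSCertificateKeyFile   /etc/ldap/ssl/server.key
TLSCipherSuite          HIGH:!aNULL:!MD5

# --- Hardened: require an overall security strength factor of at least 128
# --- before any operation other than StartTLS is accepted. A plain ldap://
# --- connection has SSF 0, so a bind or search on it is rejected with
# --- "confidentiality required"; after StartTLS (or on ldaps://) the SSF is
# --- the negotiated cipher's key size (128 for AES-128, 256 for AES-256),
# --- so port 389 can stay open without accepting cleartext traffic.
security ssf=128

# Local ldapi:// clients have no TLS layer; without this they would be
# rejected too. localSSF defaults to 71, so raise it to meet the requirement.
localSSF 128

# Narrower alternative, closest to the postfix analogy: only refuse simple
# (password) binds on an unprotected channel, leave other operations alone.
# security simple_bind=128
```

`security ssf=128` is the global form; the same directive inside a `database` section applies to that database only, and `tls=128` instead of `ssf=128` insists specifically on a TLS layer, which then also rejects ldapi:// clients regardless of `localSSF`. Check the result with `ldapwhoami -x -H ldap://host -D ... -W` (should fail with "confidentiality required") and the same command with `-ZZ` (should succeed).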
