Am Sun, 26 Feb 2012 12:39:26 +0100 schrieb Daniel Pocock <[email protected]>:
> On 26/02/12 12:15, Dieter Klünter wrote:
> > Am Sun, 26 Feb 2012 11:49:14 +0100
> > schrieb Daniel Pocock <[email protected]>:
> >
> >> Is there some way to ensure that a client who connects on port 389
> >> can do nothing without StartTLS?
> >>
> >> Or is it necessary to just disable port 389 and only listen for
> >> ldaps:/// ?
> >
> > read on TLS OPTIONS in
> > man ldap.conf(5) and man slapd.conf(5)
>
> Thanks for the fast reply
>
> I'm not keen to rely on ldap.conf (client side config) - I want to
> enforce a preference for TLS from the server side, to avoid a
> situation where some application might be configured non-TLS by
> mistake.
>
> I've looked at the TLS options and I have TLS running fine already. I
> notice the TLSCipherSuite option sets the cipher level within TLS, but
> it doesn't appear to guarantee that TLS is used.

From man slapd.conf

TLSVerifyClient <level>
    demand | hard | true
        These keywords are all equivalent, for compatibility reasons. The
        client certificate is requested. If no certificate is provided, or
        a bad certificate is provided, the session is immediately
        terminated.

> To make an analogy, in postfix, I require `plain' authentication: but
> the client is not allowed to try to authenticate until it has done
> StartTLS, because I never want a client to try sending a password
> over a channel that is not encrypted.

Postfix is an LDAP client, thus all client configurations apply
according to man ldap.conf(5).

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
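As an added illustration (editor's example, not from the thread), the server-side enforcement Daniel asks about is what the `security` directive in slapd.conf(5) provides: slapd answers any operation on a session whose security strength factor (SSF) is below the required value with confidentialityRequired, while the StartTLS extended operation itself is exempt, so a client on port 389 can do nothing but StartTLS. The `localSSF` line assumes the server also listens on ldapi:/// for local administration.

```conf
# slapd.conf, global section (before the first "database" line).
# Added example; assumes TLSCertificateFile/TLSCertificateKeyFile are
# already configured and slapd listens on ldap:/// and ldapi:///.

# Require a 128-bit SSF for every operation. A cleartext session on port
# 389 gets confidentialityRequired for anything except StartTLS, and a
# client that never issues StartTLS cannot bind or search at all.
# ssf=128 is satisfied by TLS or a SASL confidentiality layer; use
# tls=128 instead to accept only TLS (note that tls= would also refuse
# ldapi:/// sessions, which carry no TLS SSF).
#
# simple_bind=128 states the password-specific rule explicitly: a simple
# bind is refused unless the channel already provides 128 bits.
security ssf=128 simple_bind=128

# ldapi:/// sessions get this SSF instead of a TLS one. The default is
# 71, so without raising it the local admin tools would be refused too.
localSSF 128
```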
