Dieter Klünter wrote:
> On Sun, 26 Feb 2012 12:39:26 +0100
> Daniel Pocock <[email protected]> wrote:
>> On 26/02/12 12:15, Dieter Klünter wrote:
>>> On Sun, 26 Feb 2012 11:49:14 +0100
>>> Daniel Pocock <[email protected]> wrote:
>>>> Is there some way to ensure that a client who connects on port 389
>>>> can do nothing without StartTLS?
>>>> Or is it necessary to just disable port 389 and only listen for
>>>> ldaps:/// ?
>>> read on TLS OPTIONS in
>>> man ldap.conf(5) and man slapd.conf(5)
>> Thanks for the fast reply
>> I'm not keen to rely on ldap.conf (client side config) - I want to
>> enforce a preference for TLS from the server side, to avoid a
>> situation where some application might be configured non-TLS by
>> mistake.
>> I've looked at the TLS options and I have TLS running fine already. I
>> notice the TLSCipherSuite option sets the cipher level within TLS, but
>> it doesn't appear to guarantee that TLS is used.
>> From man slapd.conf
>>   TLSVerifyClient <level>
>>     demand | hard | true
>>       These keywords are all equivalent, for
>>       compatibility reasons. The client certificate is
>>       requested. If no certificate is provided, or a bad
>>       certificate is provided, the session is immediately terminated.
>> To make an analogy, in postfix, I require `plain' authentication: but
>> the client is not allowed to try to authenticate until it has done
>> StartTLS, because I never want a client to try sending a password
>> over a channel that is not encrypted.
> Postfix is an LDAP client, thus all client configurations apply
> according to man ldap.conf(5).
Dieter, no.
Josh Miller's post was correct.
http://www.openldap.org/lists/openldap-technical/201202/msg00414.html
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
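The thread leaves the server-side answer to Josh Miller's linked post. As an added illustration from the editor, not text from any message above and not a reproduction of that post: what makes a plain connection on port 389 useless until the client has issued StartTLS is slapd's `security` directive (slapd.conf(5)), or its cn=config equivalent `olcSecurity`, which tells slapd to refuse operations unless a minimum security strength factor is in place on the connection. `TLSVerifyClient`, quoted above, only governs client certificates and does not do this. The database name `olcDatabase={1}mdb` below is an assumption; point it at the database that holds your data.

```ldif
# Added example (editor's own, not from the thread): make slapd refuse
# every operation on this database unless the connection is TLS-protected
# with a strength factor of at least 128. Applied to the data database,
# not globally, so that cn=config stays reachable over ldapi:///.
# Assumption: the user data lives in olcDatabase={1}mdb; change as needed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=128
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif`; the slapd.conf equivalent is a `security tls=128` line inside the database section. To check it, `ldapsearch -x -H ldap://host/ -b dc=example,dc=com` (a cleartext simple bind and search) should now fail with "Confidentiality required (13)", while the same command with `-ZZ` added succeeds. Two caveats: the StartTLS extended operation itself is exempt from the restriction, otherwise no client could ever upgrade the connection; and `tls=` is deliberately used here instead of `ssf=`, because `ssf=` is also satisfied by a SASL confidentiality layer or by the `olcLocalSSF` value of an ldapi:// socket, whereas the question was specifically about requiring TLS.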