----- Original Message -----
> From: "Chuck Lever" <[email protected]>
> To: "Wiebe Cazemier" <[email protected]>
> Cc: [email protected]
> Sent: Friday, 21 December, 2012 4:39:21 PM
> Subject: Re: Forcing TLS encryption
>
> ...
>
> I added an olcSecurity attribute to the database directives for the
> parts of the server's DIT where I wish to require TLS. To start
> with I set the value "tls=1".
>
> See also:
>
> http://itsecureadmin.com/tag/openldap/
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
I got it to work (the connection won't be allowed without TLS), but I can still capture the password with tcpdump.

To elaborate: I successfully set tls=1 with:

dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

When I do an ldapsearch now, it says TLS is required:

$ ldapsearch -Hldap://myhost:389 -D"uid=user,ou=people,dc=domain,dc=com" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required

However, when I capture the traffic with tcpdump, I can still see the password being sent. With FTP requiring TLS, the server rejects the connection after the login command, so you don't get the chance to send your password. Is there a way to do that here too?
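The behaviour described in the post above, as an added example that is not part of the original thread or of OpenLDAP itself: the password leaves the client inside the LDAP BindRequest PDU, and olcSecurity is evaluated when slapd processes that request, so the cleartext credential is already on the wire by the time the "Confidentiality required (13)" BindResponse comes back. Only the client can keep it off the wire, by negotiating TLS before binding (ldapsearch -ZZ issues StartTLS first and aborts if it fails; ldaps:// wraps the whole connection). The script below is a small BER/LDAP encoder and decoder with no external dependencies. It builds two constructed client-to-server byte streams (the DN is the one from the post, the password is a made-up sample value, and all function names are my own) and scans them the way a sniffer would, reporting any simple bind that appears before a StartTLS ExtendedRequest.

```python
"""Added example: why olcSecurity tls=1 cannot stop a cleartext simple bind.

A minimal BER/LDAP encoder and decoder that builds two constructed
client-to-server streams and scans them for simple binds sent before StartTLS.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

# ---- BER helpers (definite-length encoding only, which is what LDAP uses) ----

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag/length/value triple, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _int(value: int) -> bytes:
    """BER INTEGER for non-negative values (a 0x00 lead byte keeps the sign bit clear)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _read_tlv(buf: bytes, off: int):
    """Decode the TLV starting at buf[off]; returns (tag, value, offset_after)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    return tag, buf[off:off + length], off + length


# ---- LDAP PDU builders (tags per RFC 4511) ----

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _tlv(0x60, _int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _int(msg_id) + bind)


def build_starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _int(msg_id) + ext)


# ---- Sniffer-side scan ----

def parse_messages(stream: bytes):
    """Split a client-to-server byte stream into (msg_id, op_tag, op_body) tuples."""
    messages, off = [], 0
    while off < len(stream):
        tag, body, off = _read_tlv(stream, off)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage SEQUENCE before offset %d" % off)
        _, id_bytes, pos = _read_tlv(body, 0)
        op_tag, op_body, _ = _read_tlv(body, pos)
        messages.append((int.from_bytes(id_bytes, "big"), op_tag, op_body))
    return messages


def find_cleartext_binds(stream: bytes):
    """Return [(msg_id, dn, password)] for every simple bind that precedes StartTLS.

    Scanning stops at the StartTLS request: in a real capture everything after it
    is TLS record data rather than LDAP, so nothing past that point is readable.
    """
    findings = []
    for msg_id, op_tag, op_body in parse_messages(stream):
        if op_tag == 0x77:  # ExtendedRequest
            name_tag, name, _ = _read_tlv(op_body, 0)
            if name_tag == 0x80 and name == STARTTLS_OID:
                break
        elif op_tag == 0x60:  # BindRequest
            _, _version, pos = _read_tlv(op_body, 0)
            _, dn, pos = _read_tlv(op_body, pos)
            auth_tag, cred, _ = _read_tlv(op_body, pos)
            if auth_tag == 0x80:  # simple authentication: the cleartext password
                findings.append((msg_id, dn.decode(), cred.decode()))
    return findings


# Constructed sample traffic. The DN is the one from the post; the password is made up.
SAMPLE_DN = "uid=user,ou=people,dc=domain,dc=com"
SAMPLE_PASSWORD = "s3cret-example"

# What "ldapsearch -H ldap://host:389 -D ... -W" sends: the bind goes out first;
# the server's "Confidentiality required (13)" can only arrive after this.
PLAIN_CLIENT_STREAM = build_simple_bind(1, SAMPLE_DN, SAMPLE_PASSWORD)

# What "ldapsearch -ZZ" sends: StartTLS first, then the bind inside TLS
# (shown here as a plain PDU after the StartTLS request, for illustration only).
STARTTLS_CLIENT_STREAM = build_starttls_request(1) + build_simple_bind(2, SAMPLE_DN, SAMPLE_PASSWORD)

if __name__ == "__main__":
    print("without StartTLS:", find_cleartext_binds(PLAIN_CLIENT_STREAM))
    print("with -ZZ        :", find_cleartext_binds(STARTTLS_CLIENT_STREAM))
```

Run it with python3 and the first stream yields the DN and password, the second yields nothing. To use the same scan on real traffic, feed it the reassembled client-to-server TCP payload of a port 389 session from a tcpdump capture; a non-empty result means a client on that host is binding before (or without) StartTLS and needs -ZZ or ldaps:// on the client side, because the server-side olcSecurity setting only refuses the bind after the fact.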
