On Mon, 24 Dec 2012 10:14:39 +0100 (CET), Wiebe Cazemier <[email protected]> wrote:
> ----- Original Message -----
> > From: "Chuck Lever" <[email protected]>
> > To: "Wiebe Cazemier" <[email protected]>
> > Cc: [email protected]
> > Sent: Friday, 21 December, 2012 4:39:21 PM
> > Subject: Re: Forcing TLS encryption
> >
> > ...
> >
> > I added an olcSecurity attribute to the database directives for the
> > parts of the server's DIT where I wish to require TLS. To start
> > with I set the value "tls=1".
> >
> > See also:
> >
> > http://itsecureadmin.com/tag/openldap/
> >
> > --
> > Chuck Lever
> > chuck[dot]lever[at]oracle[dot]com
>
> I got it to work (connection won't be allowed without TLS), but I can
> still capture the password with tcpdump. To elaborate:
>
> I successfully set tls=1 with:
>
> dn: cn=config
> changetype: modify
> add: olcSecurity
> olcSecurity: tls=1
>
> When I do an ldapsearch now, it says TLS is required:
>
> $ ldapsearch ldapsearch -Hldap://myhost:389
> -D"uid=user,ou=people,dc=domain,dc=com" -W
> Enter LDAP Password:
> ldap_bind: Confidentiality required (13)
>         additional info: TLS confidentiality required

In order to initiate Transport Layer Security you have to call the extended operation ldapSTARTTLS.

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
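An added example, not code from this thread, that shows on the wire what Dieter's answer means: the client has to send the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) before it binds, because olcSecurity tls=1 only makes the server refuse the bind after the simple-bind password has already crossed the network in the clear, which is exactly what tcpdump showed. The decoder below classifies raw LDAP PDUs (constructed samples, no real server needed) so a defender can tell a cleartext BindRequest from a StartTLS request in a capture.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # OID of the StartTLS extended operation

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV (short definite length is enough for these PDUs)."""
    assert len(body) < 0x80, "example keeps to short-form lengths"
    return bytes([tag, len(body)]) + body

def _parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV at pos; handles long lengths too."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long form: next N bytes hold the length
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def _children(body: bytes) -> list:
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _parse_tlv(body, pos)
        out.append((tag, val))
    return out

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)

def simple_bind_request(dn: bytes, password: bytes, msg_id: int = 1) -> bytes:
    """Constructed sample of the BindRequest that ldapsearch -D ... -W sends without -Z."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn) + _tlv(0x80, password))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def classify(pdu: bytes) -> dict:
    """Decode one LDAPMessage and report whether it carries a cleartext credential."""
    tag, body, _ = _parse_tlv(pdu)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    (_, mid), (op_tag, op_body) = _children(body)[:2]
    info = {"msg_id": int.from_bytes(mid, "big"), "cleartext_password": None}
    if op_tag == 0x77:                     # ExtendedRequest: is it StartTLS?
        name = next(v for t, v in _children(op_body) if t == 0x80)
        info.update(op="ExtendedRequest", starttls=(name == STARTTLS_OID))
    elif op_tag == 0x60:                   # BindRequest: [0] simple = password in clear
        (_, _), (_, dn), (auth_tag, cred) = _children(op_body)
        info.update(op="BindRequest", dn=dn.decode(),
                    cleartext_password=cred if auth_tag == 0x80 else None)
    else:
        info["op"] = f"protocolOp tag 0x{op_tag:02x}"
    return info
```

On the client side the fix is to send this request first and refuse to continue if it fails, which the OpenLDAP tools do with ldapsearch -ZZ and python-ldap with start_tls_s() before simple_bind_s().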
