
Re: ldap.conf TLS



At 09:24 PM 2002-06-16, David Wright wrote:
>>Now that we have StartTLS, it's possible to implement the "Try"
>>and "Demand" levels using StartTLS. Is it worth doing?
>
>Isn't this what -Z and -ZZ do on the client-side already?
>
>What would really be useful (for me :-) anyway) is the ability to demand TLS on the server side. I'd like to allow connections to port 389, but demand that clients STARTTLS before any requests are processed.

See the security directive in slapd.conf(5).

>(Even better would be to allow anonymous requests without TLS, but require TLS for authentication!)

You can do this using ACLs to restrict access to userPassword
to sessions which have SSF > 1.  I posted an example of this
to the software list just last week... and updated the
admin guide.

One could add a "disallow bind_in_the_clear" option fairly
easily.  Feel free to code it up.

Kurt
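
Added example, not part of Kurt's message or of the OpenLDAP documentation: the two server-side settings the thread describes, written as a slapd.conf(5) fragment. Variant 1 uses the security directive to reject every operation on a session that has not done StartTLS; variant 2 leaves anonymous requests alone and uses an ACL on userPassword so that only a TLS-protected session can bind or read the password. The hostnames, file paths, suffix, backend type and the 128-bit threshold are assumptions chosen for illustration; the message itself only says SSF > 1.

```conf
# Added example; not code from the original message. Paths, suffix, backend
# and the 128-bit strength threshold are assumptions for illustration.

# Certificate material so that slapd can honour StartTLS on port 389
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/slapd-key.pem

# --- Variant 1: demand TLS for every request (what David asked for) ---
# Any operation on a session whose TLS SSF is below 128 is refused with
# confidentialityRequired, so clients must issue StartTLS first
# (ldapsearch -ZZ ...). Uncomment to enable; it applies globally here,
# but the directive can also be placed inside a database section.
#security tls=128

# --- Variant 2: anonymous in the clear, authentication only over TLS ---
# No global security requirement. The ACL below hides userPassword from
# any session with SSF below 128, so a simple bind sent in the clear
# lacks the "auth" privilege and fails, while searches still work.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# First matching "by" clause wins: self-write and anonymous-auth are only
# granted on protected sessions; everyone else gets nothing at all.
access to attrs=userPassword
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none

# Everything else stays readable without TLS
access to *
        by * read
```

Two caveats a practitioner would want. First, binds as the rootdn bypass ACLs entirely, so variant 2 does not stop a rootpw going out in the clear; only the security directive (variant 1) does that, and later releases of slapd.conf(5) also document a simple_bind=<n> factor for exactly the "disallow bind in the clear" case Kurt mentions. Second, the server cannot demand StartTLS on the client's behalf: a client must still ask for it, which is what -Z (try) and -ZZ (demand) do for the command-line tools, with TLS_CACERT and TLS_REQCERT demand in ldap.conf(5) so the server certificate is actually verified.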