
Re: Re: How to Force TLS/SSL connection Only ?

Hi, Peter and all :-)
>> ################ Begin ###################################
>> TLSCertificateFile    /usr/local/etc/openldap/server.crt
>> TLSCertificateKeyFile /usr/local/etc/openldap/server.key
>> TLSCACertificateFile  /usr/share/ssl/misc/demoCA/cacert.pem
>> TLSVerifyClient       demand
>> ################ End  ####################################
>>
>> And in ldap.conf ,add:
>> ################# Begin ###############################
>> TLS_CACERT      /usr/share/ssl/misc/demoCA/cacert.pem
>> TLS             hard
Now, I marked off the line with "#" to test anonymous and users' access.
#TLS			hard

>With all those TLS lines above you told the server (and the clients) 
>how to behave in case of a LDAPS connection and a LDAP connection with 
>start_tls, but you did not forbid the server to use unencrypted, anonymous 
>connections.
>This is usually done using ACLS in the slapd.conf file.
>(the lines above are no ACLs but SSL configuration options)
Now I don't allow anonymous users to access the server and allow ONLY users with valid certificates to read.
I added a few lines in slapd.conf:

access to * by * none
access to *
        by self  write
        by users read

Is it right or enough?
I still cannot reach my goal! :(
It doesn't return any results, whatever I search for, on port 389 or 636, and no error messages are returned.

>> BTW: What's meaning of the option "-x" in command "ldapsearch" ? "Simple
>> Authentication"? It's different from "Anonymous",but why it need not
>> userid&password ?
>It is "simple authentication" opposed to "SASL authentication".
>Simple authentication needs bindDN (= user) & password.
>Anonymous is "no authentication".
I mean, with the "-x" option it should be "Simple Authentication" access,
but it returns the right results without my inputting any "user&pwd",
just like anonymous style.
Why?


Thanks again.

Zhangfei
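As an added example for this thread (not the poster's or Peter's configuration), here is a slapd.conf fragment that places the ACL order from the message beside a reordered version, together with the directives that make the server itself refuse unencrypted and anonymous sessions. The file paths are the ones quoted in the thread; the TLS strength value of 128 is an assumption, as is the decision to keep a blanket deny as the last rule.

```conf
# Added example for this thread, not the configuration of the poster or of
# the OpenLDAP project. Paths reuse the ones quoted in the thread; the
# strength value 128 is an assumption.

TLSCertificateFile    /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSCACertificateFile  /usr/share/ssl/misc/demoCA/cacert.pem
TLSVerifyClient       demand

# Refuse any operation on a session whose TLS strength is below 128 bits.
# This covers both ldaps:// on 636 and StartTLS on 389; a plain connection
# on 389 gets an error instead of an empty result.
security tls=128
# Reject anonymous simple binds instead of silently treating the client
# as anonymous (this is what "ldapsearch -x" without -D/-w performs).
disallow bind_anon
# Require an authenticated identity before any other operation.
require authc

### ACL order as posted. slapd evaluates "access to" clauses in order and
### the first one whose target matches wins, so "access to * by * none"
### denies every request and the second clause is never consulted. That
### yields empty search results with no error for every client.
# access to * by * none
# access to *
#         by self  write
#         by users read

### Reordered: specific grants first, blanket deny last. The tls_ssf=128
### qualifier means the grant only applies on a session with TLS of at
### least that strength (value assumed), so a cleartext but authenticated
### client still falls through to "by * none".
access to *
        by tls_ssf=128 self  write
        by tls_ssf=128 users read
        by * none
```

With `TLSVerifyClient demand` the client certificate is always checked, but the identity that `by users` tests for still comes from the bind: a client that binds anonymously is not a "user" even when its certificate is valid, so the last rule applies. To make the certificate itself the identity, the client binds with SASL EXTERNAL over TLS and the server maps the certificate subject DN to a directory entry with an authz-regexp (sasl-regexp in older releases) rule; that mapping is omitted here because it depends on the local naming scheme.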