Re: Forcing start_tls on client connections?
Hello.
If you search the mailing list archives, you'll find I asked a similar
question earlier.
I believe the recommended solution to this is to use the directive:

    security tls=<#>

in slapd.conf, where <#> should be replaced with the "strength" of the
cryptography being used, e.g. 128. This takes the same type of
argument as the security ssf directive.

According to the FAQ on openldap.org, ldaps:// is deprecated in favor
of TLS on the standard ldap port.

--- Gavin Henry <ghenry@suretecsystems.com> wrote:
> Dear List,
>
> If running on the started 389 port, is it possible to only allow TLS
> connections?
>
> Or is the better way to switch off port 389 and only listen on
> ldaps:/// ??
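
An added example, not part of the original message: a small Python check that a slapd.conf sets the `security tls=<#>` factor discussed above to at least a chosen strength. The sample configuration is constructed, the function names are hypothetical, and the check assumes only the global section (before the first `database` or `backend` line) matters.

```python
# Constructed sample slapd.conf content (not from the original post).
SAMPLE_CONF = """\
# global section
include /etc/openldap/schema/core.schema
security ssf=1
  update_ssf=112 tls=128
database bdb
suffix "dc=example,dc=com"
"""

def logical_lines(text):
    """Yield slapd.conf logical lines: lines starting with '#' are comments,
    and a line starting with whitespace continues the previous line."""
    current = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw[:1] in (" ", "\t"):
            if current is not None:
                current += " " + raw.strip()
            continue
        if current:
            yield current
        current = raw.strip()
    if current:
        yield current

def global_security_factors(text):
    """Collect factor=value pairs from 'security' directives that appear
    before the first database/backend section (assumption: global scope)."""
    factors = {}
    for line in logical_lines(text):
        words = line.split()
        key = words[0].lower()
        if key in ("database", "backend"):
            break
        if key == "security":
            for word in words[1:]:
                name, _, value = word.partition("=")
                if value.isdigit():
                    factors[name.lower()] = int(value)
    return factors

def tls_enforced(text, minimum=128):
    """True when the global 'security' directive sets tls= to at least
    'minimum'; a missing tls factor counts as 0."""
    return global_security_factors(text).get("tls", 0) >= minimum
```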