
Re: How to only accept TLS connection on port 389



Hi

On 1/22/07, S Kalyanasundaram <skalyanasundaram@novell.com> wrote:
> So the port is independent of the connection type?

The only reason I asked this question was because I haven't found a way to force a TLS connection over 389 without also allowing non-encrypted connections.

I found here:
http://www.openldap.org/doc/admin23/security.html

that I could use the option:
disallow bind_simple_unprotected

However, this option seems to be invalid and gives me the error:
/usr/local/etc/openldap/slapd.conf: line 31: <disallow> unknown
feature bind_simple_unprotected

So either I'm not typing it correctly, or the documentation is incorrect.

In the meantime, security ssf=56 and update_ssf=56 seem to do the
trick. I can only authenticate with the LDAP server if encryption is
used...
Finding the right documentation is rather a challenge :(

> The clear-text authentication as well as the secured connection can be made on both ports (389, 636)?
> Then what is the port being used for?
That would be 636, which would then only allow an SSL connection or a
StartTLS one, never a clear-text one.

> I assumed 389 is the clear-text one and 636 the encrypted (SSL/TLS) one.
> Can you please make sure of this?
Yes, I'm sure :)

Thank you all for your help.
Regards,
Jean-Yves
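The thread's conclusion is that the listener port does not decide whether a clear-text simple bind is accepted; the global `security` factors in slapd.conf do. The following checker is an added example (not code from the thread or from the OpenLDAP project) that reads the global section of a slapd.conf fragment and reports whether an unprotected simple bind would still get through. It assumes slapd checks any positive ssf/transport/tls/sasl/simple_bind minimum against the session on a bind, that the update_* factors only constrain write operations, and it does not model per-database `security` overrides.

```python
# Security-factor names in slapd.conf's `security` directive that slapd checks
# against the live session on every operation, including bind. A clear-text
# session over ldap:// scores 0 on all of them, so any positive minimum refuses
# an unprotected simple bind. The update_* factors (such as the update_ssf=56
# from the post) only apply to write operations and do not protect the bind.
BIND_FACTORS = ("ssf", "transport", "tls", "sasl", "simple_bind")

def parse_global_security(conf_text):
    """Return (factors, obsolete_lines) from the global section of slapd.conf.

    Only directives before the first `database` line are considered; this
    example checker does not model per-database `security` overrides.
    """
    factors, obsolete = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "database":             # end of the global section
            break
        if keyword == "security":
            for item in parts[1:]:
                name, _, value = item.partition("=")
                factors[name.lower()] = int(value) if value.isdigit() else 0
        elif keyword == "disallow" and "bind_simple_unprotected" in (p.lower() for p in parts[1:]):
            obsolete.append(raw.strip())      # the directive the post's slapd reports as unknown
    return factors, obsolete

def clear_text_simple_bind_allowed(factors):
    """True when no bind-relevant factor forces encryption (the port number is irrelevant)."""
    return all(factors.get(name, 0) == 0 for name in BIND_FACTORS)

def audit(conf_text):
    """List the findings a defender cares about for the given slapd.conf text."""
    factors, obsolete = parse_global_security(conf_text)
    findings = []
    if obsolete:
        findings.append("directive slapd does not recognise: " + "; ".join(obsolete))
    if clear_text_simple_bind_allowed(factors):
        findings.append("clear-text simple bind accepted on every listener, including 389")
    return findings

# Constructed slapd.conf fragments (not from the post) for a stand-alone run.
if __name__ == "__main__":
    for fragment in ("security ssf=56 update_ssf=56\n",
                     "security update_ssf=56\n",
                     "disallow bind_simple_unprotected\n"):
        print(repr(fragment), audit(fragment))
```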