
Re: force use of start_tls: how?



On Wed, Jul 04, 2007 at 05:53:24PM +0200, Hallvard B Furuseth wrote:
> > The problem is that the rejection happens too late: the client
> > password was already sent to the server in clear text.
> 
> If you want to ensure it on the server side, all you can do is not
> listen for ldap:// connections since they start out unencrypted.
> ldap:// connections have no initial protocol exchange which the server
> can reject.  Instead listen to ldaps://, "LDAP over SSL (aka TLS)".
> 
> > I guess what I need is a setting in /etc/openldap/ldap.conf similar to
> > the sasl minssf property, but for non-sasl binds. Is there such a thing?
> > Something that would behave as if -ZZ was always added to the openldap
> > command-line tools.
> 
> Yes.
> 
> URI		ldaps://fully.qualified.server-hostname/
> TLS_CACERT	<file with the CA-certificate which signed the server cert>
> TLS_REQCERT	demand

The only problem is that I really want start_tls, and not ldaps (which
is deprecated, right?).
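
As an added illustration, not part of the thread and not an OpenLDAP feature: since the quoted answer offers ldaps:// rather than a ldap.conf setting that forces StartTLS before a simple bind, the "behave as if -ZZ was always added" behaviour can be approximated on the client side with a POSIX sh wrapper around the command-line tools. The classifier below also makes the trap explicit: a bare -Z only attempts StartTLS and lets the bind proceed in plaintext if it fails, whereas -ZZ aborts. The server name ldap.example.com is a placeholder of mine, and the wrapper is mine, not the original poster's or the project's.

```shell
#!/bin/sh
# Added example, not from the thread and not an OpenLDAP feature: wrap the
# OpenLDAP command-line tools so they act as if -ZZ were always given, i.e.
# a simple bind is never attempted over an unencrypted ldap:// session.
# Assumption (mine): ldap.example.com is a hypothetical server.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com/}"

# tls_mode URI [ARGS...]
# Classifies how credentials would travel for the given URI and tool args:
#   ldaps             TLS from the first byte; StartTLS neither needed nor allowed
#   starttls          -ZZ present: StartTLS required, the tool aborts if it fails
#   starttls-optional -Z only: StartTLS attempted, but the bind still goes out
#                     in plaintext if it fails (the trap to avoid)
#   plaintext         nothing requested: the password is sent in the clear
tls_mode() {
    uri=$1; shift
    case "$uri" in
        ldaps://*) echo ldaps; return 0 ;;
    esac
    mode=plaintext
    for a in "$@"; do
        case "$a" in
            -ZZ) mode=starttls; break ;;
            -Z)  mode=starttls-optional ;;
        esac
    done
    echo "$mode"
}

# safe_for_bind URI [ARGS...]
# Succeeds only when a simple bind cannot leave the client unencrypted.
safe_for_bind() {
    case "$(tls_mode "$@")" in
        ldaps|starttls) return 0 ;;
        *) return 1 ;;
    esac
}

# Wrapper for ldapsearch: prepend -ZZ on ldap:// URIs and leave ldaps://
# alone, because StartTLS on an already-encrypted session is an error.
# "set --" keeps each argument intact, so filters containing spaces survive.
# A bare -Z supplied by the caller is harmless, since -ZZ already makes the
# tool strict.
ldapsearch_tls() {
    case "$LDAP_URI" in
        ldaps://*) ;;
        *) set -- -ZZ "$@" ;;
    esac
    ldapsearch -H "$LDAP_URI" "$@"
}
```

The same pattern applies to ldapmodify, ldapadd and the other tools; the point is that the decision to require StartTLS is taken before any bind request is built, which is exactly what a server-side `security` check cannot do for a simple bind, as the thread notes.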