On Wednesday, 4 July 2007, Andreas Hasenack wrote:
> On Wed, Jul 04, 2007 at 05:53:24PM +0200, Hallvard B Furuseth wrote:
> > > The problem is that the rejection happens too late: the client
> > > password was already sent to the server in clear text.
> >
> > If you want to ensure it on the server side, all you can do is not
> > listen for ldap:// connections since they start out unencrypted.
> > ldap:// connections have no initial protocol exchange which the server
> > can reject. Instead listen to ldaps://, "LDAP over SSL (aka TLS)".
> >
> > > I guess what I need is a setting in /etc/openldap/ldap.conf similar to
> > > the sasl minssf property, but for non-sasl binds. Is there such a
> > > thing? Something that would behave as if -ZZ was always added to the
> > > openldap command-line tools.
> >
> > Yes.
> >
> > URI ldaps://fully.qualified.server-hostname/
> > TLS_CACERT <file with the CA-certificate which signed the server cert>
> > TLS_REQCERT demand
>
> The only problem is that I really want start_tls, and not ldaps (which
> is deprecated, right?).

IMHO, a non-working solution (e.g. where encryption can't be forced from the client side) cannot be the only alternative for a feature supposedly deprecated (ldaps, where it is possible). At a minimum, there should be some way to force start_tls for OpenLDAP client utilities before claiming a feature is deprecated. (Yes, this has been irritating me for a long time too ...).

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases
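Added example, not part of the thread or of OpenLDAP: a small audit of a client ldap.conf that flags the conditions the thread identifies (an ldap:// URI, which starts unencrypted and cannot be forced to StartTLS from the client config, and TLS_REQCERT weaker than demand, or no CA to verify against). The two sample configurations are constructed for illustration; the hostname and CA path are placeholders.

```python
"""Audit an OpenLDAP client ldap.conf for settings that guarantee encryption.

Following the thread: a client cannot force StartTLS via ldap.conf, so the
only configuration that never sends a simple-bind password in the clear is
an ldaps:// URI with a pinned CA and TLS_REQCERT demand.
"""

def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}. Directives are case-insensitive, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)          # directive, then the rest of the line
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(conf):
    """Return a list of findings; an empty list means the config forces TLS end to end."""
    findings = []
    uris = conf.get("URI", "").split()
    if not uris:
        findings.append("no URI set; tools may fall back to an unencrypted default")
    for uri in uris:
        scheme = uri.split("://", 1)[0].lower()
        if scheme == "ldap":
            findings.append(f"{uri}: plain ldap:// starts unencrypted and StartTLS cannot be forced here")
        elif scheme != "ldaps":
            findings.append(f"{uri}: unexpected scheme {scheme!r}")
    # ldap.conf(5) defaults TLS_REQCERT to demand; anything weaker accepts a forged server cert.
    if conf.get("TLS_REQCERT", "demand").lower() != "demand":
        findings.append(f"TLS_REQCERT {conf['TLS_REQCERT']}: server certificate is not strictly verified")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify the server certificate against")
    return findings

# Constructed sample configs (placeholder host and CA path).
WEAK_CONF = """\
URI ldap://ldap.example.com/
BASE dc=example,dc=com
TLS_REQCERT never
"""
HARDENED_CONF = """\
URI ldaps://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacert.pem   # CA that signed the server certificate
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_ldap_conf(text)) or ["OK"])
```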
Attachment:
pgprnOX2fRcqw.pgp
Description: PGP signature