[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: require StartTLS

To: openldap-technical@openldap.org
Subject: Re: require StartTLS
From: Daniel Pocock <daniel@pocock.com.au>
Date: Sun, 26 Feb 2012 12:39:26 +0100
In-reply-to: <20120226121513.133ca18d@violet.avci.de>
References: <4F4A0E2A.6090201@pocock.com.au> <20120226121513.133ca18d@violet.avci.de>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110702 Iceowl/1.0b1 Icedove/3.0.11

On 26/02/12 12:15, Dieter KlÃnter wrote:
> Am Sun, 26 Feb 2012 11:49:14 +0100
> schrieb Daniel Pocock <daniel@pocock.com.au>:
> 
>>
>>
>>
>> Is there some way to ensure that a client who connects on port 389 can
>> do nothing without StartTLS?
>>
>> Or is it necessary to just disable port 389 and only listen for
>> ldaps:/// ?
> 
> read on TLS OPTIONS in
> man ldap.conf(5) and man slapd.conf(5)
> 

Thanks for the fast reply

I'm not keen to rely on ldap.conf (client side config) - I want to
enforce a preference for TLS from the server side, to avoid a situation
where some application might be configured non-TLS by mistake.

I've looked at the TLS options and I have TLS running fine already.  I
notice the TLSCipherSuite option sets the cipher level within TLS, but
it doesn't appear to guarantee that TLS is used.

To make an analogy, in postfix, I require `plain' authentication: but
the client is not allowed to try to authenticate until it has done
StartTLS, because I never want a client to try sending a password over a
channel that is not encrypted.

For the moment, I have just disabled port 389

Follow-Ups:
- Re: require StartTLS
  - From: Nick Milas <nick@eurobjects.com>
- Re: require StartTLS
  - From: Dieter KlÃnter <dieter@dkluenter.de>

References:
- require StartTLS
  - From: Daniel Pocock <daniel@pocock.com.au>
- Re: require StartTLS
  - From: Dieter KlÃnter <dieter@dkluenter.de>

Prev by Date: Re: RE24 testing call#1 (2.4.30)
Next by Date: Re: Private OID range(s) ?
Index(es):
- Chronological
- Thread