[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS=yes (ITS#1739)

That is what "TLS=critical" is for. If the StartTLS fails, the connection is

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> mcantwell@paradigmone.com.au
> Sent: Wednesday, April 10, 2002 4:29 PM
> To: openldap-its@OpenLDAP.org
> Subject: TLS=yes (ITS#1739)
> Full_Name: Martin Cantwell
> Version: openldap-2.0.23
> OS: Linux Turbo
> URL:
> Submission from: (NULL) (
> I have a master LDAP server a number of slaves, and replication
> using slurpd
> over TLS. - It all works OK.
> My understanding is that LDAP clients can establish connection
> via SSL on port
> 636, or use startTLS on port 389. - Fine.
> >From slurpd replication you specify TLS=yes, and as long as the server
> certificate CN matches, then it will startTLS on port 389 and
> work correctly,
> otherwise it drops down to just LDAP v3 communication, i.e. not
> secure. I have
> checked this using -d-1 on the slurpd process, i.e. fact not heresay.
> However I would like to INSIST that replication uses TLS, and if the slave
> cannot perform TLS then it fails, a sort of tls=insist option.
> Comments?