RE: TLS=yes (ITS#1739)
That is what "TLS=critical" is for. If the StartTLS fails, the connection is
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> Sent: Wednesday, April 10, 2002 4:29 PM
> To: openldap-its@OpenLDAP.org
> Subject: TLS=yes (ITS#1739)
> Full_Name: Martin Cantwell
> Version: openldap-2.0.23
> OS: Linux Turbo
> Submission from: (NULL) (126.96.36.199)
> I have a master LDAP server, a number of slaves, and replication using slurpd
> over TLS. - It all works OK.
> My understanding is that LDAP clients can establish connection via SSL on port
> 636, or use startTLS on port 389. - Fine.
> From slurpd replication you specify TLS=yes, and as long as the server
> certificate CN matches, then it will startTLS on port 389 and work correctly,
> otherwise it drops down to just LDAP v3 communication, i.e. not secure. I have
> checked this using -d-1 on the slurpd process, i.e. fact not hearsay.
> However I would like to INSIST that replication uses TLS, and if the slave
> cannot perform TLS then it fails, a sort of tls=insist option.
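For reference, an added slapd.conf fragment illustrating the two settings discussed in this thread (this is an editorial example, not configuration from the report or from OpenLDAP's own documentation). Hostnames, suffix, bind DN, password and file paths are constructed placeholders; the directive syntax follows the 2.0-era replica directive, where the keyword is tls= with the values yes or critical:

```conf
# Added example: master-side slapd.conf replica directives.
# Hostnames, suffix, DN and credentials are constructed placeholders.

# tls=yes: slurpd attempts StartTLS and, if the slave cannot complete it,
# carries on replicating in the clear (the fallback Martin observed with -d-1).
replica host=slave1.example.com:389 tls=yes
        suffix="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLACE_WITH_SECRET

# tls=critical: a failed StartTLS is treated as an error rather than a reason
# to fall back to cleartext, which is the "tls=insist" behaviour requested.
replica host=slave2.example.com:389 tls=critical
        suffix="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLACE_WITH_SECRET

# Slave-side slapd.conf: the slave must offer TLS for StartTLS to succeed at
# all, and the certificate's CN must match the host= value used on the master.
# Paths are placeholders.
TLSCertificateFile /etc/openldap/certs/slave.crt
TLSCertificateKeyFile /etc/openldap/certs/slave.key
updatedn "cn=replicator,dc=example,dc=com"
```

To confirm which behaviour a given replica line produces, run slurpd with the same -d -1 debug level the report used and watch whether the session continues after a StartTLS failure (tls=yes) or is aborted (tls=critical). Note that slapd.conf only honours comments on lines beginning with #, and continuation lines must start with whitespace, as above.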