Re: ldap.conf TLS

Now that we have StartTLS, it's possible to implement the "Try"
and "Demand" levels using StartTLS. Is it worth doing?

Isn't this what -Z and -ZZ do on the client-side already?

What would really be useful (for me :-) anyway) is the ability to demand TLS on the server side. I'd like to allow connections to port 389, but demand that clients STARTTLS before any requests are processed. (Even better would be to allow anonymous requests without TLS, but require TLS for authentication!) (I think a basic TLS requirement is already possible with SASL auth using sasl_minimum_layer, but not outside of SASL auth.)
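As an added illustration (not from this post, and not quoting OpenLDAP's own documentation), the two server-side policies asked for above can be written as a slapd.conf fragment using the global `security` directive and the `ssf=` ACL qualifier, as I understand slapd.conf(5) and slapd.access(5); the certificate paths and the strength value 128 are example values, and whether anonymous simple binds are exempt from `simple_bind=` should be confirmed for the slapd version in use.

```conf
# Added example slapd.conf fragment; paths below are placeholders.
TLSCACertificateFile  /etc/ldap/ca.pem
TLSCertificateFile    /etc/ldap/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/slapd-key.pem

# Weak baseline: with no 'security' line, a listener on 389 accepts
# every operation, including simple binds that carry a password, in
# the clear; StartTLS is merely available, never demanded.

# Policy 1: demand StartTLS before any request is processed.  Any
# operation on a connection whose TLS strength factor is below 128
# is refused with confidentialityRequired; the StartTLS extended
# operation itself is exempt, so clients can still upgrade.
# (Use ssf=128 instead of tls=128 if ldapi:/// or a SASL integrity
# layer should also satisfy the requirement.)
security tls=128

# Policy 2 (the "even better" variant): anonymous requests may
# arrive in the clear, but password (simple bind) authentication is
# refused unless the session SSF is already >= 128, i.e. the client
# issued StartTLS first.  Comment out Policy 1 to use this instead.
#security simple_bind=128

# Complement to Policy 2: let anonymous sessions read the public
# data over plaintext, but hand out write access only on a
# protected session, regardless of how the user authenticated.
#access to *
#        by ssf=128 self write
#        by anonymous read
#        by users read
```

Changes to `security` take effect for new operations only, so existing plaintext sessions should be checked (e.g. with `ldapwhoami -Z` versus a plain bind) after a reload.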