[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap.conf TLS

At 09:24 PM 2002-06-16, David Wright wrote:
>>Now that we have StartTLS, it's possible to implement the "Try"
>>and "Demand" levels using StartTLS. Is it worth doing?
>Isn't this what -Z and -ZZ do on the client-side already?
>What would really be useful (for me :-) anyway) is the ability to demand TLS on the server side. I'd like to allow connections to port 389, but demand that clients STARTTLS before any requests are processed.

See the security directive in slapd.conf(5).

>(Even better would be to allow anonymous requests without TLS, but require TLS for authentication!)

You can do this using ACLs to restrict access to userPassword
to sessions which have SSF > 1.  I posted a example of this
to the software list just last week... and updated the
admin guide.

One could add a "disallow bind_in_the_clear" option fairly
easy.  Feel free to code it up.