
Re: Mixed ldap and ldaps?



At 04:32 PM 10/12/00 +0000, Jim Hud wrote:
>I know that slapd can listen for both ldap and ldaps connections (on both
>ports 389 and 636), but is there a way to configure the server to insist
>that any non-anonymous connection is made over ldaps?

I suggest you use SSF conditions to control access.
The SSF is the security layer strength factor. It's set by
TLS (StartTLS and ldaps://) and SASL and roughly correlates
to the effective key length of the encryption in use.

To disallow simple bind authentication excepting when
confidentiality protection is in place, do something
like:
  access to attr=userPassword
    by ssf=128 self write
    by ssf=112 users read
    by ssf=112 anonymous auth

  access to *
    by ssf=128 self write
    by ssf=112 users read

112 -> 3DES (or equiv)
128 -> RC4 (or equiv)

See archives for additional examples.

Kurt
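An added example, not from the post or from OpenLDAP itself: a small Python model of how slapd evaluates the two access directives above (first applicable directive, then first matching "by" clause wins, otherwise deny). It assumes a session's SSF is known and uses constructed identities to show that a simple bind is only possible once the session SSF reaches 112.

```python
# Model of slapd ACL evaluation for the SSF rules in the post (added example,
# not OpenLDAP code). An ssf=N condition belongs to the <who> clause: a session
# below N simply fails to match that clause and evaluation moves on.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two access directives from the post: (target, [(min_ssf, who, level), ...])
ACLS = [
    ("userPassword", [(128, "self", "write"),
                      (112, "users", "read"),
                      (112, "anonymous", "auth")]),
    ("*",            [(128, "self", "write"),
                      (112, "users", "read")]),
]


def who_matches(who, authenticated, is_self):
    """Apply slapd's meaning of the <who> keywords used in the post."""
    if who == "anonymous":
        return not authenticated
    if who == "users":
        return authenticated
    if who == "self":
        return authenticated and is_self
    raise ValueError("unsupported who clause: %s" % who)


def granted_level(attr, ssf, authenticated=False, is_self=False):
    """Privilege granted by the first matching 'by' clause of the first
    directive whose target covers `attr`; no match means no access."""
    for target, clauses in ACLS:
        if target != "*" and target != attr:
            continue
        for min_ssf, who, level in clauses:
            if ssf >= min_ssf and who_matches(who, authenticated, is_self):
                return level
        return "none"  # directive applied, nothing matched: implicit deny
    return "none"


def allowed(attr, op, ssf, authenticated=False, is_self=False):
    """True if the granted level is at least the level `op` requires."""
    granted = granted_level(attr, ssf, authenticated, is_self)
    return LEVELS.index(granted) >= LEVELS.index(op)


def simple_bind_possible(ssf):
    """A simple bind needs 'auth' access to userPassword for the (still
    anonymous) session, so it only works once the SSF condition is met."""
    return allowed("userPassword", "auth", ssf)


if __name__ == "__main__":
    for ssf in (0, 56, 112, 128):
        print("ssf=%3d simple bind: %s" % (ssf, simple_bind_possible(ssf)))
```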