
Re: Mixed ldap and ldaps?

At 04:32 PM 10/12/00 +0000, Jim Hud wrote:
>I know that slapd can listen for both ldap and ldaps connections (on both
>ports 389 and 636), but is there a way to configure the server to insist
>that any non-anonymous connection is made over ldaps?

I suggest you use an SSF condition to control access.
The SSF is the security layer strength factor. It's set by
TLS (StartTLS and ldaps://) and SASL and roughly correlates
to the effective key length of the encryption in use.

To disallow simple bind authentication except when
confidentiality protection is in place, do something like:
  access to attr=userPassword
    by ssf=128 self write
    by ssf=112 users read
    by ssf=112 anonymous auth

  access to *
    by ssf=128 self write
    by ssf=112 users read

112 -> 3DES (or equiv)
128 -> RC4 (or equiv)

See archives for additional examples.
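To see what those two rules actually grant at each SSF, here is an added example; it is not part of the reply above nor OpenLDAP code. It is a small Python model of the parts of slapd's ACL evaluation that matter here (the first matching "access to" rule is used, the first matching "by" clause within it wins, "ssf=N" means the session SSF is at least N, and no matching clause means no access), run against the posted ACL text. The DN uid=jim,dc=example,dc=com is a constructed example.

```python
"""Model of how slapd evaluates the SSF-conditioned ACL from the post.

Added illustration, not OpenLDAP code: it reimplements just enough of
slapd's access evaluation (first matching rule, first matching by-clause,
ssf=N means session SSF >= N, no match means no access) to show what a
client gets at a given SSF without running a server.
"""
import re

# Access levels in slapd order; a grant of level L satisfies any lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# The ACL from the post, embedded as text so the evaluator parses the same form.
POSTED_ACL = """
access to attr=userPassword
  by ssf=128 self write
  by ssf=112 users read
  by ssf=112 anonymous auth

access to *
  by ssf=128 self write
  by ssf=112 users read
"""


def parse_acl(text):
    """Return a list of (target, [(min_ssf, who, level), ...]) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("access to "):
            rules.append((line[len("access to "):], []))
        elif line.startswith("by "):
            m = re.match(r"by (?:ssf=(\d+) )?(\S+) (\S+)$", line)
            if m is None:
                raise ValueError("unsupported by-clause: " + line)
            min_ssf = int(m.group(1)) if m.group(1) else 0
            rules[-1][1].append((min_ssf, m.group(2), m.group(3)))
    return rules


def _who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    raise ValueError("unsupported who clause: " + who)


def granted(rules, bind_dn, target_dn, attr, ssf):
    """Access level slapd would grant bind_dn on attr of target_dn at this SSF."""
    for target, clauses in rules:
        if target != "*" and target.lower() != ("attr=" + attr).lower():
            continue
        for min_ssf, who, level in clauses:
            if ssf >= min_ssf and _who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # matching rule, but no by-clause matched: denied
    return "none"


def allows(rules, bind_dn, target_dn, attr, ssf, wanted):
    return RANK[granted(rules, bind_dn, target_dn, attr, ssf)] >= RANK[wanted]


def simple_bind_permitted(rules, dn, ssf):
    """A simple bind needs 'auth' on userPassword of the bind DN, evaluated
    as anonymous because the client is not yet authenticated."""
    return allows(rules, None, dn, "userPassword", ssf, "auth")


if __name__ == "__main__":
    acl = parse_acl(POSTED_ACL)
    jim = "uid=jim,dc=example,dc=com"  # constructed example DN
    for ssf in (0, 56, 112, 128):
        print(f"ssf={ssf:3}: simple bind={simple_bind_permitted(acl, jim, ssf)!s:5} "
              f"own userPassword={granted(acl, jim, jim, 'userPassword', ssf)}")
```

Two things the model makes visible: a simple bind over a cleartext port gets "none" from the anonymous clause and so is refused before the password is ever compared, and at SSF 112 an authenticated user falls through the "ssf=128 self write" clause to "users read", so changing one's own password still needs the 128-bit cipher.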