
Re: Trying to confirm use of TLS...



Ken Kleiner writes:

Hello...

When running slapd with ldap:/// and ldaps:///, I understand that it
is listening on port 389 and 636. If my clients have /etc/ldap.conf
with an entry of 'ssl start_tls', I assume that means that my session
is encrypted (i.e. all data passed back and forth from client -> server
is munged).


This being the case, I'm sure it is extremely critical to only allow
connections to slapd from trusted hosts, using tcp wrappers - correct?
If not, anybody can talk to my 389 port and therefore sniff.


I have tested with just ldaps:///, and it works, but I fear I can't
use slurpd/replication unless I use 389 - is that right?

You can inhibit unencrypted connections by requiring tls.
Use "security" in conjunction with "require" directives
to selectively disallow operations if no appropriate security
is in place. You may also use security factors in ACLs
to apply different security levels to different parts of the
subtree or different attributes.


See slapd.conf(5) for details.

Pierangelo.

Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
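An added slapd.conf fragment (not from this thread, nor from the OpenLDAP project's own examples) showing the `security`, `require` and ACL security-factor directives the reply refers to. The certificate paths, the SSF thresholds and the ACL subjects are assumptions; the point is that port 389 can stay open for StartTLS and replication while unprotected operations are refused.

```conf
# Added example, not from the original thread. Paths and SSF values are assumptions.
# Server certificate used for both ldaps:// and StartTLS on ldap://.
TLSCACertificateFile  /etc/openldap/certs/ca.crt
TLSCertificateFile    /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key

# Global minimums. A plain ldap:// session has ssf=0, so every operation on
# it is refused with "confidentiality required" until the client issues
# StartTLS (the StartTLS extended operation itself is exempt from this check).
# simple_bind=128 additionally refuses to accept a cleartext password on any
# session weaker than 128 bits, so a replication bind over 389 works only
# after StartTLS has raised the session's SSF.
security ssf=56 simple_bind=128

# Require an LDAPv3 bind before any other operation.
require bind LDAPv3

# Per-attribute security factors: password changes and authentication against
# userPassword need a strong session, everything else follows the global rule.
access to attrs=userPassword
       by self ssf=128 write
       by anonymous ssf=128 auth
       by * none

access to *
       by users read
       by * none
```

Verify the effect with `ldapsearch -ZZ` (StartTLS required) against port 389: the same query without `-ZZ` should fail, and the slapd log will show the refused operation.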