[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Trying to confirm use of TLS...

Ken Kleiner writes:


When running slapd with ldap:/// and ldaps:///, I understand that it
is listening on port 389 and 636. If my clients have /etc/ldap.conf
with an entry of 'ssl start_tls', I assume that means that my session
is encrypted (i.e. all data passed back and forth from client -> server
is munged).

This being the case, I'm sure it is extremely critical to only allow
connections to slapd from trusted hosts, using tcp wrappers - correct?
If not, anybody can talk to my 389 port and therefore sniff.

  I have tested with just ldaps:///, and it works, but I fear I can't
use slurpd/replication unless I use 389 - is that right?

You can inhibit unencrypted connections by requiring tls.
Use "security" in conjunction with "require" directives
to selectively disallow operations if no appropriate security
is in place. You may also use security factors in ACLs
to apply different security levels to different parts of the
subtree or different attributes.

See slapd.conf(5) for details


Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati