Re: How to Force TLS/SSL connection Only ?



Hi,

On Sunday 24 November 2002 13:43, Zhang Fei wrote:
> ################ Begin ###################################
> TLSCertificateFile    /usr/local/etc/openldap/server.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/server.key
> TLSCACertificateFile  /usr/share/ssl/misc/demoCA/cacert.pem
> TLSVerifyClient       demand
> ################ End  ####################################
>
> And in ldap.conf ,add:
> ################# Begin ###############################
> TLS_CACERT      /usr/share/ssl/misc/demoCA/cacert.pem
> TLS             hard
> ################## end ################################
>
> In valid client's ".ldaprc" file :
> ################### Begin ##############################
> TLS_CERT        /home/globus/ldapcert/user.crt
> TLS_KEY         /home/globus/ldapcert/user.key
> #################### End ###############################
With all those TLS lines above you told the server (and the clients)
how to behave in case of an LDAPS connection or an LDAP connection with
start_tls, but you did not forbid the server to use unencrypted, anonymous
connections.
This is usually done using ACLs in the slapd.conf file.
(The lines above are no ACLs but SSL configuration options.)

> BTW: What's the meaning of the option "-x" in the command "ldapsearch"? "Simple
> Authentication"? It's different from "Anonymous", but why does it not need
> userid & password?
It is "simple authentication" as opposed to "SASL authentication".
Simple authentication needs a bindDN (= user) & password.
Anonymous is "no authentication".

Yours
Peter
-- 
Peter Marschall     |   eMail: peter.marschall@mayn.de
Scheffelstraße 15   |          peter.marschall@is-energy.de
97072 Würzburg      |   Tel:   0931/14721
PGP:  D7 FF 20 FE E6 6B 31 74  D1 10 88 E0 3C FE 28 35
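As an added illustration (not part of the mail above), this is what the slapd.conf side of "forbid unencrypted, anonymous connections" can look like: a global security directive plus ACLs that grant nothing unless the connection carries a security strength factor (ssf); the value 128 is an assumed threshold, and the directory layout is constructed for the example.

```conf
# Added example, not from the original post.
# Global rule: every operation (except the StartTLS negotiation itself, which
# slapd exempts) must arrive over a connection with at least 128 bits of
# protection, i.e. LDAPS or LDAP+StartTLS with a strong cipher. simple_bind=128
# additionally refuses plaintext "ldapsearch -x -D ... -w ..." binds.
security ssf=128 simple_bind=128

# ACLs: even if the global directive is dropped later, an unprotected
# connection still matches only the final "by * none" clause, so plaintext
# and anonymous clients get nothing. Order matters: first matching clause wins.
access to attrs=userPassword
    by ssf=128 self write
    by ssf=128 anonymous auth
    by * none

access to *
    by ssf=128 self write
    by ssf=128 users read
    by * none
```

Check the result with an unencrypted `ldapsearch -x` against the server: the bind or search should be refused with a confidentiality-required error, while the same query over ldaps:// or with -ZZ succeeds.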