
RE: reject_external_nonTLS_binds



This would probably be frowned on since it uses non-standard mechanisms, but
I'd do something like this: first only enable cleartext connections on
localhost, and then only enable ldaps from anywhere else:

  slapd -h "ldap://localhost/ ldaps:///"

Note that using ldaps precludes the use of StartTLS, so the "-Z" client
options must be omitted.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
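As an added illustration (not part of the thread or of OpenLDAP itself), the following POSIX shell snippet encodes the listener policy from the reply above as a check: every cleartext ldap:// listener in a slapd -h list must be bound to a loopback address, while ldaps:// listeners may bind anywhere. The ldapi:// case (a local Unix-domain socket listener) is an assumption added here for completeness; the thread only mentions ldap:// and ldaps://.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit a slapd -h listener
# list against the policy "cleartext only on loopback, TLS everywhere else".

# listener_host URL -> prints the host part of an LDAP URL ("" if none,
# which slapd interprets as "all interfaces").
listener_host() {
    rest=${1#*://}              # drop the scheme
    hostport=${rest%%/*}        # keep host[:port], drop any path
    case "$hostport" in
        \[*\]*) host=${hostport%%]*}; host=${host#"["} ;;   # [::1]:389
        *)      host=${hostport%%:*} ;;                     # host:389
    esac
    printf '%s\n' "$host"
}

# is_loopback HOST -> 0 if HOST is a loopback name/address
is_loopback() {
    case "$1" in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_listeners "URL URL ..." -> prints one verdict per URL and returns 0
# when every cleartext listener is loopback-only, 1 otherwise.
audit_listeners() {
    bad=0
    for url in $1; do
        case "$url" in
            ldap://*)
                host=$(listener_host "$url")
                if [ -z "$host" ]; then
                    echo "FAIL $url: cleartext listener on all interfaces"
                    bad=1
                elif is_loopback "$host"; then
                    echo "ok   $url: cleartext restricted to loopback"
                else
                    echo "FAIL $url: cleartext listener reachable from the network"
                    bad=1
                fi ;;
            ldaps://*) echo "ok   $url: TLS negotiated on connect" ;;
            ldapi://*) echo "ok   $url: local Unix-domain socket (assumed scheme)" ;;
            *)         echo "FAIL $url: unrecognised listener scheme"; bad=1 ;;
        esac
    done
    return $bad
}

# The configuration suggested in the reply passes; the questioner's
# original "ldap:/// ldaps:///" (cleartext on every interface) does not.
audit_listeners "ldap://localhost/ ldaps:///"
audit_listeners "ldap:/// ldaps:///" || echo "policy violated"
```

The check only inspects the URL list; it does not confirm what slapd actually bound. On a running host, compare its output with the listening sockets (for example via `netstat` or `ss`) so that a stray cleartext listener on a routable address is noticed.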

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
Rico_Stefaniak@esag.de

Hi All,

I am taking my first steps with openLDAP. At the moment LDAP is running for
testing purposes only but productive use is already planned. The testing
environment consists of one ldapmaster with two slave servers on SuSE SLES 8,
each on a separate box. Basic setup and replication is working fine so far.
TLS using server certification is also running great for slurpd and ldap
operations given the -ZZ option (Server is configured to start with ldap:///
and ldaps:///). Now my problem is as follows. I try to prevent external
clients not using TLS (no -ZZ with operation) from binding to the
ldapservers. In other words - only the local client of the machine running
the ldap server should be able to bind to slapd without TLS enabled (e.g.
without the -ZZ option given to the ldap operation).

BTW: Do I always have to give the -Z or -ZZ option to an ldap operation to
have TLS enabled? I think there is still a lack of understanding on my side.

Is there a way to configure the slapd to enable non-TLS binds from localhost
only and denying/rejecting non-TLS binds from external clients binding over a
network?
Maybe there is a way to solve the problem by using ACLs. I was thinking of
client certification too, but the perspective of creating over 1300
client certs made me look for alternatives since this one isn't suitable
for our purposes.

Does anyone have an idea to solve this problem without client certification?

Thanks in advance

Rico