[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: reject_external_nonTLS_binds

To: openldap-software@OpenLDAP.org
Subject: Re: reject_external_nonTLS_binds
From: "dreamwvr@dreamwvr.com" <dreamwvr@dreamwvr.com>
Date: Fri, 6 Jun 2003 09:27:38 -0600
Content-disposition: inline
In-reply-to: <002a01c32c04$482261d0$9101a8c0@CELLO>
References: <OFB4DF2BAE.39DFF152-ONC1256D3D.0028366F@esag.net> <002a01c32c04$482261d0$9101a8c0@CELLO>
User-agent: Mutt/1.4i

On Fri, Jun 06, 2003 at 01:15:58AM -0700, Howard Chu wrote:
> This would probably be frowned on since it uses non-standard mechanisms, but
> I'd do something like this - First only enable cleartext connections on
> localhost, and then only enable ldaps from anywhere else:  slapd -h
> "ldap://localhost/ ldaps:///"  Note that using ldaps precludes the use of
> StartTLS, so the "-Z" client options must be omitted.
FWIW I second that. I like the idea of testing both in clear text
and encrypt externally. Mind you this is not my speciality. But,
it is a very_reasonable way of operating. (Even if not std compliant.)

Best Regards,
dreamwvr@dreamwvr.com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                               48 69 65 72 6F 70 68 61 6E 74 32
# Note: To begin Journey type man afterboot,man help,man hier[.]      
# 66 6F 72 20 48 69 72 65                              0000 0001
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]

Follow-Ups:
- Help! success stories with Eudora and openLDAP ?
  - From: Alex Zheng <azheng@monterey.k12.ca.us>

References:
- reject_external_nonTLS_binds
  - From: Rico_Stefaniak@esag.de
- RE: reject_external_nonTLS_binds
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: Re: Deployment testimonials?
Next by Date: daemon: select timeout - yielding
Index(es):
- Chronological
- Thread