[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Refusing connections when START_TLS is not sent

To: Pierre Moermans <pmoermans@linuxmail.org>
Subject: Re: Refusing connections when START_TLS is not sent
From: Andreas <andreas@conectiva.com.br>
Date: Wed, 10 Dec 2003 13:45:28 -0200
Cc: openldap-software <openldap-software@OpenLDAP.org>
Content-disposition: inline
In-reply-to: <1071073601.3196.17.camel@bunting.pm-soft.be>
References: <1071073601.3196.17.camel@bunting.pm-soft.be>
User-agent: Mutt/1.5.5.1i

On Wed, Dec 10, 2003 at 05:26:34PM +0100, Pierre Moermans wrote:
> Now, I would like to refuse PLAIN text communication when the START_TLS
> command is not sent by the client. I've been googling for a while with
> no success.
> Does anybody know how to do that ?

I think a way to do that would be to restrict access to the userPassword
attribute if the ssf is zero (I assume you are using simple bind, and not sasl plain text
mechanisms).

Something like: (untested)
access to attr=userPassword
	by ssf=128 self write
	by ssf=128 anonymous auth
	by * none

If using sasl plaintext mechanisms, take a look at the sasl-secprops slapd.conf(5)
directive, there you can play with ssf too.

References:
- Refusing connections when START_TLS is not sent
  - From: Pierre Moermans <pmoermans@linuxmail.org>

Prev by Date: Refusing connections when START_TLS is not sent
Next by Date: Re: no structuralObject in entry?
Index(es):
- Chronological
- Thread