
Re: Force client to use TLS



Requiring certificates, or not, is configured with TLSVerifyClient. If you
don't want to require certificates, TLSVerifyClient at any setting other
than "demand" should work, depending on your local preferences.

At a server-wide level, you can set "security <factor>" in slapd.conf. For
instance, "security tls=1" will force TLS (of any flavor) to be utilized.
When slapd is set to deny the non-TLS operation, neglecting to use SSL on
the ldaps port will result in an SSL handshake failure, while failure to issue a
StartTLS on the ldap port will return a "Confidentiality Required" error.
Should you desire more fine-grained control, "tls_ssf" is a valid "<who>"
in an ACL clause. I've never used these, but I'm guessing they will return
"insufficient access" since they're ACLs.

See slapd.conf(5) and slapd.access(5) man pages and the Admin Guide for
more details on these directives.
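As an added example that is not part of the original reply, the following slapd.conf fragment combines the directives mentioned above: TLSVerifyClient set so certificates are accepted but not required, "security tls=1" to refuse all non-TLS operations server-wide, and an ACL that uses tls_ssf as a <who> clause for finer control. The certificate paths and the attribute chosen for the ACL are assumptions for illustration.

```conf
# Added example (not from the original post). Paths are placeholders.

# TLS material for the server. Any TLSVerifyClient value other than
# "demand" lets clients connect without presenting a certificate;
# "try" asks for one and verifies it only if it is offered.
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSVerifyClient try

# Server-wide requirement: every operation must arrive over TLS of any
# strength (ldaps, or StartTLS on the ldap port). A plaintext request on
# the ldap port is answered with "Confidentiality required"; a plaintext
# connection to the ldaps port never completes the handshake.
security tls=1

# Finer-grained alternative: the <who> clause tls_ssf=<n> matches only
# sessions whose TLS cipher provides at least that security strength
# factor. Here userPassword can be used or changed only over TLS with
# a strength of 128 or more; weaker or plaintext sessions fall through
# to "by * none" and are denied by the ACL rather than at the transport.
access to attrs=userPassword
        by tls_ssf=128 self write
        by tls_ssf=128 anonymous auth
        by * none

access to *
        by * read
```

With "security tls=1" in place the ACL is belt-and-braces; drop the security line if you want the tls_ssf rule alone to decide which operations need TLS.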