[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Force client to use TLS

Requiring certificates, or not, is configured with TLSVerifyClient. If you
don't want to require certificates, TLSVerifyClient at any setting other
than "demand" should work, depending on your local preferences.

At a server-wide level, you can set "security <factor>" in slapd.conf. For
instance, "security tls=1" will force TLS (of any flavor) to be utilized.
When slapd is set to deny the non-TLS operation, neglecting to use SSL on
ldaps port will result in SSL handshake failure, while failure to issue a
StartTLS on the ldap port will return "Confidentiality Required" error.
Should you desire more fine-grained control, "tls_ssf" is a valid "<who>"
in an ACL clause. I've never used these, but I'm guessing they will return
"insufficient access" since they're ACLs.

See slapd.conf(5) and slapd.access(5) man pages and the Admin Guide for
more details on these directives.