[Date Prev][Date Next]
force use of start_tls: how?
I'm trying to avoid mistakes and configure a server and/or client to
force the use of start tls. So, if someone binds to the server and
accidentally forgets to configure start_tls on the client, the
connection is rejected.
The problem is that the rejection happens too late: the client password
was already sent to the server in clear test.
So far I have tested using acls (ssf=56) and the global "security"
setting with ssf, simple_bind and transport. In all cases, the
unencrypted access is rejected, but too late: the password was sent.
I guess what I need is a setting in /etc/openldap/ldap.conf similar to
the sasl minssf property, but for non-sasl binds. Is there such a thing?
Something that would behave as if -ZZ was always added to the openldap