[Date Prev][Date Next] [Chronological] [Thread] [Top]

force use of start_tls: how?

I'm trying to avoid mistakes and configure a server and/or client to
force the use of start tls. So, if someone binds to the server and
accidentally forgets to configure start_tls on the client, the
connection is rejected.

The problem is that the rejection happens too late: the client password
was already sent to the server in clear test.

So far I have tested using acls (ssf=56) and the global "security"
setting with ssf, simple_bind and transport. In all cases, the
unencrypted access is rejected, but too late: the password was sent.

I guess what I need is a setting in /etc/openldap/ldap.conf similar to
the sasl minssf property, but for non-sasl binds. Is there such a thing?
Something that would behave as if -ZZ was always added to the openldap
command-line tools.