Re: force use of start_tls: how?

On Wednesday, 4 July 2007, Andreas Hasenack wrote:
> On Wed, Jul 04, 2007 at 05:53:24PM +0200, Hallvard B Furuseth wrote:
> > > The problem is that the rejection happens too late: the client
> > > password was already sent to the server in clear text.
> >
> > If you want to ensure it on the server side, all you can do is not
> > listen for ldap:// connections since they start out unencrypted.
> > ldap:// connections have no initial protocol exchange which the server
> > can reject.  Instead listen to ldaps://, "LDAP over SSL (aka TLS)".
> >
> > > I guess what I need is a setting in /etc/openldap/ldap.conf similar to
> > > the sasl minssf property, but for non-sasl binds. Is there such a
> > > thing? Something that would behave as if -ZZ was always added to the
> > > openldap command-line tools.
> >
> > Yes.
> >
> > URI		ldaps://fully.qualified.server-hostname/
> > TLS_CACERT	<file with the CA-certificate which signed the server cert>
> > TLS_REQCERT	demand
> The only problem is that I really want start_tls, and not ldaps (which
> is deprecated, right?).

IMHO, a non-working solution (e.g. where encryption can't be forced from the 
client side) cannot be the only alternative for a feature supposedly 
deprecated (ldaps, where it is possible).

At a minimum, there should be some way to force start_tls for OpenLDAP client 
utilities before claiming a feature is deprecated.

(Yes, this has been irritating me for a long time too ...).


Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
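As an added example (not part of the original post, and not OpenLDAP's own tooling): a POSIX shell script that audits a client ldap.conf against the recipe quoted above (every URI ldaps://, TLS_REQCERT demand, a CA configured), and a small wrapper that gives the command-line tools the "-ZZ always on" behaviour the poster is asking for, since ldap.conf itself offers no keyword to force StartTLS. The hostnames, file paths and both sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenLDAP client ldap.conf and
# report whether it can guarantee that a simple bind never goes out in clear.
# Assumes POSIX sh plus awk, and the ldap.conf(5) keywords URI, TLS_CACERT,
# TLS_CACERTDIR and TLS_REQCERT. All paths and hostnames below are made up.

# Print the values of one keyword (case-insensitive), skipping comment lines.
conf_values() {
    # $1 = config file, $2 = keyword in upper case
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        toupper($1) == key { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Return 0 when the config forces encryption on every connection and verifies
# the server certificate; otherwise print each reason and return 1.
audit_ldap_conf() {
    conf="$1"; ok=0
    uris=$(conf_values "$conf" URI)
    if [ -z "$uris" ]; then
        echo "$conf: no URI set, so the tools fall back to an unencrypted ldap:// default"; ok=1
    fi
    for u in $uris; do
        case "$u" in
            ldaps://*) ;;
            ldap://*)  echo "$conf: $u starts unencrypted; a simple bind sends the password in clear unless -ZZ is given"; ok=1 ;;
            *)         echo "$conf: unrecognised URI $u"; ok=1 ;;
        esac
    done
    reqcert=$(conf_values "$conf" TLS_REQCERT | tail -n 1)
    case "$(printf '%s' "$reqcert" | tr 'A-Z' 'a-z')" in
        demand|hard) ;;
        *) echo "$conf: TLS_REQCERT is '$reqcert', not demand; a forged server cert would be accepted"; ok=1 ;;
    esac
    if [ -z "$(conf_values "$conf" TLS_CACERT)" ] && [ -z "$(conf_values "$conf" TLS_CACERTDIR)" ]; then
        echo "$conf: no TLS_CACERT or TLS_CACERTDIR, so the server cert cannot be verified"; ok=1
    fi
    return $ok
}

# Workaround for ldap:// URIs: always pass -ZZ, so a StartTLS failure aborts
# before any bind. Assumes OpenLDAP's ldapsearch(1) is on PATH; the checks
# below never call it.
ldapsearch_tls() { ldapsearch -ZZ "$@"; }

# Constructed sample configs: one following the recipe from the thread, one
# typical default that cannot force encryption.
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF="$SAMPLE_DIR/good.conf"
BAD_CONF="$SAMPLE_DIR/bad.conf"
cat > "$GOOD_CONF" <<'EOF'
# constructed sample: ldaps only, CA pinned, cert verification demanded
URI         ldaps://fully.qualified.server-hostname/
TLS_CACERT  /etc/openldap/cacert.pem
TLS_REQCERT demand
EOF
cat > "$BAD_CONF" <<'EOF'
# constructed sample: mixed URIs, lax verification, no CA
BASE        dc=example,dc=com
URI         ldap://ldap.example.com/ ldaps://ldap.example.com/
TLS_REQCERT allow
EOF

# Demo when run directly: the exit status says whether the config is safe.
audit_ldap_conf "$GOOD_CONF" && echo "good.conf: encryption is forced"
audit_ldap_conf "$BAD_CONF" || echo "bad.conf: encryption cannot be forced"
```

Run it as `sh audit-ldap-conf.sh`; to audit a real file, call `audit_ldap_conf /etc/openldap/ldap.conf` instead of the sample paths. The wrapper only helps for the OpenLDAP command-line tools; anything else linked against libldap still needs ldaps:// (or its own StartTLS option) to get the same guarantee.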

