
Re: require StartTLS

On 26/02/12 12:15, Dieter Klünter wrote:
> Am Sun, 26 Feb 2012 11:49:14 +0100
> schrieb Daniel Pocock <daniel@pocock.com.au>:
>> Is there some way to ensure that a client who connects on port 389 can
>> do nothing without StartTLS?
>> Or is it necessary to just disable port 389 and only listen for
>> ldaps:/// ?
> read on TLS OPTIONS in
> man ldap.conf(5) and man slapd.conf(5)

Thanks for the fast reply

I'm not keen to rely on ldap.conf (client side config) - I want to
enforce a preference for TLS from the server side, to avoid a situation
where some application might be configured non-TLS by mistake.

I've looked at the TLS options and I have TLS running fine already.  I
notice the TLSCipherSuite option sets the cipher level within TLS, but
it doesn't appear to guarantee that TLS is used.

To make an analogy, in postfix, I require `plain' authentication: but
the client is not allowed to try to authenticate until it has done
StartTLS, because I never want a client to try sending a password over a
channel that is not encrypted.

For the moment, I have just disabled port 389
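A slapd.conf fragment added here as an illustration, not taken from the thread, showing the server-side enforcement the post asks for: the `security` directive, which slapd.conf(5) documents alongside the TLS options. File paths and the cipher string are assumed placeholders.

```conf
# slapd.conf, global section (assumed paths and cipher string)

# TLS material. TLSCipherSuite only constrains which ciphers a TLS
# session may negotiate; by itself it does not force a client to use TLS.
TLSCertificateFile    /etc/ldap/ssl/slapd.crt
TLSCertificateKeyFile /etc/ldap/ssl/slapd.key
TLSCipherSuite        HIGH:!aNULL:!MD5

# Weak (the default): a client on ldap://:389 may bind in the clear,
# so a misconfigured application can still send a password unencrypted.
# security ssf=0

# Enforced: every operation on every listener needs a TLS-protected
# session (tls=1), and a simple bind additionally needs at least 128 bits
# of effective protection (simple_bind=128). A client that skips StartTLS
# on port 389 is refused with LDAP result 13 (confidentiality required)
# before it can submit a password, so port 389 can stay open for
# StartTLS without allowing plaintext binds.
security tls=1 simple_bind=128

# Caveat: tls=1 also blocks ldapi:/// (the Unix socket), which never
# negotiates TLS. If ldapi is in use, require an overall strength instead
# and rate the local socket accordingly:
# security ssf=128 simple_bind=128
# localSSF 128

# Equivalent for cn=config (olc) deployments, on the cn=config entry:
# olcSecurity: tls=1 simple_bind=128
```

After restarting slapd, a plaintext `ldapwhoami -x -H ldap://host` should fail with "confidentiality required", while the same command with `-ZZ` (force StartTLS) succeeds.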