
Re: require StartTLS



On Sun, 26 Feb 2012 12:39:26 +0100
Daniel Pocock <daniel@pocock.com.au> wrote:

> 
> 
> On 26/02/12 12:15, Dieter Klünter wrote:
> > On Sun, 26 Feb 2012 11:49:14 +0100
> > Daniel Pocock <daniel@pocock.com.au> wrote:
> > 
> >>
> >>
> >>
> >> Is there some way to ensure that a client who connects on port 389
> >> can do nothing without StartTLS?
> >>
> >> Or is it necessary to just disable port 389 and only listen for
> >> ldaps:/// ?
> > 
> > read on TLS OPTIONS in
> > man ldap.conf(5) and man slapd.conf(5)
> > 
> 
> Thanks for the fast reply
> 
> I'm not keen to rely on ldap.conf (client side config) - I want to
> enforce a preference for TLS from the server side, to avoid a
> situation where some application might be configured non-TLS by
> mistake.
> 
> I've looked at the TLS options and I have TLS running fine already.  I
> notice the TLSCipherSuite option sets the cipher level within TLS, but
> it doesn't appear to guarantee that TLS is used.

From man slapd.conf:

TLSVerifyClient <level>
  demand | hard | true
    These keywords are all equivalent, for compatibility reasons.
    The client certificate is requested. If no certificate is
    provided, or a bad certificate is provided, the session is
    immediately terminated.


> 
> To make an analogy, in postfix, I require `plain' authentication: but
> the client is not allowed to try to authenticate until it has done
> StartTLS, because I never want a client to try sending a password
> over a channel that is not encrypted.

Postfix is a LDAP client, thus all client configurations apply
according to man ldap.conf(5).

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
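As an added example (not part of the thread above, and not the poster's own configuration), here is a slapd.conf fragment that puts the two options discussed in the thread next to the directive that actually answers the original question from the server side: slapd.conf(5)'s `security` directive, which states a minimum security strength factor (SSF) a session must have before slapd will process operations on it. The certificate paths, cipher string and SSF value are assumptions chosen for illustration; the `security` directive itself is not mentioned anywhere in the thread.

```conf
# slapd.conf fragment, global section (added example, not from the thread).
# File paths below are placeholders; substitute your own.
TLSCACertificateFile  /etc/ldap/ssl/ca.pem
TLSCertificateFile    /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.key

# TLSCipherSuite only restricts which ciphers may be negotiated once TLS
# is in use; on its own it does not force a client to start TLS at all.
TLSCipherSuite HIGH:!aNULL:!MD5

# The option quoted from the man page above: with "demand" every TLS
# session must present a valid client certificate, otherwise slapd closes
# the session. It still says nothing about a client that never does StartTLS.
TLSVerifyClient demand

# Require a minimum SSF of 128 on every session before any operation is
# accepted. A cleartext connection on port 389 has SSF 0, so binds and
# searches on it are refused with "Confidentiality required" (LDAP result 13)
# until the client has completed StartTLS; the StartTLS extended operation
# itself is still allowed, since it is how the session raises its SSF.
# Assumed value: 128 matches AES-128 and stronger TLS ciphers.
security ssf=128
```

The same directive takes finer-grained factors as well, for example `simple_bind=128` to refuse only cleartext simple binds (the postfix-style rule of "no password before StartTLS") while leaving anonymous reads alone, and `tls=128` to insist specifically on TLS rather than a SASL security layer. To check the result from a client, run `ldapsearch -x -H ldap://host -b '' -s base` without StartTLS and expect result 13, then repeat with `-ZZ` (StartTLS mandatory) and expect the base entry to come back; a client whose ldap.conf has `TLS_REQCERT demand` and the right `TLS_CACERT` will also refuse to proceed if the server certificate does not verify.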