Re: turning off clear text communications
- To: openldap-software@OpenLDAP.org
- Subject: Re: turning off clear text communications
- From: "Jim C." <jcllings@javahop.com>
- Date: Fri, 23 Jan 2004 12:38:39 -0800
- In-reply-to: <6C6B73040F8CD411AA5600508B6D5F120AF63454@strnynt2.strny.starwoodhotels.com>
- References: <6C6B73040F8CD411AA5600508B6D5F120AF63454@strnynt2.strny.starwoodhotels.com>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007
Lawrence, Mike (White Plains) wrote:
| It sounds like it's not doing ldaps then, it's doing ldap and tls
| over port 389. TLS is just a newer version of ssl that can run on
| the same port unencrypted ldap traffic does. If you want to be 100%
| sure all you have is encrypted traffic, then only run ldaps (when
| you start slapd, do it as "/usr/local/libexec/slapd -h "ldaps:///").
| ldaps runs on port 636 and is always encrypted.
Right, but the question is how to do this and then the next question
after that is how to test it. Note that we find this in:
[root@enigma root]# cat /etc/sysconfig/ldap
# nice level for slapd
SLAPDNICE="+2"
# debug level for slapd
SLAPDSYSLOGLEVEL="0"
SLAPDSYSLOGLOCALUSER="LOCAL0"
# SLAPD URL list
SLAPDURLLIST="ldap:/// ldaps:///"
# nice level for slurp
SLURPNICE="+2"
[root@enigma root]#
OK, fine and dandy. Then there is this excerpt from /etc/init.d/ldap,
found in the "start" section:
    if [ -n "$SLAPDURLLIST" ] ; then
        # gprintf only prints "ldaps" and always succeeds, so the real test
        # is whether slapd.conf contains a line beginning with "TLS"
        if gprintf "ldaps\n" && grep -q "^TLS" /etc/openldap/slapd.conf ; then
            ARGS="$ARGS -h \"$SLAPDURLLIST\""
            # OUT is a fixed label; it does not reflect what SLAPDURLLIST holds
            OUT="ldap + ldaps"
        else
            ARGS="$ARGS -h \"ldap:/// \""
        fi
    else
        ARGS="$ARGS -h \"ldap:/// \""
    fi
Now I haven't traced this but at a glance it seems to me that
$SLAPDURLLIST is set in /etc/sysconfig/ldap and used in the init script
/etc/init.d/ldap.
*If* this is the case then I **should** be able to simply delete
"ldap:///" from the $SLAPDURLLIST in /etc/sysconfig/ldap.
I tried this and then had no way to verify that clear text
communications were discombooberated. The script reported no difference
on startup.
[root@enigma init.d]# service ldap restart
Stopping slapd: [ OK ]
ldaps
Starting slapd (ldap + ldaps): [ OK ]
[root@enigma init.d]#
Got any ideas? What about the slapd.conf file? Ideally I could
use it for this purpose rather than pore over scripts designed for a
specific distro.
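The two open questions in the post are how to build a listener list with no cleartext ldap:/// entry and how to verify afterwards that port 389 really is closed. The following is an added example, not code from the post or from the distro's init script; it reproduces the init script's `-h` construction from a SLAPDURLLIST-style string but refuses the cleartext fallback, and the verification helper assumes ldapsearch is installed on the server.

```shell
#!/bin/sh
# Added example (not from the original post or the distro init script).

# Print the URL list with every plain ldap:// (cleartext, port 389) entry
# removed. ldaps:// and ldapi:// entries are kept untouched.
strip_cleartext_urls() {
    out=""
    for u in $1; do
        case "$u" in
            ldap://*) ;;                          # drop the cleartext listener
            *) out="${out:+$out }$u" ;;
        esac
    done
    printf '%s' "$out"
}

# Build the slapd -h argument the way the init script does (URL list inside
# escaped quotes), but fail instead of silently falling back to "ldap:///"
# when nothing is left after filtering.
slapd_listener_args() {
    urls=$(strip_cleartext_urls "$1")
    [ -n "$urls" ] || return 1
    printf -- '-h "%s"' "$urls"
}

# Post-restart check: an anonymous rootDSE query over cleartext must be
# refused (connection error), while the same query over ldaps must succeed.
# Returns 0 only when both conditions hold. Requires ldapsearch (assumed).
verify_only_ldaps() {
    host="${1:-localhost}"
    if ldapsearch -x -H "ldap://$host/" -b '' -s base -LLL >/dev/null 2>&1; then
        echo "cleartext LDAP on $host:389 still answers" >&2
        return 1
    fi
    ldapsearch -x -H "ldaps://$host/" -b '' -s base -LLL >/dev/null 2>&1 ||
        { echo "ldaps on $host:636 did not answer" >&2; return 1; }
}
```

Use `slapd_listener_args "$SLAPDURLLIST"` to see exactly which `-h` value the script should produce, and run `verify_only_ldaps` after `service ldap restart`, since the "(ldap + ldaps)" startup label is hard-coded and proves nothing.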