[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: require StartTLS

Dieter KlÃnter wrote:
Am Sun, 26 Feb 2012 12:39:26 +0100
schrieb Daniel Pocock<daniel@pocock.com.au>:

On 26/02/12 12:15, Dieter KlÃnter wrote:
Am Sun, 26 Feb 2012 11:49:14 +0100
schrieb Daniel Pocock<daniel@pocock.com.au>:

Is there some way to ensure that a client who connects on port 389
can do nothing without StartTLS?

Or is it necessary to just disable port 389 and only listen for
ldaps:/// ?

read on TLS OPTIONS in
man ldap.conf(5) and man slapd.conf(5)

Thanks for the fast reply

I'm not keen to rely on ldap.conf (client side config) - I want to
enforce a preference for TLS from the server side, to avoid a
situation where some application might be configured non-TLS by

I've looked at the TLS options and I have TLS running fine already.  I
notice the TLSCipherSuite option sets the cipher level within TLS, but
it doesn't appear to guarantee that TLS is used.

From man slapd.conf
  demand | hard | true
   These  keywords  are  all  equivalent,  for
	compatibility reasons.  The client certificate  is
	requested.   If  no certificate   is   provided,  or  a  bad
	certificate  is provided, the session is immediately terminated.

To make an analogy, in postfix, I require `plain' authentication: but
the client is not allowed to try to authenticate until it has done
StartTLS, because I never want a client to try sending a password
over a channel that is not encrypted.

Postfix is a LDAP client, thus all client configurations apply
according to man ldap.conf(5).

Dieter, no.

Josh Miller's post was correct.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/