
reject_external_nonTLS_binds
Hi All,

I am taking my first steps with OpenLDAP. At the moment LDAP is running for testing purposes only, but productive use is already planned. The testing environment consists of one LDAP master with two slave servers on SuSE SLES 8, each on a separate box. Basic setup and replication are working fine so far. TLS using server certification is also running great for slurpd and LDAP operations given the -ZZ option (the server is configured to start with ldap:/// and ldaps:///). Now my problem is as follows. I am trying to prevent external clients not using TLS (no -ZZ with the operation) from binding to the LDAP servers. In other words, only the local client on the machine running the LDAP server should be able to bind to slapd without TLS enabled (e.g. without the -ZZ option given to the LDAP operation).

BTW: Do I always have to give the -Z or -ZZ option to an LDAP operation to have TLS enabled? I think there is still a lack of understanding on my side.

Is there a way to configure slapd to enable non-TLS binds from localhost only and deny/reject non-TLS binds from external clients binding over the network?
Maybe there is a way to solve the problem by using ACLs. I was thinking of client certification too, but the prospect of creating over 1300 client certificates made me look for alternatives, since this one isn't suitable for our purposes.

Does anyone have an idea to solve this problem without client certification?

Thanks in advance

Rico
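Added example (not part of the original post, and not an answer from the list): one way to express the requested policy in slapd.conf using the ACL conditions `peername` and `ssf` documented in slapd.access(5). A simple bind needs `auth` access to the entry's `userPassword` attribute, so if that access is granted only to loopback peers and to sessions that have already negotiated a sufficiently strong TLS cipher, a clear-text bind from the network fails while a clear-text bind from localhost succeeds. No client certificates are involved. Assumptions, labelled in the comments: the suffix `dc=example,dc=com`, a required SSF of 128 (roughly a 128-bit cipher), the `peername.ip=` and `ssf=` clause syntax of OpenLDAP 2.2 or later (older releases match `peername` with a regular expression against the `IP=...` string; check slapd.access(5) for your version), and that the TLS directives (`TLSCertificateFile` and friends) are already in place.

```conf
# Added example, not from the original post. Assumes OpenLDAP 2.2+ ACL syntax,
# suffix dc=example,dc=com, and TLS already configured in this slapd.conf.
# slapd is started with both listeners, e.g.:  slapd -h "ldap:/// ldaps:///"
# StartTLS on ldap:/// and a direct ldaps:/// session both raise the session
# SSF; a plain ldap:/// session without StartTLS stays at SSF 0.

# Binds need 'auth' access to userPassword. Grant it to:
#   - peers connecting from the loopback address (clear-text allowed), or
#   - any session whose negotiated SSF is at least 128 (TLS established).
# Everyone else gets nothing, so a clear-text bind from the network is
# rejected with invalidCredentials before any password is compared.
# 'by self write' is listed first so a TLS-authenticated user can still
# change its own password (first matching 'by' clause wins).
access to attrs=userPassword
        by self write
        by peername.ip=127.0.0.1 auth
        by ssf=128 auth
        by * none

# Remaining data: local peers may read without TLS; network peers must be
# on a TLS session and authenticated; anything else is denied, so a
# non-TLS external client cannot even search anonymously.
access to dn.subtree="dc=example,dc=com"
        by peername.ip=127.0.0.1 read
        by ssf=128 users read
        by * none
```

Two caveats for the setup described above. First, the replicas: the slave servers must accept the master's updatedn bind under the same rules, so slurpd has to keep using StartTLS on its replica connections (or connect over ldaps://), otherwise the updates are rejected exactly like any other clear-text network bind. Second, the command-line question: the ldap* tools never negotiate TLS on an ldap:// URI unless asked; `-Z` issues StartTLS and continues even if it fails, `-ZZ` makes a failed StartTLS fatal, and `-H ldaps://host/` uses TLS from the first byte. Only `-ZZ` or an ldaps:// URI guarantees the session reaches SSF 128 before the bind is sent, which is what the `ssf=128` clauses above test.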