Re: Mixed ldap and ldaps?
At 04:32 PM 10/12/00 +0000, Jim Hud wrote:
>I know that slapd can listen for both ldap and ldaps connections (on both
>ports 389 and 636), but is there a way to configure the server to insist
>that any non-anonymous connection is made over ldaps?
I suggest you use SSF conditions to control access.
The SSF is the security strength factor. It's set by
TLS (StartTLS and ldaps://) and SASL and roughly correlates
to the effective key length of the encryption in use.
To disallow simple bind authentication except when
confidentiality protection is in place, do something
like:
# Password attribute: the "by" clauses are tried in order and the
# first one that matches wins. A session with no protection (ssf=0)
# matches none of them and falls through to the implicit "by * none",
# so a simple bind over cleartext cannot even compare the password.
access to attr=userPassword
        by ssf=128 self write
        by ssf=112 users read
        by ssf=112 anonymous auth
# Everything else: same strength requirements for self-write and read.
access to *
        by ssf=128 self write
        by ssf=112 users read
112 -> 3DES (or equiv)
128 -> RC4 (or equiv)
See archives for additional examples.
Kurt
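A fuller slapd.conf fragment that puts the reply above into practice, added here as an illustration and not taken from the original message. The host name, certificate paths and DNs are placeholders, and the global "security" directive is the one documented in slapd.conf(5) for OpenLDAP 2.x, so check that the version in use supports it before relying on it.

```conf
# Added example, not from the original message. Host names, file
# paths and DNs are placeholders.
#
# slapd is started listening on both the cleartext and the TLS port:
#   slapd -h "ldap:/// ldaps:///"
# StartTLS is then available on 389 and ldaps:// on 636; either one
# raises the session SSF to the strength of the negotiated cipher.

TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile   /etc/openldap/certs/slapd-key.pem

# Global floor (slapd.conf(5) "security" directive): a simple bind is
# only accepted on a session whose SSF is at least 128; otherwise slapd
# rejects the bind with result 13 (confidentiality required) rather than
# evaluating the password. Anonymous operations are not affected, so an
# anonymous cleartext search still works, which is what the question
# asked for.
security simple_bind=128

# Per-attribute rules as in the reply. Clauses are tried in order and
# the first match wins; a cleartext session (ssf=0) matches none of
# them and falls through to the implicit "by * none", so it can neither
# authenticate nor read anything.
access to attr=userPassword
        by ssf=128 self write
        by ssf=112 users read
        by ssf=112 anonymous auth

access to *
        by ssf=128 self write
        by ssf=112 users read
```

To check the result from a client, a cleartext simple bind such as `ldapwhoami -x -H ldap://ldap.example.com -D "uid=jim,dc=example,dc=com" -W` should fail with "Confidentiality required (13)", while the same command with `-ZZ` (StartTLS, aborting if it cannot be negotiated) or with `-H ldaps://ldap.example.com` returns the bound DN. Two caveats: the numeric SSF depends on the cipher actually negotiated, so the 112/128 figures follow the cipher suites the server offers; and SSF is also supplied by SASL security layers, so a SASL bind with a privacy layer satisfies these rules too. If TLS specifically is the requirement, slapd.access(5) offers `tls_ssf=` in place of `ssf=` and the security directive accepts `tls=` alongside `simple_bind=`.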