
Re: Require SSL transport?



At 11:33 AM 2/2/01 -0500, Jens Vagelpohl wrote:
>starting your server with "slapd -h ldaps:///" should prevent it from
>listening on anything other than port 636.

But this disallows use of LDAP Start TLS (-Z), the standards-track
mechanism for initiating TLS (SSL) services.

There are numerous ways to restrict access in OpenLDAP.
ACLs support ssf and tls_ssf factors where you can
restrict access based upon the strength of the security
actually provided by the layer.

There are also various "allows", "disallows", "requires",
and "security" slapd.conf(5) statements which can be used
to control the behavior of the server.


>jens
>
>
>
>On 2/2/01 10:56, "Justin Hahn" <jhahn@profitlogic.com> wrote:
>
>> Over the past couple days I've been setting up OpenLDAP as a substitute for
>> NIS. To do this I want all communications done with the LDAP server to be
>> over SSL exclusively. But I can't seem to figure out how to get openldap to
>> ignore requests that aren't over SSL.
>> (i.e. ldapsearch -ZZ -x '(objectclass=*)' gives me exactly what I expect,
>> but take away -ZZ and I get the same results back. Which isn't what I want.)
>> 
>> Is there any ACL I can use to grant no access if SSL isn't being used? A
>> config
>> option? A commandline option to slapd?
>> 
>> Thanks!
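The two mechanisms named in the reply above (the global "security" directive and ssf/tls_ssf qualifiers in ACLs) put together in one slapd.conf fragment. This is an added illustration, not configuration from the thread or from the OpenLDAP project; the directive names are those documented in slapd.conf(5) and slapd.access(5), while the suffix dc=example,dc=com, the certificate paths, and the threshold of 128 are assumptions chosen for the example.

```conf
# slapd.conf fragment (added example; the DN, file paths and the value 128
# are assumptions, not values from the original thread).

# Keep both listeners so clients may use either Start TLS on 389
# ("ldapsearch -ZZ ...") or ldaps:// on 636; the policy below, not the
# choice of port, decides whether an operation is allowed:
#   slapd -h "ldap:/// ldaps:///"

TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/slapd.pem
TLSCertificateKeyFile   /etc/openldap/slapd.key

# Global floor for every operation on every backend.
#   tls=128          satisfied only by a TLS layer (ldaps or Start TLS)
#                    reporting at least 128 bits; a plain connection is
#                    rejected with confidentialityRequired (13).
#   simple_bind=128  additionally refuses a cleartext-password bind unless
#                    that TLS layer is already in place (assumed to be
#                    supported by the installed slapd; check slapd.conf(5)).
# Using "ssf=128" instead of "tls=128" would also accept a SASL
# confidentiality layer (e.g. GSSAPI) as sufficient.
security tls=128 simple_bind=128

# Optional per-data version of the same rule, for the case where only
# the NIS-replacement tree must be protected: "tls_ssf=128" in a <who>
# clause matches connections whose TLS strength is at least 128, and
# everything else falls through to "by * none".
access to dn.subtree="dc=example,dc=com"
        by users tls_ssf=128 read
        by * none
```

With this in place, "ldapsearch -x -ZZ -b dc=example,dc=com '(objectclass=*)'" returns the entries, while the same command without -ZZ on the plain listener is refused; slapd exempts the Start TLS extended operation itself from the "security" check, so a client on port 389 can still upgrade the connection before sending anything else. The ACL form is the one to use when some data (the rootDSE, a public subtree) should stay reachable without TLS, since the global "security" directive has no per-tree exception.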