Re: Forcing use of TLS?
- To: openldap-software@OpenLDAP.org
- Subject: Re: Forcing use of TLS?
- From: Ken Kleiner <ken@cs.uml.edu>
- Date: Thu, 30 May 2002 14:19:22 -0400 (EDT)
- In-reply-to: <47CE319ED137D411BDCE00D0B774BF5503B8DB00@UNKNOWN.g1.com> from "Chapman, Kyle" at May 30, 2002 01:47:20 PM
Hello...
Answer to my query on how to start slapd with just TLS support:
> start slapd with only ldaps:///, ie:
> slapd -h "ldaps:///"
Thanks to Kyle Chapman.
After that, I had to make sure my /etc/openldap/ldap.conf file had
URI ldaps://hostname
in it, or use the -H ldaps://hostname switch with the ldap tools
> -----Original Message-----
> From: Ken Kleiner [mailto:ken@cs.uml.edu]
> Sent: Thursday, May 30, 2002 1:31 PM
> To: openldap-software@OpenLDAP.org
> Subject: Forcing use of TLS?
>
>
> Hello...
>
> I have TLS set up with slapd and slapd does not allow anonymous searches,
> and
> instead uses tcp wrappers.
>
> But - how can I stop somebody from using an ldap tool (like ldapsearch) on
> a trusted host and passing a clear text password when they use '-W' to
> authenticate with a BIND DN. Using the '-ZZ' option forces TLS, but
> is there a way to tell slapd to not allow ANYTHING unless it comes in with
> TLS?
>
> Thanks....
>
> --
> <>< ><> <>< ><> <>< ><> <>< ><> <>< ><> <><
>
> Ken Kleiner
> System Manager
> Computer Science Department
> Umass Lowell
>
> voice : 978 934 3645
> fax : 978 934 3551
>
> cell : 603 930 5582 (emergencies only, please)
>
> ken@cs.uml.edu
>
> ------_=_NextPart_001_01C20802.0C3B39C0
> Content-Type: text/html;
> charset="ISO-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
> <HTML>
> <HEAD>
> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
> charset=3DISO-8859-1">
> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
> 5.5.2653.12">
> <TITLE>RE: Forcing use of TLS?</TITLE>
> </HEAD>
> <BODY>
>
> <P><FONT SIZE=3D2>start slapd with only ldaps:///, ie:</FONT>
> <BR><FONT SIZE=3D2>slapd -h "ldaps:///"</FONT>
> </P>
>
> <P><FONT SIZE=3D2>-----Original Message-----</FONT>
> <BR><FONT SIZE=3D2>From: Ken Kleiner [<A =
> HREF=3D"mailto:ken@cs.uml.edu">mailto:ken@cs.uml.edu</A>]</FONT>
> <BR><FONT SIZE=3D2>Sent: Thursday, May 30, 2002 1:31 PM</FONT>
> <BR><FONT SIZE=3D2>To: openldap-software@OpenLDAP.org</FONT>
> <BR><FONT SIZE=3D2>Subject: Forcing use of TLS?</FONT>
> </P>
> <BR>
>
> <P><FONT SIZE=3D2>Hello...</FONT>
> </P>
>
> <P><FONT SIZE=3D2> I have TLS set up with slapd and slapd does not =
> allow anonymous searches, and</FONT>
> <BR><FONT SIZE=3D2>instead uses tcp wrappers.</FONT>
> </P>
>
> <P><FONT SIZE=3D2> But - how can I stop somebody from using a ldap =
> tool (like ldapsearch) on</FONT>
> <BR><FONT SIZE=3D2>a trusted host and passing a clear text password =
> when they use '-W' to</FONT>
> <BR><FONT SIZE=3D2>authenticate with a BIND DN. Using the '-ZZ' =
> option forces TLS, but</FONT>
> <BR><FONT SIZE=3D2>is there a way to tell slapd to not allow ANYTHING =
> unless it comes in with</FONT>
> <BR><FONT SIZE=3D2>TLS?</FONT>
> </P>
>
> <P><FONT SIZE=3D2> Thanks....</FONT>
> </P>
>
> <P><FONT SIZE=3D2>-- </FONT>
> <BR><FONT SIZE=3D2><>< ><> <>< =
> ><> <>< ><> <>< =
> ><> <>< ><> <>< </FONT>
> </P>
>
> <P><FONT SIZE=3D2>Ken Kleiner</FONT>
> <BR><FONT SIZE=3D2>System Manager</FONT>
> <BR><FONT SIZE=3D2>Computer Science Department</FONT>
> <BR><FONT SIZE=3D2>Umass Lowell</FONT>
> </P>
>
> <P><FONT SIZE=3D2>voice : 978 934 3645</FONT>
> <BR><FONT SIZE=3D2>fax : 978 934 3551</FONT>
> </P>
>
> <P><FONT SIZE=3D2>cell : 603 930 5582 (emergencies only, please)</FONT>
> </P>
>
> <P><FONT SIZE=3D2>ken@cs.uml.edu</FONT>
> </P>
>
> </BODY>
> </HTML>
> ------_=_NextPart_001_01C20802.0C3B39C0--
>
--
<>< ><> <>< ><> <>< ><> <>< ><> <>< ><> <><
Ken Kleiner
System Manager
Computer Science Department
Umass Lowell
voice : 978 934 3645
fax : 978 934 3551
cell : 603 930 5582 (emergencies only, please)
ken@cs.uml.edu
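A small audit script for the two settings discussed in this thread, added here as an example and not part of the original posts: it checks the listener list you would pass to `slapd -h` and the `URI` line in ldap.conf, flagging anything that would still accept a cleartext bind. It assumes POSIX sh and that the listener list uses the same whitespace-separated form `slapd -h` takes.

```shell
#!/bin/sh
# Added example (not from the thread). Audit slapd listener URLs and the
# ldap.conf URI line for anything that still permits cleartext binds.

# audit_listeners "<url list>": return 0 if every URL is TLS-from-the-first-byte
# (ldaps://) or a local Unix socket (ldapi://); return 1 and name the offending
# URL for any plain ldap:// listener, which accepts a simple bind in the clear
# unless the client itself asks for StartTLS (-ZZ).
audit_listeners() {
    rc=0
    for url in $1; do
        case "$url" in
            ldaps://*) ;;
            ldapi://*) echo "note: $url is a local socket, not a network listener" ;;
            ldap://*)  echo "cleartext listener: $url"; rc=1 ;;
            *)         echo "unrecognised listener: $url"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_ldap_conf <file>: return 0 if the last URI line in an ldap.conf points
# the client tools only at ldaps:// (or ldapi://) servers. Without a URI line
# the tools will not pick ldaps:// on their own, so that is reported as a fail.
audit_ldap_conf() {
    uris=$(awk 'tolower($1) == "uri" { $1 = ""; line = $0 } END { print line }' "$1")
    if [ -z "$uris" ]; then
        echo "no URI line in $1: tools will not default to ldaps://"
        return 1
    fi
    audit_listeners "$uris"
}

# Usage with the two configurations from the thread (constructed input):
#   audit_listeners "ldaps:///"            -> exit status 0
#   audit_listeners "ldap:/// ldaps:///"   -> prints the ldap:// URL, status 1
#   printf 'URI ldaps://hostname\n' > /tmp/ldap.conf; audit_ldap_conf /tmp/ldap.conf
```

With only `ldaps:///` listening, clients that relied on `-ZZ` (StartTLS over `ldap://`) have nothing to connect to, which is why the `URI ldaps://hostname` change in ldap.conf, or `-H ldaps://hostname` on the command line, is needed alongside the listener change.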