
Re: Forcing use of TLS?



Hello...

  Answer to my query on how to start slapd with just TLS support:

> start slapd with only ldaps:///, ie:
> slapd -h "ldaps:///"

  Thanks to Kyle Chapman.

  After that, I had to make sure my /etc/openldap/ldap.conf file had

URI     ldaps://hostname

  in it, or use the -H ldaps://hostname switch with the ldap tools.


> -----Original Message-----
> From: Ken Kleiner [mailto:ken@cs.uml.edu]
> Sent: Thursday, May 30, 2002 1:31 PM
> To: openldap-software@OpenLDAP.org
> Subject: Forcing use of TLS?
> 
> 
> Hello...
> 
>  I have TLS set up with slapd and slapd does not allow anonymous searches,
> and
> instead uses tcp wrappers.
> 
>  But - how can I stop somebody from using a ldap tool (like ldapsearch) on
> a trusted host and passing a clear text password when they use '-W' to
> authenticate with a BIND DN.  Using the '-ZZ' option forces TLS, but
> is there a way to tell slapd to not allow ANYTHING unless it comes in with
> TLS?
> 
>  Thanks....
> 
> -- 
> <><  ><> <><  ><> <><  ><> <><  ><> <><  ><> <><  
> 
> Ken Kleiner
> System Manager
> Computer Science Department
> Umass Lowell
> 
> voice : 978 934 3645
> fax : 978 934 3551
> 
> cell : 603 930 5582 (emergencies only, please)
> 
> ken@cs.uml.edu
> 


-- 
<><  ><> <><  ><> <><  ><> <><  ><> <><  ><> <><  

Ken Kleiner
System Manager
Computer Science Department
Umass Lowell

voice : 978 934 3645
fax : 978 934 3551

cell : 603 930 5582 (emergencies only, please)

ken@cs.uml.edu
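As an added example, not code from this thread or from the OpenLDAP project: two small preflight checks a defender can run before relying on the setup described above. The first verifies that a slapd "-h" listener list contains nothing but ldaps:// URLs, the second reads ldap.conf-style text and reports any URI line that still points at a clear-text ldap:// server. The function names are my own, and the hostnames and the sample ldap.conf text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for a TLS-only
# slapd deployment. Function names are assumptions of this example; the
# hostnames and the ldap.conf text below are constructed samples.

# Return 0 when every URL in a slapd "-h" listener list uses ldaps://,
# otherwise 1. A clear-text ldap:// listener, or an empty list, fails.
slapd_listeners_tls_only() {
    _urls=$1
    [ -n "$_urls" ] || return 1
    for _u in $_urls; do
        case "$_u" in
            ldaps://*) ;;      # TLS listener (port 636 by default)
            *) return 1 ;;     # ldap:// or anything else: not TLS
        esac
    done
    return 0
}

# Read ldap.conf-style text on stdin, print every URI that is not ldaps://,
# and return 0 only if none was printed. Syntax handled: "URI url [url ...]",
# '#' starts a comment, keyword matched case-insensitively.
ldap_conf_cleartext_uris() {
    _found=0
    while IFS= read -r _line; do
        _line=${_line%%#*}           # drop comments
        set -- $_line                # split the line on whitespace
        case "$1" in
            [Uu][Rr][Ii]) shift ;;   # keep only the URL arguments
            *) continue ;;
        esac
        for _u in "$@"; do
            case "$_u" in
                ldaps://*) ;;
                *) printf '%s\n' "$_u"; _found=1 ;;
            esac
        done
    done
    return $_found
}

# Constructed sample of /etc/openldap/ldap.conf: one entry still uses ldap://.
SAMPLE_LDAP_CONF='# constructed sample client config
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
URI    ldap://legacy.example.com ldaps://ldap2.example.com
'

main() {
    if slapd_listeners_tls_only "ldaps:///"; then
        echo "slapd -h \"ldaps:///\": TLS-only listener list"
    fi
    if ! slapd_listeners_tls_only "ldap:/// ldaps:///"; then
        echo "slapd -h \"ldap:/// ldaps:///\": clear-text ldap:// listener present"
    fi
    if printf '%s' "$SAMPLE_LDAP_CONF" | ldap_conf_cleartext_uris; then
        echo "ldap.conf: all URIs use ldaps://"
    else
        echo "ldap.conf: the URIs printed above are not ldaps:// and need fixing"
    fi
}

main "$@"
```

Run it with the real config piped in (`ldap_conf_cleartext_uris < /etc/openldap/ldap.conf`) to catch a client that would fall back to a clear-text bind; the listener check is the counterpart for the slapd side, where only ldaps:// in the "-h" list means no clear-text port is open at all.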