Re: Re: How to Force TLS/SSL connection Only ?
Hi, Peter and all :-)
>> ################ Begin ###################################
>> TLSCertificateFile /usr/local/etc/openldap/server.crt
>> TLSCertificateKeyFile /usr/local/etc/openldap/server.key
>> TLSCACertificateFile /usr/share/ssl/misc/demoCA/cacert.pem
>> TLSVerifyClient demand
>> ################ End ####################################
>>
>> And in ldap.conf ,add:
>> ################# Begin ###############################
>> TLS_CACERT /usr/share/ssl/misc/demoCA/cacert.pem
>> TLS hard
Now, I commented out the line with "#" to test anonymous and users' access.
#TLS hard
>With all those TLS lines above you told the server (and the clients)
>how to behave in case of a LDAPS connection and a LDAP connection with
>start_tls, but you did not forbid the server to use unencrypted, anonymous
>connections.
>This is usually done using ACLs in the slapd.conf file.
>(the lines above are no ACLs but SSL configuration options)
Now I don't allow anonymous users to access the server and allow ONLY users with valid certificates to read.
I added a few lines to slapd.conf:
access to * by * none
access to *
by self write
by users read
Is this right, or enough?
I still can not reach my goal! :(
It doesn't return any results whatever I search on port 389 or 636, and no error messages are returned.
>> BTW: What's the meaning of the option "-x" in the command "ldapsearch"? "Simple
>> Authentication"? It's different from "Anonymous", but why does it not need a
>> userid & password?
>It is "simple authentication" as opposed to "SASL authentication".
>Simple authentication needs bindDN (= user) & password.
>Anonymous is "no authentication".
I mean, with the "-x" option it should be "Simple Authentication" access,
but it returns the right results without my entering any "user&pwd",
just like anonymous style.
Why?
Thanks again.
Zhangfei
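Added example, not part of Zhangfei's or Peter's mail: a slapd.conf fragment that does what the thread is after (refuse cleartext and anonymous access, grant reads only to authenticated users on a TLS-protected session). It reuses the certificate paths from the thread; the ssf value of 128 is an assumption and should match the weakest cipher the server is willing to negotiate. Two points from the thread are worth making explicit. First, slapd evaluates "access to" clauses top-down and uses the first clause whose target matches, so a leading "access to * by * none" matches every entry and shadows everything below it; that is why the two clauses in the mail yield empty searches with no error. Second, "ldapsearch -x" without -D/-w is an anonymous simple bind, which is what "disallow bind_anon" below refuses.

```conf
# Added example (not from the thread): force TLS and deny anonymous access.

# TLS settings as already present in the thread.
TLSCertificateFile      /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile   /usr/local/etc/openldap/server.key
TLSCACertificateFile    /usr/share/ssl/misc/demoCA/cacert.pem
TLSVerifyClient         demand

# Refuse every operation on a session whose security strength factor is
# below 128, i.e. not protected by TLS. Applies to ldap:// + StartTLS and
# to ldaps:// alike; a plain port-389 session gets "confidentiality required".
# (128 is an assumed minimum; match it to your cipher configuration.)
security ssf=128

# Refuse anonymous binds outright, and require that every other operation
# be performed by an authenticated identity.
disallow bind_anon
require authc

# ACLs: first matching "access to" target wins, so the specific clause
# goes first and the catch-all "by * none" goes last in each clause.
# "anonymous auth" on userPassword is still needed: the simple bind itself
# runs on a not-yet-authenticated session and must be allowed to compare
# the password.
access to attrs=userPassword
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none

access to *
        by ssf=128 self write
        by ssf=128 users read
        by * none
```

With this in place, "ldapsearch -x -H ldap://host ..." on port 389 fails before any entry is returned, "ldapsearch -x -ZZ -H ldap://host -D <binddn> -W ..." (StartTLS forced by -ZZ, then an authenticated simple bind) succeeds, and "ldapsearch -x -ZZ -H ldap://host ..." without -D/-w is refused by disallow bind_anon rather than silently returning nothing.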