
Re: Refusing connections when START_TLS is not sent



On Wed, Dec 10, 2003 at 05:26:34PM +0100, Pierre Moermans wrote:
> Now, I would like to refuse PLAIN text communication when the START_TLS
> command is not sent by the client. I've been googling for a while with
> no success.
> Does anybody know how to do that?

I think a way to do that would be to restrict access to the userPassword
attribute if the ssf is zero (I assume you are using simple bind, and not sasl plain text
mechanisms).

Something like: (untested)
access to attr=userPassword
	by ssf=128 self write
	by ssf=128 anonymous auth
	by * none

If using sasl plaintext mechanisms, take a look at the sasl-secprops slapd.conf(5)
directive; there you can play with ssf too.
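As an added example (not part of the thread above, and not tested by its author), a fuller slapd.conf fragment that pairs the ACL idea with the server-wide security and sasl-secprops directives, so a plaintext simple bind is refused outright instead of merely being denied access to userPassword. It assumes a slapd build whose security directive supports the simple_bind factor and uses placeholder certificate paths.

```conf
# Assumed placeholder paths; replace with the real certificate files.
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/server.pem
TLSCertificateKeyFile  /etc/openldap/certs/server.key

# Refuse simple binds that arrive with a security strength factor below 128,
# i.e. before StartTLS (or ldaps) has been negotiated. Other operations are
# still accepted in the clear (anonymous searches of public attributes, for
# example); use "security ssf=128" instead to require TLS for every operation.
security simple_bind=128

# Belt and braces: even if a plaintext bind slipped through, the password
# attribute is unreadable and unusable over an unprotected transport.
# (Continuation lines must start with whitespace, hence the leading tabs.)
access to attrs=userPassword
	by ssf=128 self write
	by ssf=128 anonymous auth
	by * none

# SASL side: PLAIN and LOGIN also ship the password in the clear. noplain
# forbids them unless the transport already supplies a security layer, and
# minssf is measured after subtracting the TLS layer's ssf, so over StartTLS
# with 128-bit ciphers any mechanism qualifies, while in the clear only
# mechanisms that negotiate their own 128-bit layer (e.g. DIGEST-MD5 with
# privacy) are offered. Lower minssf if that breaks your SASL clients.
sasl-secprops noplain,noanonymous,minssf=128
```

With this in place a plaintext simple bind should be answered with the LDAP result confidentialityRequired (13), while the same bind issued after StartTLS (for example ldapwhoami with -ZZ) succeeds.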