
Re: How to only accept TLS connection on port 389
At 05:32 PM 1/21/2007, Jean-Yves Avenard wrote:
>Is there a way to have OpenLDAP listening on port 389 (standard ldap)
>but only accept tls encrypted session?

You can require TLS (SSL) via the slapd.conf(5) security directive.
The client can then either use ldap:// (to whatever port(s) you have
configured slapd(8) to listen on) and initiate TLS via
the Start TLS operation or use ldaps:// (to whatever port(s)
you have configured slapd(8) on) and initiate TLS upon
connecting.  If you want to restrict clients to using just the
former or the latter, eliminate one or the other listener.

>I've searched for quite a while and it seems that the only option is
>to disable listening on port 389 altogether and only listen on port
>636.

While ldap:// uses 389 by default and ldaps:// uses 636 by default,
one can actually use ldap:// or ldaps:// on any port.

>But this isn't good for my purpose, as some broken clients only work
>over TLS on port 389

ldap:// on port 389 and use of Start TLS operation to initiate
TLS (SSL) is the standard way of securing LDAP with TLS.

Kurt
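The configuration Kurt describes, as an added slapd.conf(5) fragment that is not part of the original reply: slapd keeps listening on ldap://:389, but the global security directive rejects any operation other than Start TLS until the session is encrypted. The certificate and key paths are placeholders, and the ssf value of 128 is one common choice; the directive names themselves (TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile, security ssf=) are real slapd.conf(5) options.

```conf
# Added example, not from the original message.
# Placeholder paths: substitute your own CA chain, server certificate and key.
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server-key.pem

# Require a minimum security strength factor of 128 for every operation
# except Start TLS itself. A client that binds or searches over plain
# ldap://:389 without first issuing Start TLS gets result code 13
# (confidentialityRequired) instead of cleartext service.
# "security tls=128" would express the same requirement using TLS only;
# "ssf=" also accepts a SASL layer of equal strength.
security ssf=128
```

A quick check from the command line: ldapsearch -ZZ -H ldap://server/ ... should succeed (the -ZZ flag makes ldapsearch issue Start TLS and fail if it cannot be negotiated), while the same search without -Z should be refused with "Confidentiality required (13)". Because the requirement is enforced by ssf rather than by which port the connection arrives on, the clients mentioned in the thread that only speak Start TLS on port 389 keep working, and no listener has to be removed.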