
Re: How to only accept TLS connection on port 389



>>Is there a way to have OpenLDAP listening on port 389 (standard ldap)
>>but only accept tls encrypted session?
> 
> You can require TLS (SSL) via the slapd.conf(5) security directive.
> The client can then either use ldap:// (to whatever port(s) you have
> configured slapd(8) to listen on) and initiate TLS via
> the Start TLS operation or use ldaps:// (to whatever port(s)
> you have configured slapd(8) on) and initiate TLS upon
> connecting.  If you want to restrict clients to using just the
> former or the latter, eliminate one or the other listener.
> 
>>I've searched for quite a while and it seems that the only option is
>>to disable listening on port 389 alltogether and only listen on port
>>636.

> While ldap:// uses 389 by default and ldaps:// uses 636 by default,
> one can actually use ldap:// or ldaps:// on any port.  

So the port is independent of the connection type?
Can both clear-text authentication and a secured connection be made on either port (389, 636)?
Then what is the port being used for?
I assumed 389 is the clear-text one and 636 the encrypted (SSL/TLS) one.
Can you please confirm this?

>>But this isn't good for my purpose, as some broken clients only work
>>over TLS on port 389
> 
> ldap:// on port 389 and use of Start TLS operation to initiate
> TLS (SSL) is the standard way of securing LDAP with TLS.
> 
> Kurt
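To make the security directive concrete, here is an added example that is not part of this thread and not OpenLDAP's own code. It contrasts a constructed slapd.conf fragment that still accepts clear-text operations on the ldap:// listener with one that uses `security ssf=128` so that every operation must arrive over TLS, whether the client used Start TLS on 389 or ldaps:// on 636. The certificate paths, the host name `ldap.example.com` and the base DN are placeholders; `tls_required` is a small hypothetical audit check, not an OpenLDAP tool.

```shell
#!/bin/sh
# Added example, not from the thread. Two constructed slapd.conf fragments:
# one that merely enables TLS and one that requires it via the
# "security" directive from slapd.conf(5).

# Constructed: TLS is available, but nothing forces a client on the
# ldap:// listener to issue Start TLS before binding or searching.
WEAK_CONF='
TLSCACertificateFile   /etc/ldap/ca.pem
TLSCertificateFile     /etc/ldap/server.pem
TLSCertificateKeyFile  /etc/ldap/server.key
'

# Constructed: same certificates, plus a minimum security strength factor
# of 128 for every operation and for simple binds. A plain ldap:// session
# must now complete Start TLS first; an ldaps:// session already qualifies.
HARDENED_CONF='
TLSCACertificateFile   /etc/ldap/ca.pem
TLSCertificateFile     /etc/ldap/server.pem
TLSCertificateKeyFile  /etc/ldap/server.key
security ssf=128 simple_bind=128
'

# tls_required CONF: exit 0 when a "security" line demands a non-zero
# transport strength (ssf= or tls=), exit 1 otherwise. Hypothetical helper.
tls_required() {
    printf '%s\n' "$1" \
    | grep -Ei '^[[:space:]]*security[[:space:]]' \
    | grep -Eiq '(^|[[:space:]])(ssf|tls)=[1-9][0-9]*([[:space:]]|$)'
}

# Report both fragments.
for name in WEAK_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    if tls_required "$conf"; then
        echo "$name: TLS required on every listener"
    else
        echo "$name: clear-text operations still accepted"
    fi
done

# Client side against the hardened server (placeholders). Both succeed;
# the same search without -Z is refused with result 13, confidentiality
# required. -ZZ makes ldapsearch abort if Start TLS does not succeed.
#   ldapsearch -x -ZZ -H ldap://ldap.example.com:389/  -b dc=example,dc=com
#   ldapsearch -x     -H ldaps://ldap.example.com:636/ -b dc=example,dc=com
```

The port numbers above are only the defaults: slapd listens wherever its `-h` URL list says (for instance `slapd -h "ldap:/// ldaps:///"`), and the scheme in the URL, not the port, decides whether TLS starts at connect time (ldaps://) or by the Start TLS operation (ldap://). The `security` directive is what turns "TLS available" into "TLS mandatory" on both.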