force use of start_tls: how?
I'm trying to avoid mistakes and configure a server and/or client to
force the use of StartTLS. So, if someone binds to the server and
accidentally forgets to configure start_tls on the client, the
connection is rejected.
The problem is that the rejection happens too late: the client password
was already sent to the server in clear text.
So far I have tested using ACLs (ssf=56) and the global "security"
setting with ssf, simple_bind and transport. In all cases, the
unencrypted access is rejected, but too late: the password was sent.
I guess what I need is a setting in /etc/openldap/ldap.conf similar to
the sasl minssf property, but for non-sasl binds. Is there such a thing?
Something that would behave as if -ZZ were always added to the OpenLDAP
command-line tools.
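The behaviour the post asks for, approximated on the client side. This is an added example, not code from the original thread or from OpenLDAP: the server-side ssf, simple_bind and ACL checks described above are evaluated when the BindRequest arrives, by which point the password has already crossed the wire, so the only place to fail closed is in the client before it connects. The helper names (ldap_tls_mode, ldap_force_starttls), the example.com hosts and the DN are assumptions; the -Z/-ZZ and -H semantics are those of the OpenLDAP tools.

```shell
#!/bin/sh
# Added example (not from the original post or OpenLDAP): shell wrappers
# that behave as if -ZZ were always passed to the OpenLDAP client tools.
# Server-side ssf checks reject the operation only after the BindRequest,
# password included, has been sent in the clear, so the refusal has to
# happen in the client before any connection is made.

# ldap_tls_mode ARGS...: print "tls" when the argument list already
# guarantees encryption before the bind, "plain" otherwise.
#   -ZZ          StartTLS is mandatory; a single -Z asks for StartTLS but
#                falls back to plaintext if the server refuses, so it is
#                treated as plain here.
#   -H ldaps://  TLS from the first byte; StartTLS cannot be layered on
#                an ldaps:// session, so -ZZ must not be added.
# A -H value listing any ldap:// URI is treated as plain, because one of
# the hosts could otherwise be reached without TLS. Combined flags such
# as -xZZ are not recognised and get an extra -ZZ, which is harmless.
ldap_tls_mode() {
    mode=plain
    expect_uri=0
    for arg in "$@"; do
        if [ "$expect_uri" = 1 ]; then
            expect_uri=0
            case "$arg" in
                *ldap://*)  echo plain; return 0 ;;
                *ldaps://*) mode=tls ;;
            esac
            continue
        fi
        case "$arg" in
            -ZZ*)         mode=tls ;;      # -ZZ, -ZZZ ... all mean "hard"
            -H)           expect_uri=1 ;;  # URI comes as the next argument
            -H*ldap://*)  echo plain; return 0 ;;
            -H*ldaps://*) mode=tls ;;
        esac
    done
    echo "$mode"
}

# ldap_force_starttls TOOL ARGS...: run TOOL with -ZZ prepended unless
# the arguments already guarantee TLS. Hypothetical helper name.
ldap_force_starttls() {
    tool=$1
    shift
    if [ "$(ldap_tls_mode "$@")" = tls ]; then
        command "$tool" "$@"
    else
        command "$tool" -ZZ "$@"
    fi
}

# Shadow the tools that send credentials. "command" inside the helper
# bypasses these functions and runs the real binary.
ldapsearch()  { ldap_force_starttls ldapsearch  "$@"; }
ldapmodify()  { ldap_force_starttls ldapmodify  "$@"; }
ldapadd()     { ldap_force_starttls ldapadd     "$@"; }
ldapdelete()  { ldap_force_starttls ldapdelete  "$@"; }
ldapwhoami()  { ldap_force_starttls ldapwhoami  "$@"; }
ldappasswd()  { ldap_force_starttls ldappasswd  "$@"; }

# Constructed usage: with a plain ldap:// URI the bind is refused unless
# StartTLS succeeds, because -ZZ is injected before the tool runs.
# ldapsearch -x -H ldap://ldap.example.com -D cn=admin,dc=example,dc=com -W -b dc=example,dc=com
```

Source the file from a login profile so the wrappers are in every interactive shell. The guard covers only the OpenLDAP command-line tools; applications linking libldap directly still need their own StartTLS configuration, and it does nothing about a client that uses a single -Z and silently falls back when the server declines StartTLS.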