
Re: force use of start_tls: how?



Andreas Hasenack writes:
> I'm trying to avoid mistakes and configure a server and/or client to
> force the use of start tls. So, if someone binds to the server and
> accidentally forgets to configure start_tls on the client, the
> connection is rejected.
>
> The problem is that the rejection happens too late: the client
> password was already sent to the server in clear text.

If you want to ensure it on the server side, all you can do is not
listen for ldap:// connections since they start out unencrypted.
ldap:// connections have no initial protocol exchange which the server
can reject.  Instead listen to ldaps://, "LDAP over SSL (aka TLS)".

> I guess what I need is a setting in /etc/openldap/ldap.conf similar to
> the sasl minssf property, but for non-sasl binds. Is there such a thing?
> Something that would behave as if -ZZ was always added to the openldap
> command-line tools.

Yes.

URI		ldaps://fully.qualified.server-hostname/
TLS_CACERT	<file with the CA-certificate which signed the server cert>
TLS_REQCERT	demand

-- 
Regards,
Hallvard
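
As an added example (not code from the thread), a small Python audit of a client ldap.conf that flags the settings discussed above, with a constructed weak configuration beside the hardened one; the hostnames and the CA file path are assumptions.

```python
"""Audit an OpenLDAP client ldap.conf for settings that let a simple bind leak the password."""
from urllib.parse import urlsplit

# Constructed sample configurations (hostnames and paths are made up).
WEAK_CONF = """\
# plaintext LDAP: a bind without -ZZ sends the password in clear
URI         ldap://ldap.example.com/
BASE        dc=example,dc=com
TLS_REQCERT never
"""

HARDENED_CONF = """\
URI         ldaps://ldap.example.com/
BASE        dc=example,dc=com
TLS_CACERT  /etc/openldap/certs/ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text: str) -> dict:
    """Return {KEYWORD: value}; keywords are case-insensitive, '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(text: str) -> list:
    """Return findings that would leak the bind password or trust a forged server."""
    conf = parse_ldap_conf(text)
    findings = []
    for uri in conf.get("URI", "").split():
        parts = urlsplit(uri)
        if parts.scheme == "ldapi":
            continue  # unix-domain socket, never crosses the network
        if parts.scheme != "ldaps":
            findings.append(f"{uri}: starts unencrypted; a bind without -ZZ sends the password in clear")
        elif "." not in (parts.hostname or ""):
            findings.append(f"{uri}: host is not fully qualified and may not match the server cert")
    if conf.get("TLS_REQCERT", "demand").lower() != "demand":  # ldap.conf default is demand
        findings.append("TLS_REQCERT is not 'demand': certificate failures would be ignored")
    if not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the server certificate cannot be verified")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "OK")
```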