
Re: require StartTLS



Look at the options for setting ssf (Security Strength Factors):

http://www.openldap.org/doc/admin24/access-control.html#Granting%20and%20Denying%20access%20based%20on%20security%20strength%20factors%20(ssf)

I typically set up a global minssf of 256 to ensure maximum security, when possible, via 'security minssf=256'.

re: man slapd.conf

HTH,

Joshua Miller
ITSA Consulting, LLC
http://itsecureadmin.com/

On Feb 26, 2012, at 2:49 AM, Daniel Pocock wrote:

> 
> 
> 
> Is there some way to ensure that a client who connects on port 389 can
> do nothing without StartTLS?
> 
> Or is it necessary to just disable port 389 and only listen for ldaps:/// ?
> 
>
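An added slapd.conf fragment (not from either poster) showing the two forms the reply points at: the global `security` directive and an ACL with an `ssf=` qualifier. It assumes TLS is already configured for slapd (TLSCertificateFile and friends) and uses a strength of 128; the suffix is illustrative.

```conf
# Added example, not part of the thread. Assumes TLS is already set up
# for this slapd instance and that 128 is the strength you want to enforce.

# Global requirement: every operation needs an effective Security
# Strength Factor of at least 128, whichever listener it arrived on.
# A client on plain port 389 therefore gets nothing until it has
# negotiated StartTLS (the StartTLS extended operation itself is still
# allowed, otherwise the session could never reach the required ssf).
# Sessions that came in over ldaps:// already satisfy it, so you do not
# have to drop port 389 to get this guarantee.
security ssf=128

# Per-entry variant: the same requirement expressed in the ACLs, which
# lets you keep some data reachable without encryption while protecting
# the rest. Here nothing is readable or writable below ssf 128.
access to attrs=userPassword
    by self ssf=128 write
    by anonymous ssf=128 auth
    by * none

access to *
    by users ssf=128 read
    by * none
```

Check the effect with `ldapsearch -H ldap://host/ -x -b dc=example,dc=com` (no `-ZZ`): it should fail with a confidentiality-required error, while the same search with `-ZZ` succeeds.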