[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: require StartTLS

To: openldap-technical@openldap.org
Subject: Re: require StartTLS
From: Markus Wernig <listener@wernig.net>
Date: Sun, 26 Feb 2012 21:30:23 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wernig.net; s=mail; t=1330288223; bh=iJxW1mI8xln7cXSKDIJ9KBoUV3MCPkhFtXbT9L4XhmI=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=drZ3HXVOuqZZMk55xPzzu675oBFdcvKm/wCwj7tk/1G+kOnYpDhGxJWEFRk0Igigq lDGWFN5A/BKDLcNo1Fyv5TsJUNKZG/sBJkp+TL15kVXeUfLpcTYq6OuuDmRFOQ+jbC /sFjlNooCfB5sipVuTUSkztLymuWgBJw6ZljRgl4=
In-reply-to: <20120226210156.46369bcc@pink.avci.de>
References: <4F4A0E2A.6090201@pocock.com.au> <20120226121513.133ca18d@violet.avci.de> <4F4A19EE.9050901@pocock.com.au> <20120226210156.46369bcc@pink.avci.de>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2

If you want to disable simple bind (password) etc. without encryption,
you might go along the lines:

security ssf=1 update_ssf=112 simple_bind=112

in slapd.conf


>>> Am Sun, 26 Feb 2012 11:49:14 +0100
>>> schrieb Daniel Pocock <daniel@pocock.com.au>:

>>>> Is there some way to ensure that a client who connects on port 389
>>>> can do nothing without StartTLS?
>>>>
>>>> Or is it necessary to just disable port 389 and only listen for
>>>> ldaps:/// ?

That would be another option, its feasibility depending on your environment.

kind regards /markus

References:
- require StartTLS
  - From: Daniel Pocock <daniel@pocock.com.au>
- Re: require StartTLS
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- Re: require StartTLS
  - From: Daniel Pocock <daniel@pocock.com.au>
- Re: require StartTLS
  - From: Dieter KlÃnter <dieter@dkluenter.de>

Prev by Date: Re: require StartTLS
Next by Date: Re: slapd/slaptest fail with cyrus-sasl-2.1.25
Index(es):
- Chronological
- Thread