Re: Forcing TLS encryption
On Mon, 24 Dec 2012 10:14:39 +0100 (CET), Wiebe Cazemier <wiebe@halfgaar.net> wrote:
> ----- Original Message -----
> > From: "Chuck Lever" <chuck.lever@oracle.com>
> > To: "Wiebe Cazemier" <wiebe@halfgaar.net>
> > Cc: openldap-technical@openldap.org
> > Sent: Friday, 21 December, 2012 4:39:21 PM
> > Subject: Re: Forcing TLS encryption
> >
> > ...
> >
> > I added an olcSecurity attribute to the database directives for the
> > parts of the server's DIT where I wish to require TLS. To start
> > with I set the value "tls=1".
> >
> > See also:
> >
> > http://itsecureadmin.com/tag/openldap/
> >
> > --
> > Chuck Lever
> > chuck[dot]lever[at]oracle[dot]com
> >
>
> I got it to work (connection won't be allowed without TLS), but I can
> still capture the password with tcpdump. To elaborate:
>
> I successfully set tls=1 with:
>
> dn: cn=config
> changetype: modify
> add: olcSecurity
> olcSecurity: tls=1
>
> When I do an ldapsearch now, it says TLS is required:
>
> $ ldapsearch ldapsearch -Hldap://myhost:389 -D"uid=user,ou=people,dc=domain,dc=com" -W
> Enter LDAP Password:
> ldap_bind: Confidentiality required (13)
>         additional info: TLS confidentiality required
In order to initiate Transport Layer Security you have to call the
extended operation ldapSTARTTLS.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
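Added example, not from either poster: a minimal decoder for the BER-encoded LDAP BindRequest (RFC 4511) that a monitoring tool could run over the unencrypted port 389 stream. It illustrates why tcpdump still saw the password: the client sends the simple BindRequest before slapd's olcSecurity tls=1 check rejects it with resultCode 13, so only a client-side STARTTLS (or ldaps://) keeps the credential off the wire. The sample PDU, DN and password are constructed; the credential value itself is never returned.

```python
def _read_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def inspect_bind_request(pdu):
    """Describe a BindRequest PDU, or return None if the PDU is some other operation."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:                        # LDAPMessage ::= SEQUENCE
        return None
    _, msgid, pos = _read_tlv(msg, 0)      # messageID INTEGER
    tag, op, _ = _read_tlv(msg, pos)       # protocolOp
    if tag != 0x60:                        # BindRequest ::= [APPLICATION 0]
        return None
    _, version, pos = _read_tlv(op, 0)     # version INTEGER
    _, name, pos = _read_tlv(op, pos)      # name LDAPDN (OCTET STRING)
    auth_tag, cred, _ = _read_tlv(op, pos) # authentication: [0] simple / [3] sasl
    simple = auth_tag == 0x80
    return {
        "message_id": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode("utf-8", "replace"),
        "mechanism": "simple" if simple else "sasl",
        "cleartext_credential_bytes": len(cred) if simple else 0,
    }

def cleartext_bind_alert(pdu, port=389):
    """Alert text if the PDU is a non-empty simple bind seen on the plaintext port, else None."""
    info = inspect_bind_request(pdu)
    if not info or info["mechanism"] != "simple" or info["cleartext_credential_bytes"] == 0:
        return None
    return (f"cleartext simple bind on port {port}: dn={info['dn']!r}, "
            f"{info['cleartext_credential_bytes']} credential bytes exposed before TLS")

# Constructed sample: what "ldapsearch -D uid=user,... -W" emits when no STARTTLS precedes the bind.
DN = b"uid=user,ou=people,dc=domain,dc=com"
PW = b"secret"                             # constructed placeholder password
_bind = b"\x02\x01\x03" + b"\x04" + bytes([len(DN)]) + DN + b"\x80" + bytes([len(PW)]) + PW
SAMPLE_BIND_REQUEST = (b"\x30" + bytes([5 + len(_bind)]) + b"\x02\x01\x01"
                       + b"\x60" + bytes([len(_bind)]) + _bind)

if __name__ == "__main__":
    print(cleartext_bind_alert(SAMPLE_BIND_REQUEST))
```

The fix on the client side is to require STARTTLS before the bind (ldapsearch -ZZ) or to use an ldaps:// URI; the server-side olcSecurity setting only refuses the bind after the credential has already been received.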