Re: Forcing TLS, but keep working SASL authentication
----- Original Message -----
> From: "Wiebe Cazemier" <wiebe@halfgaar.net>
> To: "Dan White" <dwhite@olp.net>
> Cc: openldap-technical@openldap.org
> Sent: Friday, 4 January, 2013 1:22:23 PM
> Subject: Re: Forcing TLS, but keep working SASL authentication
>
> So even if you set tls=0 on olcDatabase={0}config,cn=config, you need
> that authz-regexp? Because I just set tls=0, and "-Y EXTERNAL" over
> ldapi:/// is now complaining about requiring TLS again.
>
> Unfortunately, I'm pretty new to LDAP, so I don't know how to define
> that authz-regexp. I don't what a regex is, of course, I just don't
> know what to tell the LDAP server...
>
>
As an addendum, I just did this:

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcSecurity
    olcSecurity: tls=1

And that seems to have the desired effect. I can still run commands like:

    ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config

But trying to bind with "ldapsearch -xLLL -b ..." without SSL says: "TLS confidentiality required"
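
Added example (not part of the original message and not OpenLDAP's own code): a check that reads a cn=config dump, such as the ldapsearch output above, and lists data databases that lack an olcSecurity tls factor, plus non-database entries that carry one. The sample LDIF, the {2}hdb database and both suffixes are constructed, and the script assumes a tls factor on cn=config applies to every database.

```python
import re

# Constructed sample shaped like `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config`
# output; the {2}hdb database and both suffixes are invented for this example.
SAMPLE_LDIF = """\
dn: cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=example,dc=com
olcSecurity: tls=1

dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=test,dc=example
olcSecurity: ssf=0
"""

def parse_entries(ldif):
    """Return [(dn, {attr: [values]})]; unfolds wrapped lines, no base64 decoding."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.replace("\n ", "").strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs["dn"][0], attrs))
    return entries

def tls_factor(attrs):
    """Highest tls=<n> among the entry's olcSecurity values, 0 if none."""
    factors = " ".join(attrs.get("olcsecurity", [])).split()
    return max([int(f[4:]) for f in factors if re.fullmatch(r"tls=\d+", f)], default=0)

def audit(ldif):
    """Find data databases lacking tls>=1 and non-data entries that set it."""
    entries = parse_entries(ldif)
    # Assumption: a tls factor on cn=config is global and covers every database.
    global_tls = max((tls_factor(a) for dn, a in entries if dn.lower() == "cn=config"), default=0)
    missing, elsewhere = [], []
    for dn, attrs in entries:
        is_data_db = "olcsuffix" in attrs
        if is_data_db and max(tls_factor(attrs), global_tls) < 1:
            missing.append(dn)      # plain binds to this suffix are not refused
        elif not is_data_db and tls_factor(attrs) >= 1:
            elsewhere.append(dn)    # tls set on cn=config, frontend or {0}config
    return {"missing_tls": missing, "tls_elsewhere": elsewhere}

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```
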