directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DIRSERVER-639) allow to run ldaps only
Date Fri, 09 Jun 2006 05:17:30 GMT
    [ http://issues.apache.org/jira/browse/DIRSERVER-639?page=comments#action_12415483 ] 

Emmanuel Lecharny commented on DIRSERVER-639:
---------------------------------------------

Ok, got it!

There is something that bugs me: the server is supposed to start on 10389, not 389, with the default
configuration, no?

Ok then, whatever. It's true that we don't have an option to start the server on SSL only.
We can add one in a future release, that's not very difficult. But to me, it seems to be much
more a firewall setting than anything else, isn't it? If you forbid incoming requests to port
xx389 in your firewall, it should be ok (at least, this is an option while waiting for a new
version of ADS which will be SSL enabled only).

Second point, if you are running ADS on a Un*x box, then you have many choices, but do not
run it as root. Even if using port 389, use sudo to launch the server, which should run
as a special user (ldap, group ldap, for instance). If you choose to run on a port above
1024, you can launch ADS without using sudo. You can also chroot the whole ADS for security
reasons. But never ever launch the server as root! If this is not clear, we can add a page
on Confluence to help guys with such questions, because these are really important questions.

> allow to run ldaps only
> -----------------------
>
>          Key: DIRSERVER-639
>          URL: http://issues.apache.org/jira/browse/DIRSERVER-639
>      Project: Directory ApacheDS
>         Type: Improvement
>   Components: ldap
>  Environment: all
>     Reporter: Ralf Hauser
>
> In our environment, we should not disclose anything without encrypting it in transmission.
> When trying to only start ldaps by simply not setting
>    cfg.setLdapPort(...);
> apparently the default 389 is taken that in turn cannot be used if apacheDs is not started
> as root...
> How can I avoid just
>   cfg.setLdapPort(2389);
> or at least shutting it down immediately afterwards.
> see also DIR-185

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
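The two concerns raised in the comment above, a plaintext LDAP port that is still open and a directory server bound as root, can be checked on a host with a short audit over its listening sockets. This is an added example, not code from the thread or from ApacheDS; the listener table format (one line per socket: protocol, address:port, owning user, pid, command) is constructed for it, and is the shape you would assemble from `ss -ltnp` plus `ps -o user= -p PID`.

```shell
#!/bin/sh
# Added example, not part of the JIRA thread. Audits a table of listening
# sockets for (a) a plaintext LDAP listener (389 or 10389) still open, which
# defeats an "ldaps only" requirement, and (b) an LDAP/LDAPS listener whose
# process runs as root, which the comment above warns against.

# Constructed sample: an ApacheDS on its default 10389/10636 as user "ldap",
# plus an unrelated sshd. Format: "proto local_addr:port user pid command".
SAMPLE_LISTENERS='tcp 0.0.0.0:10389 ldap 4242 java
tcp 0.0.0.0:10636 ldap 4242 java
tcp 0.0.0.0:22 root 1 sshd'

# audit_ldap_listeners LISTING [PLAIN_PORTS] [TLS_PORTS]
# Prints one finding per line; exit status 0 when nothing was found.
audit_ldap_listeners() {
    listing=$1
    plain_ports=${2:-"389 10389"}
    tls_ports=${3:-"636 10636"}
    findings=$(printf '%s\n' "$listing" | while read -r proto laddr user pid comm; do
        [ -n "$proto" ] || continue
        port=${laddr##*:}
        # Any plaintext LDAP listener is a finding regardless of owner.
        case " $plain_ports " in
            *" $port "*) echo "PLAINTEXT $laddr pid=$pid ($comm)" ;;
        esac
        # A directory server (plain or TLS port) bound as root is a finding.
        case " $plain_ports $tls_ports " in
            *" $port "*)
                if [ "$user" = root ]; then
                    echo "ROOT $laddr pid=$pid ($comm)"
                fi ;;
        esac
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone run against the constructed sample.
if audit_ldap_listeners "$SAMPLE_LISTENERS"; then
    echo "clean: no plaintext LDAP listener, no root-owned LDAP process"
fi
```

On a live box, replace `SAMPLE_LISTENERS` with the real listing and pass the port the server was actually configured with (for instance `'389 2389'`) when it is not a default one.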

