directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ralf Hauser (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DIRSERVER-639) allow to run ldaps only
Date Fri, 09 Jun 2006 03:21:30 GMT
    [ http://issues.apache.org/jira/browse/DIRSERVER-639?page=comments#action_12415473 ] 

Ralf Hauser commented on DIRSERVER-639:
---------------------------------------

There are the following issues:
- nobody shall be able to send (query info, userid/password) nor retrieve information from
our ldap server without protecting that with SSL/TLS
- by not setting cfg.setLdapPort() I hoped that unprotected ldap would not start at all, but
it did start and simply took the default 389 port
- this caused the problem that I do not run the ldap server under root, so it could not bind
to that socket

So there are two goals:
1) run the server in an ldapS config only, i.e. no listener (on port 389 or any other) shall
honor non-protected ldap
2) run the server as non-root

Please let me know if there are questions to these goals.

P.S.: One idea was just if it is mandatory to also start an ldap during booting of the server,
would it be possible to immediately after completing the start shut down the ldap and only
keep the ldaps running

> allow to run ldaps only
> -----------------------
>
>          Key: DIRSERVER-639
>          URL: http://issues.apache.org/jira/browse/DIRSERVER-639
>      Project: Directory ApacheDS
>         Type: Improvement

>   Components: ldap
>  Environment: all
>     Reporter: Ralf Hauser

>
> In our environment, we should not disclose anything without encrypting it in transmission.
> When trying to only start ldaps by simply not setting
>    cfg.setLdapPort(...);
> apparently the default 389 is taken that in turn cannot be used if apacheDs is not started
as root...
> How can I avoid just
>   cfg.setLdapPort(2389);
> or at least shutting it down immediately afterwards.
> see also DIR-185

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message