directory-users mailing list archives

From Beat Burgener | NetSuccess GmbH <beat.burge...@netsuccess.ch>
Subject Re: [ApacheDS] Certificate for StartTLS
Date Wed, 06 Jan 2010 16:00:37 GMT
Steven,

thank you for pointing this out.

@Stefan/Emmanuel

What would be the equivalent for the configuration file?

I assume that the client would try to send the username before the password, and if that fails,
it will hopefully not ignore that fact and will not send the password ...

;-)

Regards

Beat

On 06.01.2010 16:16 PM, Hammond, Steven wrote:
> I use ApacheDS embedded instead of the config file.  But to force startTLS I have:
>     apacheds = new LdapServer();
>     apacheds.setConfidentialityRequired(true);
>
> When a client is connected unencrypted, the only command allowed is startTLS, all others
> are rejected.
>
> -----Original Message-----
> From: Linus van Geuns [mailto:linus@vangeuns.name]
> Sent: Wednesday, January 06, 2010 7:48 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] Certificate for StartTLS
>
> Hi!
>
> On Wed, Jan 6, 2010 at 3:26 PM, Beat Burgener | NetSuccess GmbH
> <beat.burgener@netsuccess.ch>  wrote:
> [..]
>    
>> BTW3: Is there a way to force StartTLS an LDAP connection using port 389 via
>> the ApacheDS configuration?
>> That's why I use LDAPS, which does not support plain text connections AFAIK.
>> For LDAP, I don't feel in the position to control that
>> as to whether the client uses StartTLS or not ...
>>      
> AFAIK it is valid LDAP protocol behavior for a client to just connect
> to the server using a plain text simple bind and thereby send
> passwords in clear text to your server.
> The server could reject that request, but the client is not forced to
> look up server policies before its first request.
>
> Therefore you need to ensure that your clients are configured to use StartTLS.
>
> Regards, Linus
>    
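Added example, not code from the thread or from ApacheDS: a small Python check for the behaviour Linus and Steven describe. It opens a plain TCP connection to port 389, sends one LDAPv3 simple bind with a bogus DN and a bogus password (so nothing real can leak even if the server accepts it), and reports from the server's resultCode whether the cleartext bind was refused, accepted, or merely evaluated and failed. Assumptions: the expected refusal is resultCode 13 (confidentialityRequired, RFC 4511); the thread does not say which code ApacheDS returns, so any other code is reported verbatim. The host, DN and sample reply bytes are constructed placeholders.

```python
import socket
# Minimal BER/LDAPv3 (RFC 4511) encoding, just enough for a BindRequest and its BindResponse.
def _ber_len(n: int) -> bytes:
    return bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload
def _read_tlv(buf: bytes, pos: int):                    # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, name, simple}}; message_id must be < 128."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03")                # [APPLICATION 0] BindRequest, version 3
                      + _tlv(0x04, dn.encode())          # name (LDAPDN)
                      + _tlv(0x80, password.encode()))   # [0] simple: password in clear on the wire
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)

def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage{messageID, BindResponse{resultCode, matchedDN, diagnosticMessage}}."""
    tag, body, _ = _read_tlv(data, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    assert tag == 0x61, "not a BindResponse"
    _, code, pos = _read_tlv(resp, 0)
    _, _matched, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode(errors="replace")}

# RFC 4511 resultCodes and what each one tells you about a cleartext simple bind.
VERDICT = {13: "rejected: confidentialityRequired, TLS must precede bind (policy enforced)",
           0: "accepted: cleartext bind allowed, the password travelled in clear",
           49: "processed: invalidCredentials, but the cleartext bind was still evaluated"}
def classify(result_code: int) -> str:
    return VERDICT.get(result_code, f"other resultCode {result_code}")

def check_plaintext_bind(host: str, port: int = 389) -> str:
    """Send one throwaway bind (bogus DN, bogus password, no real credential) over plain TCP."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_simple_bind(1, "cn=policy-check,dc=example,dc=com", "not-a-real-secret"))
        return classify(parse_bind_response(sock.recv(4096))["result_code"])

# Constructed sample reply (not captured from a real server): resultCode 13, empty matchedDN.
SAMPLE_REJECT = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x61, _tlv(0x0A, b"\x0d")
                     + _tlv(0x04, b"") + _tlv(0x04, b"TLS required")))
```

Run check_plaintext_bind("your-ldap-host") against a server configured with setConfidentialityRequired(true); anything other than the "rejected" verdict means a client that skips StartTLS will still get its password onto the wire.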
