directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From s_humbi <s_hu...@yahoo.com.INVALID>
Subject StartTLS enforced
Date Thu, 25 Feb 2016 15:33:37 GMT
Hello,does anybody know, if there is a way to force the ldap-client to use StartTLS ? I dont
wont to offer our ldap-clients an unsecure way to talk with our LDAP-Server.
Yes I can disable the default-Port 389 and only enable the SSL-Port 636.But there is written
in the DS documentation: " **LDAPS** is considered as deprecated. You should always favor
startTLS instead. "
And I also need the port 389 (with StartTLS) for replication, so i can not disable it.
At the moment i use onlyTLSV1.2 (attribute ads-enabledProtocols). But the users can still
connect without TLS.
I found this interesting paper:
http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf--> see Caption caption: 
"The correct and standard approach is to start LDAP without encryption and then negotiate
the TLS security layer. If necessary, the server can be configured to refuse all operations
other than 'Start TLS' until TLS is in place"

Is this possible with Apache DS ?
Many Thanks for helping ...Humbi




Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message