directory-users mailing list archives

From Ogg <...@sr375.com>
Subject Re: StartTLS enforced
Date Thu, 25 Feb 2016 16:59:15 GMT
I also would be interested in the feature. It would also be interesting to deprecate TLS 1.0,
TLS 1.1, and SSL of any flavor.

> On Feb 25, 2016, at 8:56 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
> 
> On 25/02/16 16:33, s_humbi wrote:
>> Hello, does anybody know if there is a way to force the LDAP client to use StartTLS?
>> I don't want to offer our LDAP clients an insecure way to talk with our LDAP server.
>> Yes, I can disable the default port 389 and only enable the SSL port 636. But the DS
>> documentation says: "**LDAPS** is considered as deprecated. You should always favor
>> startTLS instead."
>> And I also need port 389 (with StartTLS) for replication, so I cannot disable it.
>> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But the users can
>> still connect without TLS.
>> I found this interesting paper:
>> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf --> see
>> caption: "The correct and standard approach is to start LDAP without encryption and
>> then negotiate the TLS security layer. If necessary, the server can be configured to refuse
>> all operations other than 'Start TLS' until TLS is in place"
>> 
>> Is this possible with Apache DS?
>> Many thanks for helping ... Humbi
>> 
> No, sorry, we can't enforce that atm. At least, there is no way to do
> that through configuration.
> 
> And yes, this is missing. In OpenLDAP, you can enforce TLS through some
> parameter, and I think that would be a good addition to ApacheDS.
> Would you fancy creating a JIRA with such a demand?
> 
> Thanks!
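
For reference, the OpenLDAP-side enforcement that the reply alludes to, written as an added cn=config LDIF fragment (not from this thread, and nothing equivalent exists in ApacheDS according to the answer above): `olcSecurity: ssf=128` makes slapd refuse every request on a connection without 128-bit confidentiality, so a cleartext request on port 389 gets result code 13 (confidentialityRequired) until StartTLS has been negotiated, and `olcTLSProtocolMin: 3.3` sets the TLS 1.2 floor the follow-up asks for. Certificate paths are assumptions.

```ldif
# Added example (not from this thread): OpenLDAP cn=config settings that
# enforce StartTLS on port 389 and refuse TLS 1.0/1.1. Certificate paths
# below are assumptions; adjust them to the deployment.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/server.key
-
# Protocol floor: 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2.
# Handshakes offering anything lower are rejected.
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
# Require a 128-bit security strength factor on every connection before any
# operation other than StartTLS is processed. A cleartext bind or search on
# 389 is answered with result 13 (confidentialityRequired), which is the
# "refuse all operations until TLS is in place" behaviour from the paper.
# (tls=1 is the stricter factor that accepts only a TLS layer as protection.)
replace: olcSecurity
olcSecurity: ssf=128
-
# Credit the local ldapi:/// socket with the same strength so administrative
# tooling on the server itself keeps working without TLS.
replace: olcLocalSSF
olcLocalSSF: 128
```

Verify from a client with `ldapsearch -x -H ldap://<server> -b '' -s base`: without `-ZZ` the request should be rejected with "Confidentiality required (13)", and the same command with `-ZZ` (mandatory StartTLS) should succeed.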

