directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: StartTLS enforced
Date Fri, 26 Feb 2016 04:33:06 GMT
On Fri, Feb 26, 2016 at 3:23 AM, Stefan Seelmann <mail@stefan-seelmann.de>
wrote:

> On 02/25/2016 05:56 PM, Emmanuel Lécharny wrote:
> > On 25/02/16 16:33, s_humbi wrote:
> > >> Hello, does anybody know if there is a way to force the LDAP client to
> > >> use StartTLS? I don't want to offer our LDAP clients an insecure way to
> > >> talk with our LDAP server.
> > >> Yes, I can disable the default port 389 and only enable the SSL port
> > >> 636. But there is written in the DS documentation: "**LDAPS** is considered
> > >> as deprecated. You should always favor startTLS instead."
> > >> And I also need port 389 (with StartTLS) for replication, so I cannot
> > >> disable it.
> > >> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But
> > >> the users can still connect without TLS.
> > >> I found this interesting paper:
> > >> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf
> > >> --> see caption: "The correct and standard approach is to start LDAP
> > >> without encryption and then negotiate the TLS security layer. If necessary,
> > >> the server can be configured to refuse all operations other than 'Start
> > >> TLS' until TLS is in place"
> > >>
> > No, sorry, we can't enforce that atm. At least, there is no way to do
> > that through configuration.
> >
> > And yes, this is missing. In OpenLDAP, you can enforce TLS through some
> > parameter, and I think that would be a good addition to ApacheDS.
> > Would you fancy creating a JIRA with such a demand?
>
> But that cannot prevent the client from sending a request, e.g. a simple
> bind with plain text password, right? Even if the server then refuses
>
Just like with any network client, it is still possible, unless the client does
some negotiation with the server prior to sending a bind request.

> the operation, the password was sent over the wire. Would it then be
> appropriate to lock the account automatically?
>
The server just rejects the request even before looking into it; IMO the
server shouldn't do anything other than rejecting the request.

> Kind Regards,
> Stefan
>
Kiran Ayyagari
http://keydap.com
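The policy the thread is asking for, modelled as an added example rather than anything from ApacheDS or OpenLDAP: a per-connection state machine that answers every operation except StartTLS (extended operation OID 1.3.6.1.4.1.1466.20037, RFC 4511) and Unbind with confidentialityRequired (result code 13) until a TLS layer exists. The rejection is decided on the operation type alone, so a simple bind sent in the clear is refused without its payload ever being decoded, logged or counted as a failed bind, which is the behaviour Kiran describes above. The `Request`/`Connection` classes, the `decode_bind` stand-in for BER decoding and the credential table are constructed for the example.

```python
"""
Constructed model (added example, not ApacheDS or OpenLDAP code) of a
"refuse everything but StartTLS until TLS is in place" listener policy.
"""
from dataclasses import dataclass, field
from typing import Optional

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511
SUCCESS = 0                                # RFC 4511 resultCode values
CONFIDENTIALITY_REQUIRED = 13
INVALID_CREDENTIALS = 49

# Constructed credential table standing in for the directory's password store.
USERS = {"uid=alice,ou=people,dc=example,dc=com": b"correct horse"}


@dataclass
class Request:
    op: str                      # "bind", "search", "extended", "unbind"
    oid: Optional[str] = None    # set only for extended operations
    payload: bytes = b""         # raw, still-undecoded request body


@dataclass
class Connection:
    tls_active: bool = False
    failed_binds: int = 0        # what an account-lockout policy would count
    audit: list = field(default_factory=list)


def decode_bind(payload: bytes) -> tuple:
    """Stand-in for BER decoding of a simple bind, encoded here as 'dn\\0password'."""
    dn, _, password = payload.partition(b"\0")
    return dn.decode(), password


def handle(conn: Connection, req: Request) -> int:
    """Return the LDAP resultCode the server answers with."""
    if not conn.tls_active:
        if req.op == "extended" and req.oid == START_TLS_OID:
            conn.tls_active = True   # TLS handshake assumed to complete here
            conn.audit.append("starttls ok")
            return SUCCESS
        if req.op == "unbind":
            conn.audit.append("unbind")
            return SUCCESS
        # Rejected on the operation type alone: req.payload is never decoded,
        # so a password sent in the clear is not read, logged or counted as a
        # failed bind against the account.
        conn.audit.append(f"rejected {req.op} before TLS")
        return CONFIDENTIALITY_REQUIRED

    if req.op == "bind":
        dn, password = decode_bind(req.payload)
        conn.audit.append(f"bind {dn}")
        if USERS.get(dn) != password:
            conn.failed_binds += 1   # only post-TLS failures feed lockout
            return INVALID_CREDENTIALS
        return SUCCESS
    conn.audit.append(req.op)
    return SUCCESS


def run_scenario() -> dict:
    """Replay a client that first binds in the clear, then does it properly."""
    conn = Connection()
    dn = b"uid=alice,ou=people,dc=example,dc=com"
    requests = [
        Request("bind", payload=dn + b"\0correct horse"),   # cleartext: refused
        Request("search"),                                   # refused as well
        Request("extended", oid=START_TLS_OID),              # TLS comes up
        Request("bind", payload=dn + b"\0wrong"),            # real failure
        Request("bind", payload=dn + b"\0correct horse"),    # success
    ]
    codes = [handle(conn, r) for r in requests]
    return {"codes": codes, "failed_binds": conn.failed_binds, "audit": conn.audit}


if __name__ == "__main__":
    print(run_scenario())
```

Two points follow from the model. StartTLS itself is always admitted, so replication over port 389 keeps working under this policy; only operations before the TLS layer are refused. And, as Stefan notes, the refusal cannot undo the fact that the password already crossed the wire; the policy only bounds what the server does with it, which is why the rejection path above never touches the payload.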
