directory-users mailing list archives

From Kiran Ayyagari <>
Subject Re: StartTLS enforced
Date Fri, 26 Feb 2016 04:33:06 GMT
On Fri, Feb 26, 2016 at 3:23 AM, Stefan Seelmann <> wrote:

> On 02/25/2016 05:56 PM, Emmanuel Lécharny wrote:
> > On 25/02/16 16:33, s_humbi wrote:
> >> Hello, does anybody know if there is a way to force the ldap-client to
> >> use StartTLS? I don't want to offer our ldap-clients an insecure way to
> >> talk with our LDAP-Server.
> >> Yes I can disable the default-Port 389 and only enable the SSL-Port
> >> 636. But there is written in the DS documentation: " **LDAPS** is considered
> >> as deprecated. You should always favor startTLS instead. "
> >> And I also need the port 389 (with StartTLS) for replication, so I can
> >> not disable it.
> >> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But
> >> the users can still connect without TLS.
> >> I found this interesting paper:
> >>
> >> see Caption caption: "The correct and standard approach is to start LDAP
> >> without encryption and then negotiate the TLS security layer. If necessary,
> >> the server can be configured to refuse all operations other than 'Start
> >> TLS' until TLS is in place"
> >>
> > No, sorry, we can't enforce that atm. At least, here is no way to do
> > that through configuration.
> >
> > And yes, this is missing. In OpenLDAP, you can enforce TLS through some
> > parameter, and I think that would be a good addition to ApacheDS.
> > Would you fancy creating a JIRA with such a demand ?
> But that cannot prevent the client from sending a request, e.g. a simple
> bind with plain text password, right? Even if the server then refuses

Just like with any network client, it is still possible, unless the client does
some negotiation with the server prior to sending a bind request.

> the operation, the password was sent over the wire. Would it then be
> appropriate to lock the account automatically?

The server just rejects the request even before looking into it; IMO the
server shouldn't do anything other than reject the request.

> Kind Regards,
> Stefan

Kiran Ayyagari
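The server-side policy the quoted paper describes ("refuse all operations other than 'Start TLS' until TLS is in place"), and the point made above that the server should simply reject a plaintext bind without evaluating it, modelled as an added example; this is constructed illustration code, not ApacheDS or OpenLDAP code, and the DN, password and session model are assumptions made for the example. Result codes and the StartTLS OID are the ones defined in RFC 4511.

```python
from dataclasses import dataclass, field
from typing import Optional

# Result codes from RFC 4511 section 4.1.9
SUCCESS, OPERATIONS_ERROR, CONFIDENTIALITY_REQUIRED, INVALID_CREDENTIALS = 0, 1, 13, 49
START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511 4.14)

# Constructed directory (DN -> password), sample data for this example only.
PASSWORDS = {"uid=alice,ou=people,dc=example,dc=com": "correct horse"}

@dataclass
class Session:
    tls_active: bool = False
    bound_as: Optional[str] = None
    failed_binds: int = 0   # counted only for binds the server actually evaluated
    log: list = field(default_factory=list)

def handle(session: Session, op: str, **args) -> int:
    """Dispatch one request on a session and return the LDAP resultCode.
    Policy: until TLS is negotiated, accept only StartTLS and Unbind; every
    other request is refused with confidentialityRequired before its contents
    (e.g. a plaintext password) are examined, so it cannot succeed and is not
    treated as a failed login attempt (no lockout counter is touched)."""
    if op == "extended" and args.get("oid") == START_TLS_OID:
        if session.tls_active:
            return OPERATIONS_ERROR           # TLS already established
        session.tls_active = True
        session.log.append("TLS layer installed")
        return SUCCESS
    if op == "unbind":
        session.bound_as = None
        return SUCCESS
    if not session.tls_active:
        session.log.append(f"refused {op}: TLS required")
        return CONFIDENTIALITY_REQUIRED
    if op == "bind":
        if PASSWORDS.get(args.get("dn")) == args.get("password"):
            session.bound_as = args["dn"]
            return SUCCESS
        session.failed_binds += 1
        return INVALID_CREDENTIALS
    return SUCCESS   # search etc. proceed over the protected channel

def demo() -> Session:
    """A client that first binds in plaintext (refused), then does it properly."""
    s = Session()
    dn = "uid=alice,ou=people,dc=example,dc=com"
    handle(s, "bind", dn=dn, password="correct horse")   # refused, never evaluated
    handle(s, "extended", oid=START_TLS_OID)
    handle(s, "bind", dn=dn, password="correct horse")   # accepted over TLS
    return s
```

Note that the policy cannot stop a careless client from putting the password on the wire in the first request; it only guarantees that such a request is never honoured, which is why the client side must also negotiate StartTLS before binding.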
