directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: StartTLS enforced
Date Fri, 26 Feb 2016 04:28:16 GMT
On Thu, Feb 25, 2016 at 10:26 PM, Emmanuel Lécharny <elecharny@gmail.com>
wrote:

> On 25/02/16 16:33, s_humbi wrote:
> > Hello, does anybody know if there is a way to force the LDAP client to
> > use StartTLS? I don't want to offer our LDAP clients an insecure way to
> > talk with our LDAP server.
> > Yes, I can disable the default port 389 and only enable the SSL port
> > 636. But it is written in the DS documentation: " **LDAPS** is considered
> > as deprecated. You should always favor startTLS instead. "
> > And I also need port 389 (with StartTLS) for replication, so I cannot
> > disable it.
> > At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But
> > the users can still connect without TLS.
> > I found this interesting paper:
> > http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf
> > See the caption: "The correct and standard approach is to start LDAP
> > without encryption and then negotiate the TLS security layer. If necessary,
> > the server can be configured to refuse all operations other than 'Start
> > TLS' until TLS is in place"
> >
> > Is this possible with Apache DS?
> > Many thanks for helping ... Humbi
> >
> No, sorry, we can't enforce that atm. At least, there is no way to do
> that through configuration.
>
Actually we can, through configuration (I understand, it is very rarely
used, so hard to remember ;)

Set the value of the attribute ads-confidentialityRequired to TRUE and
restart the server. This will force the user to use a secure connection
using StartTLS.

This attribute is present in the entry -
ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config

> And yes, this is missing. In OpenLDAP, you can enforce TLS through some
> parameter, and I think that would be a good addition to ApacheDS.
> Would you fancy creating a JIRA with such a demand ?
>
> Thanks !
>
Kiran Ayyagari
http://keydap.com
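A worked version of the change Kiran describes, as an added example that is not from the thread or the ApacheDS project: it assumes OpenLDAP's ldapmodify/ldapsearch command-line tools, ApacheDS's default LDAP port 10389 and admin DN uid=admin,ou=system, the admin password in ADMIN_PW, and that the root DSE can be read anonymously for the verification step.

```shell
#!/bin/sh
# Added example (not from the thread): enforce StartTLS on ApacheDS by setting
# ads-confidentialityRequired on the ldapServer entry, then check it took effect.
# Assumptions: OpenLDAP client tools, server on localhost:10389 (ApacheDS default),
# admin DN uid=admin,ou=system (ApacheDS default), admin password in $ADMIN_PW.
HOST="${LDAP_HOST:-localhost}"
PORT="${LDAP_PORT:-10389}"
ADMIN_DN="uid=admin,ou=system"
SERVER_DN="ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config"

# LDIF that sets the attribute named in the thread; printed so it can be
# reviewed or piped into ldapmodify.
confidentiality_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: ads-confidentialityRequired\nads-confidentialityRequired: TRUE\n' "$SERVER_DN"
}

# Apply the change. -ZZ makes ldapmodify itself negotiate StartTLS and abort if
# that fails, so the admin password never travels in the clear.
apply_confidentiality() {
    confidentiality_ldif | ldapmodify -ZZ -H "ldap://$HOST:$PORT" -D "$ADMIN_DN" -w "$ADMIN_PW"
    echo "Now restart ApacheDS; the setting is read at startup."
}

# After the restart: a cleartext root DSE search must be refused (ApacheDS is
# expected to answer with result code confidentialityRequired), while the same
# search over StartTLS must succeed. Returns 0 only if both hold.
verify_enforced() {
    if ldapsearch -x -H "ldap://$HOST:$PORT" -b "" -s base '(objectClass=*)' >/dev/null 2>&1; then
        echo "FAIL: cleartext search was accepted" >&2
        return 1
    fi
    if ! ldapsearch -x -ZZ -H "ldap://$HOST:$PORT" -b "" -s base '(objectClass=*)' >/dev/null 2>&1; then
        echo "FAIL: StartTLS search did not succeed" >&2
        return 1
    fi
    echo "OK: server only serves StartTLS-protected sessions"
}

case "${1:-}" in
    apply)  apply_confidentiality ;;
    verify) verify_enforced ;;
    *)      confidentiality_ldif ;;   # default: just show the LDIF
esac
```

Run with `apply` before the restart and `verify` after it; the verify step deliberately avoids a cleartext bind so no credentials are sent while probing.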
