Return-Path: X-Original-To: apmail-directory-users-archive@www.apache.org Delivered-To: apmail-directory-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6198E186CA for ; Thu, 25 Feb 2016 23:56:14 +0000 (UTC) Received: (qmail 29985 invoked by uid 500); 25 Feb 2016 23:56:14 -0000 Delivered-To: apmail-directory-users-archive@directory.apache.org Received: (qmail 29942 invoked by uid 500); 25 Feb 2016 23:56:14 -0000 Mailing-List: contact users-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: users@directory.apache.org Delivered-To: mailing list users@directory.apache.org Received: (qmail 29930 invoked by uid 99); 25 Feb 2016 23:56:13 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 25 Feb 2016 23:56:13 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 53EC2C0A41 for ; Thu, 25 Feb 2016 23:56:13 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.102 X-Spam-Level: X-Spam-Status: No, score=-0.102 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd1-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx2-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id zj61TzcEHsNR for ; Thu, 25 Feb 2016 23:56:12 +0000 (UTC) Received: from mail-pf0-f173.google.com (mail-pf0-f173.google.com [209.85.192.173]) by mx2-lw-us.apache.org (ASF Mail Server at mx2-lw-us.apache.org) with ESMTPS id 250685F1EF for ; Thu, 25 Feb 2016 23:56:12 +0000 (UTC) Received: by mail-pf0-f173.google.com with SMTP id x65so41218167pfb.1 for ; Thu, 25 Feb 2016 15:56:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=izU78i1quxlkSPQGgUdHlpgXghgrmzT0WX/xmcgrREM=; b=RYwFlgcssLiLzeKRtjrPcJy+GBDaZFyHZMa68LBaDLWblds+GLFpBkOERMaSUD/KLs ApO+HbMoEN6mXJQYeZdwTSe0akfRf3cw1NktFNjwcV5J5fMbxFnw3Dlw0j9ErGmxTTtN 84R0x+dOhf30nNwVr6khVt3jwUkekyH2WUYmm7PAMKC6E1MkR8+u7786QbJXep0W0BGe +bnty33qBPcM9fvmiTt2U5kJWUdbprt2EZX9x59WkrOW8673xyMxtCkC/tzIYOTmdpMz WrmoD0MooXBTIA6TXdlrLoKrTyGKSABRKqdwf71YEUJwz4rpSCmKTvUEKewx4zaymyXp z5iA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=izU78i1quxlkSPQGgUdHlpgXghgrmzT0WX/xmcgrREM=; b=SjqgmEASU5N8EL29mo0noQ74T+QdUVMffEP0fja1rH6cDPezoviEC/Fk2IBKNM/y80 BGLFkbsId6GGpuVlDjzZYcziE8GVVqBBl9qMQeODPCBm8K4iLpieBvSTbGsJLfjWq4h5 59UXkJC4bpTj3t57uJwzuY/g6m4T9p5RzHLeYjV46pp86saR4jYuAhYcyBLfRw7Ww2Ga Djwx+2Q2aUuA+4YjDmProjFl19TloWOJ5on3dNm1C//XsxfBz6zzmijyqKkPDRtGvasI 6fpXti+tYLdXEbWDZV2/RIOCgn37wsKCoLPKEHhCcY977jRwPeI7SQx1XJQcTUqAf0kV Motw== X-Gm-Message-State: AG10YOSdxlhBFNOgfSTce+o8QkfrYsK35WGZpig23gmeUmbt2SaQZuaVicNzVUGXEqavAg== X-Received: by 10.98.10.139 with SMTP id 11mr67222489pfk.87.1456444571194; Thu, 25 Feb 2016 15:56:11 -0800 (PST) Received: from ?IPv6:2a01:cb04:7f:4400:98b5:7dd3:a5ac:180d? (2a01cb04007f440098b57dd3a5ac180d.ipv6.abo.wanadoo.fr. [2a01:cb04:7f:4400:98b5:7dd3:a5ac:180d]) by smtp.googlemail.com with ESMTPSA id 144sm14601241pfa.83.2016.02.25.15.56.10 for (version=TLSv1/SSLv3 cipher=OTHER); Thu, 25 Feb 2016 15:56:10 -0800 (PST) Subject: Re: StartTLS enforced To: users@directory.apache.org References: <678353651.15690933.1456414417251.JavaMail.yahoo.ref@mail.yahoo.com> <678353651.15690933.1456414417251.JavaMail.yahoo@mail.yahoo.com> <56CF322C.2050603@gmail.com> <56CF77C4.1030302@stefan-seelmann.de> From: =?UTF-8?Q?Emmanuel_L=c3=a9charny?= X-Enigmail-Draft-Status: N1110 Message-ID: <56CF9498.2060800@gmail.com> Date: Fri, 26 Feb 2016 00:56:08 +0100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <56CF77C4.1030302@stefan-seelmann.de> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Le 25/02/16 22:53, Stefan Seelmann a =C3=A9crit : > On 02/25/2016 05:56 PM, Emmanuel L=C3=A9charny wrote: >> Le 25/02/16 16:33, s_humbi a =C3=A9crit : >>> Hello,does anybody know, if there is a way to force the ldap-client t= o use StartTLS ? I dont wont to offer our ldap-clients an unsecure way to= talk with our LDAP-Server. >>> Yes I can disable the default-Port 389 and only enable the SSL-Port 6= 36.But there is written in the DS documentation: " **LDAPS** is considere= d as deprecated. You should always favor startTLS instead. " >>> And I also need the port 389 (with StartTLS) for replication, so i ca= n not disable it. >>> At the moment i use onlyTLSV1.2 (attribute ads-enabledProtocols). But= the users can still connect without TLS. >>> I found this interesting paper: >>> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pd= f--> see Caption caption: "The correct and standard approach is to start= LDAP without encryption and then negotiate the TLS security layer. If ne= cessary, the server can be configured to refuse all operations other than= 'Start TLS' until TLS is in place" >>> >> No, sorry, we can't enforce that atm. At least, here is no way to do >> that through configuration. >> >> And yes, this is missing. In OpenLDAP, you can enforce TLS through som= e >> parameter, and I think that would be a good addition to ApacheDS. >> Would you fancy creating a JIRA with such a demand ? > But that cannot prevent the client from sending a request, e.g. a simpl= e > bind with plain text password, right?=20 It will. Check on http://www.openldap.org/doc/admin24/security.html, par.14.2.1. Setting the 'security' parameter to a value > 1 will reject any non-encrypted connection. > Even if the server then refuses > the operation, the password was sent over the wire. Would it then be > appropriate to lock the account automatically? You won't be able to send a request in clear text, AFAIU.