Subject: Re: StartTLS enforced
From: Ogg
Date: Thu, 25 Feb 2016 08:59:15 -0800
To: users@directory.apache.org
Message-Id: <9FF94D07-1B62-4254-BA9E-530CFC20BB7A@sr375.com>
In-Reply-To: <56CF322C.2050603@gmail.com>

I also would be interested in the feature. It would also be interesting to deprecate TLS 1.0, TLS 1.1 and SSL of any flavor.

> On Feb 25, 2016, at 8:56 AM, Emmanuel Lécharny wrote:
>
> On 25/02/16 16:33, s_humbi wrote:
>> Hello, does anybody know if there is a way to force the ldap-client to use StartTLS? I don't want to offer our ldap-clients an insecure way to talk with our LDAP-Server.
>> Yes, I can disable the default port 389 and only enable the SSL port 636. But there is written in the DS documentation: "**LDAPS** is considered as deprecated. You should always favor startTLS instead."
>> And I also need the port 389 (with StartTLS) for replication, so I can not disable it.
>> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But the users can still connect without TLS.
>> I found this interesting paper:
>> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf --> see caption: "The correct and standard approach is to start LDAP without encryption and then negotiate the TLS security layer. If necessary, the server can be configured to refuse all operations other than 'Start TLS' until TLS is in place"
>>
>> Is this possible with Apache DS?
>> Many Thanks for helping ... Humbi
>
> No, sorry, we can't enforce that atm. At least, there is no way to do that through configuration.
>
> And yes, this is missing. In OpenLDAP, you can enforce TLS through some parameter, and I think that would be a good addition to ApacheDS.
> Would you fancy creating a JIRA with such a demand?
>
> Thanks!
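The enforcement the thread asks about can be audited from the outside: a server that refuses all operations other than StartTLS will answer a cleartext bind on port 389 with a non-zero LDAP resultCode (13, confidentialityRequired, is the conventional one) instead of success. The following self-contained Python check is an added example, not code from this thread or from ApacheDS; it hand-encodes the BER for an anonymous BindRequest and the StartTLS ExtendedRequest, parses the resultCode of the reply, and exercises the logic against a constructed fake server object that stands in for a socket.

```python
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"
CONFIDENTIALITY_REQUIRED = 13  # LDAP resultCode a server returns to cleartext operations it refuses


def ber(tag: int, body: bytes) -> bytes:
    """Minimal BER TLV encoder: one-byte tag, short-form or two-byte long-form length."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def anonymous_bind(msg_id: int) -> bytes:
    """LDAPMessage carrying BindRequest [APPLICATION 0]: version 3, empty DN, simple [0] empty password."""
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b""))
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)


def start_tls_request(msg_id: int) -> bytes:
    """LDAPMessage carrying ExtendedRequest [APPLICATION 23] with requestName [0] = StartTLS OID."""
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x77, ber(0x80, START_TLS_OID)))


def result_code(response: bytes) -> int:
    """Extract resultCode from an LDAPMessage holding a BindResponse (0x61) or ExtendedResponse (0x78).
    Assumes short-form lengths and a one-byte messageID, which holds for these small replies."""
    assert response[0] == 0x30 and response[2] == 0x02, "not an LDAPMessage"
    op = 4 + response[3]                      # offset of the protocolOp tag
    assert response[op] in (0x61, 0x78), "not a Bind/Extended response"
    assert response[op + 2] == 0x0A, "resultCode must be ENUMERATED"
    return response[op + 4]


def cleartext_bind_refused(sock) -> bool:
    """True when an anonymous bind sent before StartTLS is rejected (StartTLS effectively enforced),
    False when the server accepts the bind in the clear. `sock` needs sendall()/recv() only."""
    sock.sendall(anonymous_bind(1))
    return result_code(sock.recv(4096)) != 0


class FakeServer:
    """Constructed stand-in for a socket: answers every request with a BindResponse of a fixed code."""
    def __init__(self, code: int):
        self.code = code

    def sendall(self, data: bytes) -> None:
        self.last_request = data

    def recv(self, n: int) -> bytes:
        ldap_result = ber(0x0A, bytes([self.code])) + ber(0x04, b"") + ber(0x04, b"")
        return ber(0x30, ber(0x02, b"\x01") + ber(0x61, ldap_result))


if __name__ == "__main__":
    print(cleartext_bind_refused(FakeServer(CONFIDENTIALITY_REQUIRED)))  # True: cleartext refused
    print(cleartext_bind_refused(FakeServer(0)))                           # False: cleartext bind allowed
```

Against a real directory, pass `socket.create_connection((host, 389))` in place of the fake; a False result means the server still serves cleartext binds before StartTLS, which is exactly the gap the thread describes.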