[389-devel] [PATCH] Add require secure binds switch.

Nathan Kinder nkinder at redhat.com
Tue May 26 20:44:25 UTC 2009


Andrey Ivanov wrote:
>
> Does it mean that when "nsslapd-require-secure-binds" is "on" then 
> even the anonymous binds should be made by SSL? Maybe there is some 
> sense in leaving a possibility to have anonymous binds non-SSL and 
> forcing non-anonymous ones to be secure?
Sorry for the late response, but I was on vacation the last week.

The current patch does force all simple binds, including anonymous, to 
use a secure connection.  I can see value in allowing anonymous simple 
binds over an unencrypted connection, as the main reason for this new 
setting is to prevent clear text transmission of passwords.  I will 
revise the patch to ignore anonymous binds when 
nsslapd-require-secure-binds is on unless anyone else has arguments 
otherwise.

There are a number of other security-related configuration settings that 
I plan to add soon, which will provide other ways of dealing with 
restricting anonymous operations.  One of these features is a switch to 
disable any anonymous operations completely.  Another is to have a 
minimum SSF setting on the server.  The only operation we would allow 
after first connecting over plain LDAP would be startTLS.  If the SSF 
then meets the minimum requirement, other operations would be allowed.
>
> 2009/5/15 Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>>
>
>     Nathan Kinder wrote:
>
>
>         ------------------------------------------------------------------------
>
>         --
>         Fedora-directory-devel mailing list
>         Fedora-directory-devel at redhat.com
>         <mailto:Fedora-directory-devel at redhat.com>
>         https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>
>     Looks good.
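The gating rules described in the reply above (reject a simple bind that carries credentials over a clear-text connection, let anonymous binds through, and, once a minimum SSF is configured, allow nothing but startTLS until the transport is strong enough) modelled as a small Python example. This is added code, not 389 Directory Server's implementation: nsslapd-require-secure-binds is the attribute from the patch, while nsslapd-minssf, the Connection/check_operation helpers and the cn=config fragments are assumed or constructed for illustration. It covers both settings in one model so their interaction can be exercised offline.

```python
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13          # RFC 4511 "confidentialityRequired"
START_TLS_OID = "1.3.6.1.4.1.1466.20037"    # RFC 4511 StartTLS extended operation


def parse_config(ldif_text):
    """Pull the two switches out of a cn=config style LDIF fragment.

    nsslapd-require-secure-binds is the attribute from the patch under
    discussion; nsslapd-minssf is an assumed name for the planned
    minimum-SSF setting.
    """
    cfg = {"require_secure_binds": False, "min_ssf": 0}
    for raw in ldif_text.splitlines():
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "nsslapd-require-secure-binds":
            cfg["require_secure_binds"] = value.lower() == "on"
        elif attr == "nsslapd-minssf":
            cfg["min_ssf"] = int(value)
    return cfg


@dataclass
class Connection:
    # Security strength factor of the transport: 0 for plain LDAP, the
    # negotiated cipher strength once TLS (LDAPS or startTLS) is up.
    ssf: int = 0


def is_anonymous_bind(dn, password):
    # Assumption used here: "anonymous" means no DN and no password, i.e.
    # nothing secret crosses the wire, which is what the switch protects.
    return dn == "" and password == ""


def check_operation(cfg, conn, op, dn="", password="", oid=None, negotiated_ssf=0):
    """Decide whether the server lets `op` proceed on `conn`.

    op is one of "simple_bind", "extended", "search".  A startTLS extended
    operation that succeeds raises conn.ssf to negotiated_ssf.
    Returns an LDAP result code.
    """
    # startTLS is the one thing always permitted on a plaintext connection;
    # otherwise a client could never reach the minimum SSF.
    if op == "extended" and oid == START_TLS_OID:
        conn.ssf = negotiated_ssf
        return LDAP_SUCCESS

    # Minimum-SSF gate: every other operation, anonymous binds included,
    # waits until the transport is strong enough.
    if conn.ssf < cfg["min_ssf"]:
        return LDAP_CONFIDENTIALITY_REQUIRED

    # Require-secure-binds gate: a simple bind carrying credentials must
    # not travel in clear text; anonymous binds are let through.
    if (op == "simple_bind" and cfg["require_secure_binds"]
            and conn.ssf == 0 and not is_anonymous_bind(dn, password)):
        return LDAP_CONFIDENTIALITY_REQUIRED

    return LDAP_SUCCESS


# Constructed cn=config fragments for the two policies discussed.
SECURE_BINDS_ONLY = "dn: cn=config\nnsslapd-require-secure-binds: on\n"
MIN_SSF_128 = "dn: cn=config\nnsslapd-require-secure-binds: on\nnsslapd-minssf: 128\n"
ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed test identity


def run_scenarios():
    """Walk a client through both policies; returns the result codes."""
    results = {}

    cfg = parse_config(SECURE_BINDS_ONLY)
    conn = Connection()
    results["anon_plain"] = check_operation(cfg, conn, "simple_bind")
    results["alice_plain"] = check_operation(cfg, conn, "simple_bind", dn=ALICE, password="s3cret")
    check_operation(cfg, conn, "extended", oid=START_TLS_OID, negotiated_ssf=128)
    results["alice_tls"] = check_operation(cfg, conn, "simple_bind", dn=ALICE, password="s3cret")

    cfg = parse_config(MIN_SSF_128)
    conn = Connection()
    results["search_plain"] = check_operation(cfg, conn, "search")
    results["anon_plain_minssf"] = check_operation(cfg, conn, "simple_bind")
    results["starttls_plain"] = check_operation(cfg, conn, "extended", oid=START_TLS_OID, negotiated_ssf=128)
    results["search_tls"] = check_operation(cfg, conn, "search")
    weak = Connection(ssf=56)   # e.g. a weak cipher suite was negotiated
    results["search_weak_tls"] = check_operation(cfg, weak, "search")
    return results


if __name__ == "__main__":
    for name, code in run_scenarios().items():
        print(f"{name:20s} -> {'success' if code == LDAP_SUCCESS else 'confidentialityRequired'}")
```

Note the ordering of the two checks: the minimum-SSF gate runs first and is transport-based, so with it configured even an anonymous bind on plain LDAP is refused, whereas the require-secure-binds switch alone only looks at whether credentials are present in the bind.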