[Fedora-directory-users] mandating SSL-only connections

[Richard Megginson]

Susan wrote:

>--- Richard Megginson <rmeggins at redhat.com> wrote:
>
>  
>
>>the openldap ldapsearch -Z does startTLS, which tries to startup a 
>>secure connection using the non-secure port - basically, so you can have 
>>ldap listen only to 389 and have SSL/TLS on that port. So then you may 
>>ask "Ok, that's fine, but how do I disable non-secure connections on 
>>389?" I'm not sure how you can do that at the connection level, but at 
>>the entry level you can set ACIs to allow access only if using SSL/TLS.
>>    
>>
>
>Can you give me an example, please? ldapsearch aside, even though SSL is enabled on the server,
>everything (including the password) is being transmitted clear text -- I can see it in ethereal
>when I try to ssh to an ldap client.
>  
>
If you are using ldapsearch -ZZ:
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If
you use -ZZ, the command will require the operation to be suc-
cessful.
And if it is successful, the connection should be encrypted from that 
point on, and you should not see any clear text. You can verify this by 
looking at the access log for the directory server - the connection and 
bind information should tell if the startTLS operation was successful.

>
>		
>__________________________________________ 
>Yahoo! DSL – Something to write home about. 
>Just $16.99/mo. or less. 
>dsl.yahoo.com 
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060105/4c0e9167/attachment.bin>