[Fedora-directory-users] Setting up clients for ssl only?

Richard Megginson rmeggins at redhat.com
Mon Sep 17 14:09:06 UTC 2007


Steven Jones wrote:
> 8><----
>
> Uh.....this means not a thing....where and how is it set? 
>
> On the server? Client? Ie What and where is dse.ldif?
>   
Sorry, I assumed a level of familiarity with the product that I should 
not have.

The file /opt/fedora-ds/slapd-instance/config/dse.ldif is the main 
server configuration file.  This file is in LDIF format.  The 
configuration is broken up into LDIF/LDAP entries.  Each entry begins 
with a line like this:
dn: <entry DN>
Where <entry DN> is the distinguished name (DN) of the configuration 
entry.  Each entry ends with a blank line (e.g. in perl this matches 
/^$/).  The main configuration entry is cn=config - it begins in the 
file dse.ldif with the line
dn: cn=config
In this entry is an attribute named nsslapd-port which by default has a 
value of 389 e.g.
nsslapd-port: 389
Some default values are not written to dse.ldif.  This one might not be, 
not sure.

If you set this value to 0, the server will not listen for non-secure 
connections.  In order to change this value, you must first shut down the 
server.  Then, using a text editor, edit the file, and change 389 to 0.  
If the attribute is not present in the entry, add it as the last line in 
the entry - make sure there are no empty lines before this one, and make 
sure there is a single empty line after it, before the start of the next 
entry.

Finally, I'll note that in one of your previous configurations that you 
posted, you have set it to use start_tls.  If you want to use LDAP 
startTLS, _you must use the non-secure LDAP port_.  Which means you 
cannot set it to 0.  Fedora DS currently has no way to force all 
connections to first use the startTLS command.  So if you use startTLS, 
there is no way to force all connections to use TLS/SSL.
>   
>> Steven Jones wrote:
>> Is there a way to force clients to only connect via ssl?
>>   
>>     
> You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.
>
> 8><----
>
> regards
>
> Steven 
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
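As an added example (not part of the original thread), the edit described in the reply above done in Python: split dse.ldif on blank lines, find the cn=config entry by its dn: line, and set nsslapd-port to 0, appending it as the entry's last line when the default was never written out. The sample LDIF below is constructed; as the reply notes, this only makes sense when clients connect over SSL rather than startTLS.

```python
"""Set nsslapd-port: 0 in the cn=config entry of a dse.ldif (added example;
the sample LDIF is constructed, not a real server's file)."""
import re

PORT_RE = re.compile(r"^nsslapd-port:\s*(\d+)\s*$", re.IGNORECASE)

# Constructed sample: entries separated by one blank line, as in dse.ldif.
SAMPLE = """dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-securePort: 636

dn: cn=encryption,cn=config
cn: encryption
"""

def _is_entry(lines, dn):  # the dn: line names the entry; DNs are case-insensitive
    return any(l.startswith("dn:") and l[3:].strip().lower() == dn.lower() for l in lines)

def get_port(ldif_text: str, target_dn: str = "cn=config") -> "int | None":
    """nsslapd-port of target_dn, or None if the default was never written."""
    for entry in ldif_text.split("\n\n"):  # one blank line ends an entry
        lines = entry.split("\n")
        if _is_entry(lines, target_dn):
            for line in lines:
                if m := PORT_RE.match(line):
                    return int(m.group(1))
    return None

def set_port_zero(ldif_text: str, target_dn: str = "cn=config") -> str:
    """Return the LDIF with nsslapd-port: 0 in target_dn; other entries untouched.
    Apply only to a stopped server, and not if clients rely on startTLS."""
    out = []
    for entry in ldif_text.split("\n\n"):
        lines = entry.split("\n")
        if _is_entry(lines, target_dn):
            hits = [i for i, l in enumerate(lines) if PORT_RE.match(l)]
            for i in hits:
                lines[i] = "nsslapd-port: 0"
            if not hits:
                # Absent: append as the entry's last line with no empty line
                # before it; the "\n\n" join restores the single separator.
                trailing = lines[-1] == ""
                while lines and lines[-1] == "":
                    lines.pop()
                lines.append("nsslapd-port: 0")
                if trailing:
                    lines.append("")
        out.append("\n".join(lines))
    return "\n\n".join(out)
```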
