[Fedora-directory-users] enforcing ssl
Rich Megginson
rmeggins at redhat.com
Wed Nov 5 16:19:05 UTC 2008
Graham Seaman wrote:
> Hi,
>
> I'm trying to set up Fedora DS to be accessible only with SSL. My DS
> is on a standalone remote server, with most ports firewalled. If I
> open ports 389 and 636, I can run ldapsearch ok using SSL (the access
> log shows 'SSL connection.. using 256-bit AES') but I can also choose
> not to use SSL and still make queries. If I close port 389, I can't
> connect to the server with or without SSL - I just get
> 'ldap_start_tls: Can't contact LDAP server (-1)'. This is even if I
> explicitly specify port 636, not just relying on the '-Z' flag for
> ldapsearch.
>
> Is it possible to close down non-SSL access? (I am not using the admin
> server, so this needs to be through manual configuration)
No. There is no way to say "connections on port 389 must use
startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all
ldap traffic and rely solely on ldaps (636), but that will not work with
clients that expect startTLS.
>
> Thanks for any advice
>
> Graham
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
More information about the Fedora-directory-users
mailing list