[389-devel] [PATCH] Add require secure binds switch.
Nathan Kinder
nkinder at redhat.com
Tue May 26 21:48:26 UTC 2009
Nathan Kinder wrote:
> Andrey Ivanov wrote:
>>
>> Does it mean that when "nsslapd-require-secure-binds" is "on" then
>> even the anonymous binds should be made by SSL? Maybe there is some
>> sense in leaving a possibility to have anonymous binds non-SSL and
>> forcing non-anonymous ones to be secure?
> Sorry for the late response, but I was on vacation the last week.
>
> The current patch does force all simple binds, including anonymous, to
> use a secure connection. I can see value in allowing anonymous simple
> binds over an unencrypted connection, as the main reason for this new
> setting is to prevent clear text transmission of passwords. I will
> revise the patch to ignore anonymous binds when
> nsslapd-require-secure-binds is on unless anyone else has arguments
> otherwise.
A new patch with the above change is attached.
>
> There are a number of other security related configuration settings
> that I plan to add soon, which will provide other ways of dealing with
> restricting anonymous operations. One of these features is a switch
> to disable any anonymous operations completely. Another is to have a
> minimum SSF setting on the server. The only operation we would allow
> after first connecting over plain LDAP would be startTLS. If the SSF
> then meets the minimum requirement, other operations would be allowed.
>>
>> 2009/5/15 Rich Megginson <rmeggins at redhat.com>
>>
>> Nathan Kinder wrote:
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-devel mailing list
>> Fedora-directory-devel at redhat.com
>> <mailto:Fedora-directory-devel at redhat.com>
>> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>>
>> Looks good.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-require-secure-binds-switch.patch
URL: <http://listman.redhat.com/archives/fedora-directory-devel/attachments/20090526/75231329/attachment.ksh>
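The policy discussed in this thread, modeled as an added example that is not code from the attached patch or from the 389 project: simple binds need a secure connection unless they are anonymous, and the planned minimum-SSF setting lets only startTLS through until the connection is strong enough. All type and function names are hypothetical, and treating SSF 0 as "clear text" and a DN with an empty password as non-anonymous are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout; this models the thread, not the patch. */
enum op_type { OP_BIND_SIMPLE, OP_BIND_SASL, OP_STARTTLS, OP_OTHER };
enum verdict { ALLOW, DENY_NEED_SECURE_BIND, DENY_BELOW_MIN_SSF };

struct policy {
    bool require_secure_binds; /* models nsslapd-require-secure-binds */
    int min_ssf;               /* models the planned minimum SSF; 0 = off */
};

struct request {
    enum op_type op;
    const char *dn;       /* bind DN; NULL or "" when absent */
    const char *password; /* simple bind password; NULL or "" when absent */
    int conn_ssf;         /* assumption: 0 means a clear-text connection */
};

static bool is_empty(const char *s) { return s == NULL || s[0] == '\0'; }

/* Anonymous simple bind: zero-length DN and zero-length password. */
static bool is_anonymous(const struct request *r)
{
    return is_empty(r->dn) && is_empty(r->password);
}

enum verdict check_request(const struct policy *p, const struct request *r)
{
    /* Minimum SSF gate: below the minimum, only startTLS may proceed. */
    if (r->conn_ssf < p->min_ssf && r->op != OP_STARTTLS)
        return DENY_BELOW_MIN_SSF;
    /* Secure binds: refuse only non-anonymous simple binds in clear text.
       A DN with an empty password is not anonymous here and is refused. */
    if (p->require_secure_binds && r->op == OP_BIND_SIMPLE &&
        r->conn_ssf == 0 && !is_anonymous(r))
        return DENY_NEED_SECURE_BIND;
    return ALLOW;
}

int main(void)
{
    struct policy p = { true, 0 };
    /* Constructed sample requests on a clear-text connection. */
    struct request named = { OP_BIND_SIMPLE, "uid=demo,dc=example,dc=com", "secret", 0 };
    struct request anon = { OP_BIND_SIMPLE, "", "", 0 };
    printf("named=%d anon=%d\n", check_request(&p, &named), check_request(&p, &anon));
    return 0;
}
```

With only the secure-binds switch on, an anonymous bind in clear text is still allowed; once a minimum SSF is also set, that same bind is refused until startTLS has raised the connection's SSF.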