[389-devel] [PATCH] Add require secure binds switch.

Nathan Kinder nkinder at redhat.com
Tue May 26 21:48:26 UTC 2009


Nathan Kinder wrote:
> Andrey Ivanov wrote:
>>
>> Does it mean that when "nsslapd-require-secure-binds" is "on" then 
>> even the anonymous binds should be made by SSL? Maybe there is some 
>> sense in leaving a possibility to have anonymous binds non-SSL and 
>> forcing non-anonymous ones to be secure?
> Sorry for the late response, but I was on vacation the last week.
>
> The current patch does force all simple binds, including anonymous, to 
> use a secure connection.  I can see value in allowing anonymous simple 
> binds over an unencrypted connection, as the main reason for this new 
> setting is to prevent clear text transmission of passwords.  I will 
> revise the patch to ignore anonymous binds when 
> nsslapd-require-secure-binds is on unless anyone else has arguments 
> otherwise.
A new patch with the above change is attached.
>
> There are a number of other security related configuration settings 
> that I plan to add soon, which will provide other ways of dealing with 
> restricting anonymous operations.  One of these features is a switch 
> to disable any anonymous operations completely.  Another is to have a 
> minimum SSF setting on the server.  The only operation we would allow 
> after first connecting over plain LDAP would be startTLS.  If the SSF 
> then meets the minimum requirement, other operations would be allowed.
>>
>> 2009/5/15 Rich Megginson <rmeggins at redhat.com 
>> <mailto:rmeggins at redhat.com>>
>>
>>     Nathan Kinder wrote:
>>
>>         --
>>         Fedora-directory-devel mailing list
>>         Fedora-directory-devel at redhat.com
>>         <mailto:Fedora-directory-devel at redhat.com>
>>         https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>>
>>     Looks good.
>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-require-secure-binds-switch.patch
URL: <http://listman.redhat.com/archives/fedora-directory-devel/attachments/20090526/75231329/attachment.ksh>
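The policy described in the thread, as an added example in C that is not the attached patch and not 389 Directory Server code: a simple bind with a password is refused on an unprotected connection when the require-secure-binds switch is on, an anonymous simple bind (empty DN and empty password, so no secret crosses the wire) is exempt as in the revised patch, and the proposed minimum-SSF floor lets nothing but startTLS through until the connection's SSF meets it. The function and enum names, the choice of LDAP result codes, and the decision to treat an unauthenticated bind (DN present, empty password) as non-anonymous are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model of the two settings discussed in the thread.  This is example
 * code, not the attached patch or the server's implementation; every name
 * and result-code choice below is an assumption of the example.
 *   require_secure_binds : the nsslapd-require-secure-binds switch, with the
 *                          revised-patch behaviour that anonymous binds are exempt
 *   min_ssf              : the proposed minimum-SSF floor; 0 means "not enforced"
 */

typedef enum { OP_BIND_SIMPLE, OP_STARTTLS, OP_SEARCH, OP_MODIFY } op_type;

typedef enum {
    ALLOW = 0,
    DENY_CONFIDENTIALITY_REQUIRED = 13, /* LDAP resultCode confidentialityRequired (RFC 4511) */
    DENY_STRONGER_AUTH_REQUIRED = 8     /* LDAP resultCode strongerAuthRequired (RFC 4511) */
} verdict;

static bool empty(const char *s) { return s == NULL || s[0] == '\0'; }

/* Anonymous simple bind: empty DN *and* empty password, so nothing secret is
 * transmitted.  An unauthenticated bind (DN present, empty password; RFC 4513
 * section 5.1.2) is deliberately NOT exempted here; that is this example's
 * conservative assumption, not something the thread specifies. */
static bool is_anonymous_simple_bind(const char *dn, const char *pw)
{
    return empty(dn) && empty(pw);
}

/* The require-secure-binds check for one simple bind request. "tls" is true
 * when the connection is protected by SSL or a completed startTLS. */
static verdict check_simple_bind(bool require_secure_binds, bool tls,
                                 const char *dn, const char *pw)
{
    if (!require_secure_binds)            return ALLOW;
    if (is_anonymous_simple_bind(dn, pw)) return ALLOW; /* no password to leak */
    if (tls)                              return ALLOW; /* password travels encrypted */
    return DENY_CONFIDENTIALITY_REQUIRED;               /* clear-text password refused */
}

/* Combined decision: the minimum-SSF gate runs first (only startTLS may proceed
 * while the connection's SSF is below the floor), then the bind check. */
verdict decide(bool require_secure_binds, unsigned min_ssf,
               bool tls, unsigned ssf, op_type op,
               const char *dn, const char *pw)
{
    if (min_ssf > 0 && ssf < min_ssf && op != OP_STARTTLS)
        return DENY_STRONGER_AUTH_REQUIRED;
    if (op == OP_BIND_SIMPLE)
        return check_simple_bind(require_secure_binds, tls, dn, pw);
    return ALLOW;
}

const char *verdict_name(verdict v)
{
    switch (v) {
    case ALLOW:                        return "allow";
    case DENY_CONFIDENTIALITY_REQUIRED: return "confidentialityRequired(13)";
    case DENY_STRONGER_AUTH_REQUIRED:   return "strongerAuthRequired(8)";
    }
    return "?";
}

int main(void)
{
    /* Constructed scenarios; SSF 0 = plain LDAP, 128/256 = TLS cipher strength. */
    const char *dn = "uid=alice,dc=example,dc=com";
    struct {
        const char *label; bool rsb; unsigned min_ssf; bool tls; unsigned ssf;
        op_type op; const char *dn, *pw;
    } cases[] = {
        {"switch off, plain, password bind",        false, 0,   false, 0,   OP_BIND_SIMPLE, dn,   "hunter2"},
        {"switch on, plain, password bind",         true,  0,   false, 0,   OP_BIND_SIMPLE, dn,   "hunter2"},
        {"switch on, plain, anonymous bind",        true,  0,   false, 0,   OP_BIND_SIMPLE, "",   ""},
        {"switch on, plain, unauthenticated bind",  true,  0,   false, 0,   OP_BIND_SIMPLE, dn,   ""},
        {"switch on, TLS, password bind",           true,  0,   true,  128, OP_BIND_SIMPLE, dn,   "hunter2"},
        {"min SSF 128, plain, search",              true,  128, false, 0,   OP_SEARCH,      NULL, NULL},
        {"min SSF 128, plain, startTLS",            true,  128, false, 0,   OP_STARTTLS,    NULL, NULL},
        {"min SSF 256, TLS at 128, modify",         true,  256, true,  128, OP_MODIFY,      NULL, NULL},
        {"min SSF 128, plain, anonymous bind",      true,  128, false, 0,   OP_BIND_SIMPLE, "",   ""},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        verdict v = decide(cases[i].rsb, cases[i].min_ssf, cases[i].tls, cases[i].ssf,
                           cases[i].op, cases[i].dn, cases[i].pw);
        printf("%-42s -> %s\n", cases[i].label, verdict_name(v));
    }
    return 0;
}
```

The last scenario is the one worth noticing: the minimum-SSF floor, once it exists, overrides the anonymous exemption of the bind switch, because an anonymous bind is still a non-startTLS operation on a connection below the floor. Whether that is the wanted behaviour is exactly the kind of question the two settings' interaction raises.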

