[Fedora-directory-users] enforcing ssl
Rich Megginson
rmeggins at redhat.com
Thu Nov 6 14:30:04 UTC 2008
Graham Seaman wrote:
> Rich Megginson wrote:
>> Graham Seaman wrote:
>>> Is it possible to close down non-SSL access? (I am not using the
>>> admin server, so this needs to be through manual configuration)
>> No. There is no way to say "connections on port 389 must use
>> startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all
>> ldap traffic and rely solely on ldaps (636), but that will not work
>> with clients that expect startTLS.
>
> I seem to be misunderstanding the general security model around ldap
> directory connections. I read in the wikipedia article on ldap that
> use of both ldaps and port 663 are deprecated.
That is correct - however, there are many, many clients that still
support ldaps, many of which also do not support startTLS.
> Are there any pages on the Fedora DS wiki or elsewhere that describe
> good practice for safe connections?
It really depends on the client. If the client supports startTLS, I
encourage you to use it.
>
> Graham
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
More information about the Fedora-directory-users
mailing list