Robert Henjes henjes@informatik.uni-wuerzburg.de writes:
Sorry for reopening / reasking the following issue.
I tried to scan through all posts, but this answer seemed to be the closest one to my problem. (We're using OpenLDAP 2.4 on Debian Lenny)
[...]
Situation: For deployment we want to use TLS client certificates as far as possible, using TLS encryption all the way.
Problem: Apache Directory Studio, as well as JXplorer, do not support (TLS) client certificate verification, which is agreed not to be a topic of OpenLDAP. But anyway...
Why do you use these broken clients at all? There are administration clients that do support TLS and StartTLS and most of the extended operations.
My proposed solution:
* All clients which support client certificate verification should directly connect to the LDAP server using TLS.
* All clients, esp. the management tools, should establish an SSH tunnel to the server and connect through the localhost entity.
* (optional) Specific clients should be able to connect via specific access rules (but this is a future topic ;) )
[...]
# Security considerations (TESTING!!!!)
# http://www.openldap.org/lists/openldap-software/200409/msg00535.html

# access from 127.0.0.1 without encryption
access to dn.subtree="dc=example,dc=com"
    by peername.ip=127.0.0.1 write
    by * none break

# worldwide access requires tls encryption
access to dn.subtree="dc=example,dc=com"
    by ssf=128 write
    by * none
If your question is only related to unencrypted connections from localhost, why don't you connect via a local socket only? That is, via ldapi:///
-Dieter
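As an added example (not from this thread, and not the poster's configuration), here is how the quoted ACL could be reworked around the ldapi:/// suggestion, in slapd.conf syntax matching the quoted fragment. The socket path and the choice of 128 as the local SSF are assumptions; slapd must also be started with a listener list such as `-h "ldaps:/// ldapi:///"`.

```conf
# slapd.conf fragment (added example, not from the thread)
# Assumed listeners: slapd -h "ldaps:/// ldapi:///"
# Assumed socket path: Debian's default is /var/run/slapd/ldapi

# Global floor: every operation needs at least 128 bits of transport
# protection, so no client anywhere can talk to the directory in the clear.
security ssf=128

# Sessions over the ldapi:// UNIX socket never leave the host, so give them
# a local SSF high enough to satisfy the floor above. The default (71) would
# leave ldapi clients below the bar and they would be refused.
localSSF 128

# One rule now covers both paths: TLS clients and ldapi clients both arrive
# with ssf >= 128. The earlier "peername.ip=127.0.0.1 write" exception for
# plain-text loopback connections is no longer needed and no longer works.
access to dn.subtree="dc=example,dc=com"
    by ssf=128 write
    by * none

# Optional tighter variant: only the local socket may write, TLS clients
# from the network are limited to reading (assumed socket path).
# access to dn.subtree="dc=example,dc=com"
#     by peername.path="/var/run/slapd/ldapi" ssf=128 write
#     by ssf=128 read
#     by * none
```

With this in place a management tool running on the server host (or reaching it through the SSH tunnel described above) can use `ldapsearch -H ldapi:/// -Y EXTERNAL`, which authenticates from the socket's peer credentials (the uidNumber/gidNumber of the calling process) without sending a password.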