Andreas Hasenack writes:
> I'm trying to avoid mistakes and configure a server and/or client to force the use of start tls. So, if someone binds to the server and accidentally forgets to configure start_tls on the client, the connection is rejected.
> The problem is that the rejection happens too late: the client password was already sent to the server in clear text.
If you want to ensure it on the server side, all you can do is not listen for ldap:// connections since they start out unencrypted. ldap:// connections have no initial protocol exchange which the server can reject. Instead listen to ldaps://, "LDAP over SSL (aka TLS)".
> I guess what I need is a setting in /etc/openldap/ldap.conf similar to the sasl minssf property, but for non-sasl binds. Is there such a thing? Something that would behave as if -ZZ was always added to the openldap command-line tools.
Yes.
URI ldaps://fully.qualified.server-hostname/
TLS_CACERT <file with the CA-certificate which signed the server cert>
TLS_REQCERT demand
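As an added illustration (example code, not from the thread or from OpenLDAP itself), a small Python audit of a client ldap.conf for the three directives recommended above, flagging any URI that is not ldaps:// because a simple bind over ldap:// puts the password on the wire before STARTTLS could be enforced. The sample configurations and function names are constructed.

```python
# Added example, not from the thread: audit an OpenLDAP client ldap.conf for
# the three directives the reply recommends. Names and samples are constructed.
from urllib.parse import urlsplit

# Constructed sample: a forgotten -ZZ here sends the bind over plain ldap://
WEAK_CONF = """\
BASE dc=example,dc=com
URI ldap://ldap.example.com/ ldaps://ldap.example.com/
TLS_REQCERT allow
"""

# Constructed sample in the shape the reply recommends
HARDENED_CONF = """\
BASE dc=example,dc=com
URI ldaps://ldap.example.com/
TLS_CACERT /etc/openldap/certs/ca.pem
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Map each directive (upper-cased) to its whitespace-separated values."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        values = parts[1].split() if len(parts) > 1 else []
        conf.setdefault(parts[0].upper(), []).extend(values)
    return conf

def audit_ldap_conf(text):
    """Return findings; an empty list means every bind is TLS-wrapped and
    the server certificate is verified against the configured CA."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("URI", [])
    if not uris:
        findings.append("URI unset: tools fall back to ldap://localhost/")
    for uri in uris:
        # ldap:// has no pre-bind exchange the server can refuse, so only ldaps:// passes
        if urlsplit(uri).scheme.lower() != "ldaps":
            findings.append(f"URI {uri}: not ldaps://, the bind can go out in clear text")
    if not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("TLS_CACERT unset: the server certificate cannot be validated")
    reqcert = (conf.get("TLS_REQCERT") or [""])[0].lower()
    if reqcert not in ("demand", "hard"):
        findings.append(f"TLS_REQCERT {reqcert or 'unset'}: use demand so a bad server certificate aborts the bind")
    return findings
```

Running `audit_ldap_conf` over WEAK_CONF reports the plain ldap:// URI, the missing CA file and the permissive TLS_REQCERT; HARDENED_CONF yields no findings.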