At 05:32 PM 1/21/2007, Jean-Yves Avenard wrote:
> Is there a way to have OpenLDAP listening on port 389 (standard ldap) but only accept tls encrypted session?

You can require TLS (SSL) via the slapd.conf(5) security directive. The client can then either use ldap:// (to whatever port(s) you have configured slapd(8) to listen on) and initiate TLS via the Start TLS operation or use ldaps:// (to whatever port(s) you have configured slapd(8) on) and initiate TLS upon connecting. If you want to restrict clients to using just the former or the latter, eliminate one or the other listener.

> I've searched for quite a while and it seems that the only option is to disable listening on port 389 altogether and only listen on port 636.

While ldap:// uses 389 by default and ldaps:// uses 636 by default, one can actually use ldap:// or ldaps:// on any port.

> But this isn't good for my purpose, as some broken clients only work over TLS on port 389.

ldap:// on port 389 and use of Start TLS operation to initiate TLS (SSL) is the standard way of securing LDAP with TLS.
Kurt
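As an added illustration of the security directive Kurt describes (this is not part of the thread; hostnames, certificate paths and the suffix are placeholders), a slapd.conf(5) fragment that keeps the 389 listener but refuses any operation on a session that is not protected by TLS, with the matching client-side check in the comments:

```conf
# Added example, not from the thread. Paths, hostname and suffix are
# placeholders. TLS material slapd presents to clients:
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/ldap.example.com.pem
TLSCertificateKeyFile  /etc/openldap/certs/ldap.example.com.key

# Refuse every operation unless the session is protected by TLS with at
# least 128 bits of strength. slapd exempts the Start TLS extended operation
# itself, so a client may still connect to 389 in the clear and upgrade; it
# just cannot bind, search or modify before doing so. ldaps:// sessions
# satisfy the same requirement because they are TLS from the first byte.
security tls=128

# Which of Kurt's two alternatives clients may use is decided by the listener
# list given to slapd (a command-line option, not a slapd.conf directive):
#   slapd -h "ldap:///"             # port 389 only; clients must Start TLS
#   slapd -h "ldap:/// ldaps:///"   # additionally accept ldaps:// on 636
#
# Verifying from a client with the OpenLDAP tools: -ZZ makes ldapsearch abort
# unless Start TLS succeeds, so a server that does not offer TLS is reported
# as an error instead of the query silently going out in cleartext:
#   ldapsearch -ZZ -x -H ldap://ldap.example.com -b dc=example,dc=com
```

With this in place a cleartext bind on 389 is answered with a confidentiality-required result rather than a successful bind, which is the behaviour the original question asks for.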