--On Monday, January 22, 2007 4:42 PM +1100 Jean-Yves Avenard jyavenard@gmail.com wrote:
Hi
On 1/22/07, Kurt D. Zeilenga Kurt@openldap.org wrote:
You might ask on a list supporting the particular client you are using how to configure this client to secure LDAP with TLS (SSL).
Your previous post actually helped me identify the issue with this client, and I can get it to work now. The problem was (as you suggested) that even though it was using port 636, it would issue a Start TLS call, which on an SSL connection isn't going to work. I've raised a bug with the supplier on this matter.
Using port 636 (SSL) was an LDAP V2 hack, and was never an officially supported operation. TLS over port 389 is part of the LDAP v3 specifications, and is supported. Vendors doing start TLS are actually being LDAP v3 compliant. Vendors doing SSL over 636 are using an old non-standardized way of doing SSL.
As noted by Kurt, you can force connections to use encryption, using the "security" statement. I'm not quite sure why you aren't figuring this out via the slapd.conf man page, it is pretty clear:
security <factors>
    Specify a set of security strength factors (separated by white space) to require (see sasl-secprops's minssf option for a description of security strength factors). The directive may be specified globally and/or per-database.
    ssf=<n> specifies the overall security strength factor.
    transport=<n> specifies the transport security strength factor.
    tls=<n> specifies the TLS security strength factor.
    sasl=<n> specifies the SASL security strength factor.
    update_ssf=<n> specifies the overall security strength factor to require for directory updates.
    update_transport=<n> specifies the transport security strength factor to require for directory updates.
    update_tls=<n> specifies the TLS security strength factor to require for directory updates.
    update_sasl=<n> specifies the SASL security strength factor to require for directory updates.
    simple_bind=<n> specifies the security strength factor required for simple username/password authentication.
    Note that the transport factor is a measure of security provided by the underlying transport, e.g. ldapi:// (and eventually IPSEC). It is not normally used.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
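As an added illustration of the "security" directive quoted above (this fragment is not from the thread and not from any OpenLDAP distribution; the certificate paths are placeholders), a slapd.conf that enables TLS and then refuses simple binds and updates unless the connection is protected:

```conf
# Added example slapd.conf fragment; file paths below are placeholders.
# TLS material slapd presents to clients (StartTLS on ldap://, or ldaps://).
TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/server.pem
TLSCertificateKeyFile   /etc/openldap/certs/server.key

# Global policy: require a security strength factor of 128 for simple
# username/password binds and for directory updates, and 128 overall.
# A TLS session negotiated with a 128-bit (or stronger) cipher satisfies
# this; a cleartext session has ssf=0 and is rejected with LDAP result 13
# (confidentiality required) instead of seeing the password.
security ssf=128 simple_bind=128 update_ssf=128

# Local clients over ldapi:// get their SSF from the transport factor,
# which this policy does not rely on (it is "not normally used").
```

To check the policy from a client that speaks LDAP v3, run ldapsearch with -ZZ (issue StartTLS and fail if it does not succeed) against ldap://; repeating the same search with -x and no -Z should now be refused at bind time, which is the behaviour a StartTLS-capable client, rather than one that sends StartTLS on an already-SSL port 636 connection, will get right.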