On Fri, Aug 22, 2008 at 12:50 PM, Philip Guenther guenther+ldapsoft@sendmail.com wrote:
> Note the *lack* of those EXT/STARTTLS/TLS messages. The client that made that connection didn't use the StartTls operation, so it wasn't using an encrypted connection so...
yes. when i launch the "ldap* -ZZ" from cmd line, it starts TLS as expected.
"all" that's done to generate the above errors is:
service ldap restart
which, iiuc, simply launches slapd. so, per your comment, *specifically* which 'client' is failing to use the StartTLS?
>> security tls=256
> I.e., refuse to do _anything_ unless TLS is negotiated with an SSF of at least 256 (i.e., 256 bit encryption cipher). Is that *really* the requirement you mean to enforce?
the goal is to always/only use TLS with an AES-256 encryption cipher. the hope is that that 'security' directive accomplishes that.
>> disallow tls_2_anon
> Hmm, why do you set that option? Do you know why the default isn't to do that?
the goal is to not allow any anonymous connection/bind/etc.
to the extent that 'man slapd.conf' shares:
    tls_2_anon  disables StartTLS from forcing session to anonymous status (see also tls_authc).
    tls_authc   disables StartTLS if authenticated (see also tls_2_anon).
that seems to be the right choice. afaict, there's no additional documentation on the matter.
and, that description smacks of "read other side" being written on both sides of a postcard ...
> Yes, they're responsible: you told the server "require TLS!" so it's refusing the clients that don't use TLS. I'm surprised it's a question.
YA tired old sarcastic comment. and you were doing so well ...
reading some of your other posts ... knowing so much more than everyone else, you really must get exhausted from being so surprised that people have questions of any kind -- given how everything's so obvious!
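Added example, not from this thread and not OpenLDAP project code: a short Python script that answers the "*specifically* which client?" question from the slapd stats log. slapd logs the peer address on every ACCEPT line and the negotiated SSF on the "TLS established" line, so a log pass per conn= id shows who connected, whether it ever did StartTLS, and whether the cipher it negotiated reaches the SSF that "security tls=256" demands (the TLS SSF is the cipher's key size, so AES-128 gives ssf=128 and is refused under tls=256 just like a cleartext connection). The log lines below are constructed for the demonstration, with the err=13 result text being what slapd returns for LDAP result 13 (confidentialityRequired) when the security directive is not met. The loglevel, conn ids and addresses are assumptions.

```python
import re

# Constructed slapd log excerpt (syslog timestamp/host prefix stripped).
# These lines are made up for this example; they are not from the thread.
# Assumed server config: "security tls=256" in slapd.conf, loglevel stats.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.0.2.10:41234 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1001 fd=13 ACCEPT from IP=127.0.0.1:50112 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="" method=128
conn=1001 op=0 RESULT tag=97 err=13 text=confidentiality required
conn=1002 fd=14 ACCEPT from IP=192.0.2.20:55000 (IP=0.0.0.0:389)
conn=1002 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1002 op=0 STARTTLS
conn=1002 op=0 RESULT oid= err=0 text=
conn=1002 fd=14 TLS established tls_ssf=128 ssf=128
conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=bob)"
conn=1002 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=confidentiality required
"""

# Peer is "IP=addr:port" for TCP listeners or "PATH=/..." for ldapi://.
ACCEPT_RE = re.compile(r"^conn=(\d+) fd=\d+ ACCEPT from (\S+)")
TLS_RE = re.compile(r"^conn=(\d+) fd=\d+ TLS established tls_ssf=\d+ ssf=(\d+)")
# Regular operations that "security tls=N" gates. The StartTLS extended
# operation (EXT oid=1.3.6.1.4.1.1466.20037) is deliberately not matched:
# it is the one request a client legitimately sends in the clear.
OP_RE = re.compile(r"^conn=(\d+) op=\d+ (BIND|SRCH|CMP|ADD|MOD|MODRDN|DEL)\b")


def audit_connections(log_text, required_ssf):
    """Return {conn_id: {"peer", "ssf", "cleartext_ops", "verdict"}}.

    verdict is "ok", "no starttls" (operations sent before any TLS
    handshake), "weak tls" (TLS negotiated but ssf < required_ssf), or
    "idle" (connected, never sent an operation, never did StartTLS).
    """
    conns = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            conns[m.group(1)] = {"peer": m.group(2), "ssf": 0, "cleartext_ops": 0}
            continue
        m = TLS_RE.match(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["ssf"] = int(m.group(2))
            continue
        m = OP_RE.match(line)
        if m and m.group(1) in conns and conns[m.group(1)]["ssf"] == 0:
            conns[m.group(1)]["cleartext_ops"] += 1
    for c in conns.values():
        if c["cleartext_ops"]:
            c["verdict"] = "no starttls"
        elif c["ssf"] == 0:
            c["verdict"] = "idle"
        elif c["ssf"] < required_ssf:
            c["verdict"] = "weak tls"
        else:
            c["verdict"] = "ok"
    return conns


def offenders(log_text, required_ssf):
    """Connections that would be refused under 'security tls=<required_ssf>'."""
    return sorted(
        (cid, c["peer"], c["verdict"])
        for cid, c in audit_connections(log_text, required_ssf).items()
        if c["verdict"] in ("no starttls", "weak tls")
    )


if __name__ == "__main__":
    for cid, peer, verdict in offenders(SAMPLE_LOG, 256):
        print(f"conn={cid} {peer}: {verdict}")
```

Run it over the real slapd log from around the "service ldap restart" and the peer column names the client: a 127.0.0.1 or PATH= peer that binds without StartTLS right after startup is a local tool, not a remote user. The same refusal can be reproduced by hand with ldapsearch against the server without -Z (or with -Z and a client-side TLSCipherSuite limited to AES-128), which should fail with "Confidentiality required (13)" under tls=256.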