On Wednesday, 4 July 2007, Andreas Hasenack wrote:
On Wed, Jul 04, 2007 at 05:53:24PM +0200, Hallvard B Furuseth wrote:
The problem is that the rejection happens too late: the client password was already sent to the server in clear text.
If you want to ensure it on the server side, all you can do is not listen for ldap:// connections since they start out unencrypted. ldap:// connections have no initial protocol exchange which the server can reject. Instead listen to ldaps://, "LDAP over SSL (aka TLS)".
I guess what I need is a setting in /etc/openldap/ldap.conf similar to the sasl minssf property, but for non-sasl binds. Is there such a thing? Something that would behave as if -ZZ was always added to the openldap command-line tools.
Yes.
URI ldaps://fully.qualified.server-hostname/
TLS_CACERT <file with the CA-certificate which signed the server cert>
TLS_REQCERT demand
The only problem is that I really want start_tls, and not ldaps (which is deprecated, right?).
IMHO, a non-working solution (e.g. where encryption can't be forced from the client side) cannot be the only alternative for a feature supposedly deprecated (ldaps, where it is possible).
At a minimum, there should be some way to force start_tls for OpenLDAP client utilities before claiming a feature is deprecated.
(Yes, this has been irritating me for a long time too ...).
Regards, Buchan
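An added illustration of the point made in the thread (not code from the thread or from OpenLDAP): on a plain ldap:// connection the first thing a simple bind puts on the wire is an LDAPMessage carrying the DN and the password as an OCTET STRING, so a server that refuses the bind has already seen the password, and so has anyone on the path. With -ZZ the client instead sends the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) first and only binds once TLS is up. The encoder below is a minimal BER writer for just those two LDAPMessage forms from RFC 4511; the DN and password are made-up sample values.

```python
"""
Minimal BER encoder for the two LDAPMessages involved in the ldap://
versus -ZZ discussion (RFC 4511): a simple BindRequest and the
StartTLS ExtendedRequest.  Sample DN and password are constructed.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511


def ber_len(n: int) -> bytes:
    # Definite-length encoding: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    # One tag/length/value triple.
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    # Minimal two's-complement INTEGER, enough for message IDs and versions.
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    return tlv(0x30, ber_int(msg_id) + protocol_op)


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # BindRequest ::= [APPLICATION 0] SEQUENCE {
    #     version INTEGER, name LDAPDN, authentication simple [0] OCTET STRING }
    # The password is a plain OCTET STRING with context tag [0] (0x80).
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))


def starttls_request(msg_id: int) -> bytes:
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    # APPLICATION 23, constructed, is tag byte 0x77; no requestValue for StartTLS.
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def password_on_wire(frame: bytes, password: str) -> bool:
    # True if the password bytes appear verbatim in the cleartext frame.
    return password.encode() in frame


def client_opening_frames(dn: str, password: str, force_starttls: bool) -> list:
    # What an ldap:// client sends before any TLS handshake.  With -ZZ the
    # only cleartext LDAPMessage is the StartTLS request; without it the
    # bind (and the password) goes out in the clear immediately.
    if force_starttls:
        return [starttls_request(1)]
    return [simple_bind_request(1, dn, password)]


if __name__ == "__main__":
    dn, pw = "cn=admin,dc=example,dc=com", "s3cret"   # constructed sample values
    for label, zz in (("ldap:// without -ZZ", False), ("ldap:// with -ZZ", True)):
        frame = client_opening_frames(dn, pw, zz)[0]
        print(f"{label}: first frame = {frame.hex()}")
        print(f"  password visible in cleartext: {password_on_wire(frame, pw)}")
```

The frame without -ZZ is what a server-side "reject unencrypted binds" rule would inspect, which is exactly why rejecting there does not protect the password; the StartTLS frame is the only one a client forced to -ZZ ever sends before the handshake.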