----- Original Message -----
From: "Chuck Lever" chuck.lever@oracle.com
To: "Wiebe Cazemier" wiebe@halfgaar.net
Cc: openldap-technical@openldap.org
Sent: Friday, 21 December, 2012 4:39:21 PM
Subject: Re: Forcing TLS encryption
...
I added an olcSecurity attribute to the database directives for the parts of the server's DIT where I wish to require TLS. To start with I set the value "tls=1".
See also:
http://itsecureadmin.com/tag/openldap/
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
I got it to work (connection won't be allowed without TLS), but I can still capture the password with tcpdump. To elaborate:
I successfully set tls=1 with:
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
When I do an ldapsearch now, it says TLS is required:
$ ldapsearch ldapsearch -Hldap://myhost:389 -D"uid=user,ou=people,dc=domain,dc=com" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required
However, when I capture the traffic with tcpdump, I can still see the password being sent. With FTP requiring TLS, the server rejects the connection after the login command, so you don't get the chance to send your password. Is there a way to do that here too?
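The reason the server-side tls=1 cannot keep the password off the wire is visible in the protocol itself: an LDAP simple BindRequest carries the password, and the client sends it before the server gets a chance to answer with result 13. The parser below is an added example, not code from either poster; it walks a constructed client-to-server byte stream, reports simple binds seen in the clear (DN and credential length only), and stops at a StartTLS ExtendedRequest, which is what a client that forces StartTLS (ldapsearch -ZZ) sends before binding, since everything after that is encrypted. The function names and sample bytes are assumptions.

```python
"""Flag LDAP simple binds visible in a cleartext client->server capture.
Added example for this thread, not the posters' code; sample bytes are
constructed and the password is a placeholder."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def tlv(tag, value):
    """BER-encode one TLV (short-form length, value < 128 bytes)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode the BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cleartext_simple_binds(stream):
    """Return (bind DN, credential length) for each simple bind sent in the clear.
    Parsing stops at a StartTLS ExtendedRequest, since everything after it is
    TLS; a server's 'confidentiality required' reply cannot recall a bind already sent."""
    findings, pos = [], 0
    while pos < len(stream):
        tag, body, pos = read_tlv(stream, pos)   # LDAPMessage ::= SEQUENCE
        if tag != 0x30:
            raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
        _, _, p = read_tlv(body, 0)              # messageID INTEGER
        op_tag, op, _ = read_tlv(body, p)        # protocolOp CHOICE
        if op_tag == 0x77:                       # [APPLICATION 23] ExtendedRequest
            name_tag, name, _ = read_tlv(op, 0)  # requestName [0] LDAPOID
            if name_tag == 0x80 and name == STARTTLS_OID:
                break                            # encrypted from here on
        elif op_tag == 0x60:                     # [APPLICATION 0] BindRequest
            _, _, p = read_tlv(op, 0)            # version INTEGER
            _, dn, p = read_tlv(op, p)           # name LDAPDN
            auth_tag, cred, _ = read_tlv(op, p)  # authentication CHOICE
            if auth_tag == 0x80:                 # [0] simple: plaintext OCTET STRING
                findings.append((dn.decode(), len(cred)))
    return findings

# Constructed: the bind a client sends to ldap://host:389 before any server reply.
SAMPLE_DN = b"uid=user,ou=people,dc=domain,dc=com"
PLAIN_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, SAMPLE_DN) + tlv(0x80, b"placeholder-pw")))
# Constructed: StartTLS first (ldapsearch -ZZ); trailing bytes stand in for a TLS record.
STARTTLS_FIRST = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x77, tlv(0x80, STARTTLS_OID))) \
    + b"\x16\x03\x01\x00\x05hello"
```

Run over the first sample it reports the bind DN with a 14-byte credential in the clear; over the second it reports nothing, because the bind only happens inside the TLS session.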