Is it possible to configure the server to reject requests on non-secure connections with the exception of the StartTLS extended request? In other words, when an LDAP client connects on the clear-text port, can the server be configured to reject all requests on that connection except for the StartTLS extended request in order to prevent clients from transmitting data in the clear?
Terry Gardner wrote:
> can the server be configured to reject all requests on that connection except for the StartTLS extended request in order to prevent clients from transmitting data in the clear?
Watch out for the configuration directives 'security' and 'sasl-secprops'. You might want to set TLSCipherSuite to prevent a client from using a weak cipher or crypto protocol.
But strictly speaking nothing prevents a misconfigured client from sending clear-text credentials over the wire. Refusing to process them only gives a strong hint that this is not the desired behaviour...
Ciao, Michael.
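An added example slapd.conf fragment putting the directives Michael names together; it is not code from the thread, and the strength values and cipher string are illustrative (the TLSCipherSuite syntax shown assumes an OpenSSL build):

```conf
# Added example, not from the thread. Numbers and cipher string are
# illustrative and should be chosen to match the site's TLS policy.

# Reject every operation on a connection that has less than 128 bits of
# security strength. slapd exempts the StartTLS extended request from this
# check, so a client on the clear-text port can still upgrade the session
# but cannot search, modify, or bind before doing so (it receives
# confidentialityRequired instead). simple_bind=128 additionally refuses
# simple binds unless the session is already protected.
security ssf=128 simple_bind=128

# Only accept strong protocol versions and ciphers for the upgraded session.
# 3.3 = TLS 1.2 in slapd's major.minor notation; OpenSSL cipher-string syntax.
TLSProtocolMin 3.3
TLSCipherSuite HIGH:!aNULL:!MD5:!RC4

# Refuse SASL mechanisms that would transmit plaintext credentials
# (e.g. PLAIN, LOGIN) and anonymous mechanisms.
sasl-secprops noplain,noanonymous
```

With cn=config the same settings go into olcSecurity, olcTLSProtocolMin, olcTLSCipherSuite and olcSaslSecProps on the cn=config entry; as Michael notes, this refuses the operation but cannot stop a client that has already sent its password in the clear.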
openldap-technical@openldap.org