On 25/02/16 16:33, s_humbi wrote:
> Hello, does anybody know if there is a way to force the ldap-client to use
> StartTLS? I don't want to offer our ldap-clients an insecure way to talk with
> our LDAP-Server.
> Yes, I can disable the default port 389 and only enable the SSL port 636. But
> it is written in the DS documentation: "**LDAPS** is considered as
> deprecated. You should always favor startTLS instead."
> And I also need the port 389 (with StartTLS) for replication, so I cannot
> disable it.
> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But the
> users can still connect without TLS.
> I found this interesting paper:
> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf --> see
> caption: "The correct and standard approach is to start LDAP without
> encryption and then negotiate the TLS security layer. If necessary, the
> server can be configured to refuse all operations other than 'Start TLS'
> until TLS is in place"
>
> Is this possible with Apache DS?
> Many thanks for helping... Humbi
>
>
>

No, sorry, we can't enforce that atm. At least, there is no way to do that through configuration.
And yes, this is missing. In OpenLDAP, you can enforce TLS through some parameter, and I think that would be a good addition to ApacheDS. Would you fancy creating a JIRA with such a demand ? Thanks !
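Since the server side cannot refuse cleartext binds through configuration, the two things an administrator can still do are (a) make sure their own clients always negotiate StartTLS before binding and (b) verify, against their own server, whether a simple bind on port 389 is accepted without TLS. The following is an added example, not code from this thread or from the ApacheDS project; it uses only the Python standard library, hand-encodes the two LDAP messages involved (the StartTLS extended request with OID 1.3.6.1.4.1.1466.20037 and a simple BindRequest), and assumes hypothetical host, DN and password values supplied by the caller.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
RESULT_SUCCESS = 0
RESULT_CONFIDENTIALITY_REQUIRED = 13       # what a server that enforces TLS returns


def ber_len(n):
    """BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """BER INTEGER for non-negative values; keeps the sign bit clear."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def starttls_request(msg_id):
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }
    op = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, ber_int(msg_id) + op)


def simple_bind_request(msg_id, dn, password):
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)


def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, value_bytes, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_result(message):
    """Return (message_id, op_tag, result_code, diagnostic) from an LDAPResult-bearing reply."""
    tag, body, _ = read_tlv(message)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, idb, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    _, rc, pos = read_tlv(op)          # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)     # diagnosticMessage
    return int.from_bytes(idb, "big"), op_tag, int.from_bytes(rc, "big"), diag.decode(errors="replace")


def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from a socket."""
    def recv_exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("peer closed the connection")
            data += chunk
        return data
    head = recv_exact(2)
    if head[1] & 0x80:
        n = head[1] & 0x7F
        head += recv_exact(n)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(length)


def starttls_then_bind(host, dn, password, port=389):
    """Well-behaved client: plain TCP, StartTLS, certificate check, then bind."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(starttls_request(1))
        _, op_tag, rc, diag = parse_result(recv_message(raw))
        if op_tag != 0x78 or rc != RESULT_SUCCESS:   # 0x78 = ExtendedResponse
            raise RuntimeError(f"StartTLS refused: rc={rc} {diag}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(simple_bind_request(2, dn, password))
            return parse_result(recv_message(tls))


def cleartext_bind_result(host, dn, password, port=389):
    """Audit your own server: result code of a simple bind sent without TLS.
    RESULT_SUCCESS means cleartext binds are accepted; RESULT_CONFIDENTIALITY_REQUIRED
    is what an enforcing server would answer."""
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(simple_bind_request(1, dn, password))
        return parse_result(recv_message(raw))[2]
```

Run `cleartext_bind_result("ldap.example.internal", "cn=audit,ou=system", "...")` (hypothetical values) against a test account on your own directory; a result of 0 confirms the behaviour described in the thread, that clients can still bind in the clear, while `starttls_then_bind` shows the client side of the workaround until server-side enforcement exists.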
