I also would be interested in the feature. It would also be interesting to deprecate TLS 1.0, TLS 1.1 and SSL of any flavor.
> On Feb 25, 2016, at 8:56 AM, Emmanuel Lécharny <[email protected]> wrote:
>
> On 25/02/16 16:33, s_humbi wrote:
>> Hello, does anybody know if there is a way to force the ldap-client to use
>> StartTLS? I don't want to offer our ldap-clients an unsecure way to talk
>> with our LDAP-Server.
>> Yes, I can disable the default port 389 and only enable the SSL port 636. But
>> there is written in the DS documentation: "**LDAPS** is considered as
>> deprecated. You should always favor startTLS instead."
>> And I also need the port 389 (with StartTLS) for replication, so I can not
>> disable it.
>> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But the
>> users can still connect without TLS.
>> I found this interesting paper:
>> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf -->
>> see the caption: "The correct and standard approach is to start LDAP
>> without encryption and then negotiate the TLS security layer. If necessary,
>> the server can be configured to refuse all operations other than 'Start TLS'
>> until TLS is in place"
>>
>> Is this possible with Apache DS?
>> Many thanks for helping ... Humbi
>>
> No, sorry, we can't enforce that atm. At least, there is no way to do
> that through configuration.
>
> And yes, this is missing. In OpenLDAP, you can enforce TLS through some
> parameter, and I think that would be a good addition to ApacheDS.
> Would you fancy creating a JIRA with such a demand?
>
> Thanks!
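The OpenLDAP parameter Emmanuel refers to is the `security` directive. As an added example (not from this thread, and not an ApacheDS setting, which the thread says does not exist), here is the cn=config form that refuses every operation on a cleartext connection while still allowing the StartTLS request itself, with the permissive default described beside it:

```ldif
# Added example: OpenLDAP slapd-config equivalent of "refuse all operations
# other than StartTLS until TLS is in place". Apply as the config admin, e.g.:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif
#
# Weak (default): olcSecurity is unset, so a client can simple-bind and
# search in cleartext on port 389 even though the server also offers
# StartTLS; users "can still connect without TLS", as in the question.
#
# Hardened: require a security strength factor of 128 on every operation,
# i.e. a TLS session whose cipher has at least a 128-bit key. The StartTLS
# extended operation is exempt from the check, so clients still connect on
# 389 but must upgrade before any bind, search or modify is accepted.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128
```

Replication over port 389 keeps working as long as each consumer's syncrepl stanza negotiates StartTLS (`starttls=critical`), since a consumer that skips the upgrade is refused like any other cleartext client.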
