On 25/02/16 22:53, Stefan Seelmann wrote:
> On 02/25/2016 05:56 PM, Emmanuel Lécharny wrote:
>> On 25/02/16 16:33, s_humbi wrote:
>>> Hello, does anybody know if there is a way to force the ldap-client to use
>>> StartTLS? I don't want to offer our ldap-clients an unsecure way to talk
>>> with our LDAP-Server.
>>> Yes, I can disable the default port 389 and only enable the SSL port 636. But
>>> there is written in the DS documentation: " **LDAPS** is considered as
>>> deprecated. You should always favor startTLS instead. "
>>> And I also need the port 389 (with StartTLS) for replication, so I can not
>>> disable it.
>>> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But the
>>> users can still connect without TLS.
>>> I found this interesting paper:
>>> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf
>>> --> see Caption caption: "The correct and standard approach is to start LDAP
>>> without encryption and then negotiate the TLS security layer. If necessary,
>>> the server can be configured to refuse all operations other than 'Start
>>> TLS' until TLS is in place"
>>>
>> No, sorry, we can't enforce that atm. At least, there is no way to do
>> that through configuration.
>>
>> And yes, this is missing. In OpenLDAP, you can enforce TLS through some
>> parameter, and I think that would be a good addition to ApacheDS.
>> Would you fancy creating a JIRA with such a demand?
> But that cannot prevent the client from sending a request, e.g. a simple
> bind with plain text password, right?

It will. Check on http://www.openldap.org/doc/admin24/security.html, par. 14.2.1. Setting the 'security' parameter to a value > 1 will reject any non-encrypted connection.

> Even if the server then refuses
> the operation, the password was sent over the wire. Would it then be
> appropriate to lock the account automatically?

You won't be able to send a request in clear text, AFAIU.
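For reference, this is what the OpenLDAP 'security' directive mentioned above looks like in cn=config form. It is an added example, not configuration from the thread or from ApacheDS; the database DN and the strength values are assumptions for a typical deployment.

```ldif
# Added example (not from the thread): require a security layer on an
# OpenLDAP mdb database so that operations on port 389 are rejected with
# "confidentiality required" until the client has negotiated StartTLS.
# The database DN and the numeric strengths below are assumptions.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
# ssf=128         every operation needs at least 128 bits of protection,
#                 which a plain TCP session on 389 does not have; StartTLS
#                 (or LDAPS on 636) satisfies it
# simple_bind=128 a simple bind carrying a password is refused unless the
#                 session is already protected
olcSecurity: ssf=128 simple_bind=128
# slapd.conf equivalent of the line above:
#   security ssf=128 simple_bind=128
# Caveat: the local ldapi:// socket is credited with olcLocalSSF (default 71),
# so ssf=128 also locks out local management tools unless that value is
# raised; keep ssf below it, or raise olcLocalSSF, for ldapi administration.
```

As Stefan points out, this is a server-side refusal: a misconfigured client may still transmit its password before the server rejects the bind, so the setting protects the directory's policy, not a client that was never told to use StartTLS.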
