On Thu, Feb 25, 2016 at 10:26 PM, Emmanuel Lécharny <[email protected]> wrote:
> On 25/02/16 16:33, s_humbi wrote:
> > Hello, does anybody know if there is a way to force the LDAP client to
> > use StartTLS? I don't want to offer our LDAP clients an insecure way to
> > talk with our LDAP server.
> >
> > Yes, I can disable the default port 389 and only enable the SSL port
> > 636. But it is written in the DS documentation: "**LDAPS** is considered
> > as deprecated. You should always favor startTLS instead."
> >
> > And I also need port 389 (with StartTLS) for replication, so I can
> > not disable it.
> >
> > At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But
> > the users can still connect without TLS.
> >
> > I found this interesting paper:
> >
> > http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf
> > --> see caption: "The correct and standard approach is to start LDAP
> > without encryption and then negotiate the TLS security layer. If necessary,
> > the server can be configured to refuse all operations other than 'Start
> > TLS' until TLS is in place"
> >
> > Is this possible with Apache DS?
> >
> > Many thanks for helping ... Humbi
>
> No, sorry, we can't enforce that atm. At least, there is no way to do
> that through configuration.

Actually we can, through configuration (I understand, it is very rarely used, so hard to remember ;)

Setting the value of attribute ads-confidentialityRequired to TRUE and restarting the server will force the user to use a secure connection using StartTLS.

This attribute is present in the entry

  ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config

> And yes, this is missing. In OpenLDAP, you can enforce TLS through some
> parameter, and I think that would be a good addition to ApacheDS.
> Would you fancy creating a JIRA with such a demand?
>
> Thanks!

Kiran Ayyagari
http://keydap.com
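
The configuration change Kiran describes, as a worked example added here; it is not code from the thread or from the ApacheDS project. It writes the LDIF modify for the entry named above, applies it with the OpenLDAP client tools over StartTLS, and, after the restart, checks that a cleartext bind is now refused while a StartTLS bind still works. Assumptions (not in the thread): the OpenLDAP tools ldapmodify/ldapsearch are installed, the admin DN is uid=admin,ou=system with the password and port taken from environment variables, and the server answers cleartext operations with LDAP result code 13 (confidentialityRequired), which ldapsearch surfaces as its exit status.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or ApacheDS itself):
# enforce StartTLS on ApacheDS via ads-confidentialityRequired and verify it.
# Assumptions: OpenLDAP client tools; ApacheDS default admin DN; port/password
# overridable through the environment. Port 389 matches the thread (a stock
# ApacheDS install listens on 10389 instead).
ADS_HOST="${ADS_HOST:-localhost}"
ADS_PORT="${ADS_PORT:-389}"
ADMIN_DN="${ADMIN_DN:-uid=admin,ou=system}"
ADMIN_PW="${ADMIN_PW:-secret}"          # assumption: stock ApacheDS admin password

# LDIF that sets the attribute on the config-partition entry named in the thread.
confidentiality_ldif() {
    cat <<'EOF'
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-confidentialityRequired
ads-confidentialityRequired: TRUE
EOF
}

# Apply the change. -ZZ: negotiate StartTLS and abort if it cannot be established,
# so the admin password never travels in the clear. Restart ApacheDS afterwards;
# the setting is only read at server start.
apply_confidentiality() {
    confidentiality_ldif | ldapmodify -x -ZZ -H "ldap://$ADS_HOST:$ADS_PORT" \
        -D "$ADMIN_DN" -w "$ADMIN_PW"
}

# ldapsearch exits with the LDAP result code of the failed operation.
# 0 = success; 13 = confidentialityRequired, the refusal we expect for cleartext
# once the flag is active (assumption about ApacheDS's exact result code).
classify_result() {
    case "$1" in
        0)  echo "accepted" ;;
        13) echo "refused-confidentialityRequired" ;;
        *)  echo "other($1)" ;;
    esac
}

# Run one base-object search against ou=system, with or without StartTLS,
# and return the classified outcome. "$1" is "" (cleartext) or "-ZZ".
probe_bind() {
    rc=0
    ldapsearch -x $1 -H "ldap://$ADS_HOST:$ADS_PORT" -D "$ADMIN_DN" -w "$ADMIN_PW" \
        -b ou=system -s base 1.1 >/dev/null 2>&1 || rc=$?
    classify_result "$rc"
}

# After the restart: cleartext must be refused, StartTLS must still be accepted.
verify_enforced() {
    plain=$(probe_bind "")
    tls=$(probe_bind "-ZZ")
    echo "cleartext: $plain, starttls: $tls"
    [ "$plain" = "refused-confidentialityRequired" ] && [ "$tls" = "accepted" ]
}
```

Usage: `apply_confidentiality`, restart the server, then `verify_enforced` returns success only when the cleartext probe is refused and the StartTLS probe is accepted. Because the thread's replication also runs over port 389, make sure the replication consumer is configured to negotiate StartTLS before enabling the flag; otherwise its cleartext operations are refused in the same way as an ordinary client's.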
