On Fri, Feb 26, 2016 at 3:23 AM, Stefan Seelmann <[email protected]> wrote:
> On 02/25/2016 05:56 PM, Emmanuel Lécharny wrote:
>> On 25/02/16 16:33, s_humbi wrote:
>>> Hello, does anybody know if there is a way to force the ldap-client to
>>> use StartTLS? I don't want to offer our ldap-clients an insecure way to
>>> talk with our LDAP-Server.
>>>
>>> Yes, I can disable the default port 389 and only enable the SSL port
>>> 636. But the DS documentation says: "**LDAPS** is considered as
>>> deprecated. You should always favor startTLS instead."
>>>
>>> And I also need port 389 (with StartTLS) for replication, so I cannot
>>> disable it.
>>>
>>> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But
>>> the users can still connect without TLS.
>>>
>>> I found this interesting paper:
>>> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf
>>> --> see caption: "The correct and standard approach is to start LDAP
>>> without encryption and then negotiate the TLS security layer. If necessary,
>>> the server can be configured to refuse all operations other than 'Start
>>> TLS' until TLS is in place"
>>
>> No, sorry, we can't enforce that atm. At least, there is no way to do
>> that through configuration.
>>
>> And yes, this is missing. In OpenLDAP, you can enforce TLS through some
>> parameter, and I think that would be a good addition to ApacheDS.
>> Would you fancy creating a JIRA with such a demand?
>
> But that cannot prevent the client from sending a request, e.g. a simple
> bind with plain text password, right? Even if the server then refuses
> the operation, the password was sent over the wire.

Just like with any network client, it is still possible, unless the client
does some negotiation with the server prior to sending a bind request.

> Would it then be appropriate to lock the account automatically?

The server just rejects the request even before looking into it; IMO the
server shouldn't do anything other than rejecting the request.

> Kind Regards,
> Stefan

Kiran Ayyagari
http://keydap.com
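The behaviour the thread asks for (refuse every operation on a cleartext session except the StartTLS extended request, and reject without looking into the operation) is easy to state as a small server-side gate. The following is an added illustration, not ApacheDS or OpenLDAP code and not anything the participants posted. The tags, OID (1.3.6.1.4.1.1466.20037) and result codes (confidentialityRequired = 13, operationsError = 1) are taken from RFC 4511; the BER helpers, the Session/Decision types, the `gate` function and the sample bind/StartTLS messages are constructed for this example. It also encodes the BindResponse the server would send back for the refused bind, so both sides of the exchange are visible.

```python
"""StartTLS gate for a cleartext LDAP session (constructed example, not
ApacheDS code). Every operation except the StartTLS extended request is
refused with confidentialityRequired until TLS has been negotiated."""
from dataclasses import dataclass, field

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14.1

# LDAP result codes (RFC 4511 Appendix A)
SUCCESS = 0
OPERATIONS_ERROR = 1            # e.g. StartTLS when TLS is already up
CONFIDENTIALITY_REQUIRED = 13

# protocolOp tags: [APPLICATION n], constructed ops are 0x60 | n
BIND_REQUEST = 0x60             # [APPLICATION 0]
BIND_RESPONSE = 0x61            # [APPLICATION 1]
UNBIND_REQUEST = 0x42           # [APPLICATION 2], primitive NULL
EXTENDED_REQUEST = 0x77         # [APPLICATION 23]


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ldap_message(msg_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }"""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest with version 3, a DN and simple [0] OCTET STRING auth."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(BIND_REQUEST, body))


def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest whose requestName [0] is the StartTLS OID."""
    return ldap_message(msg_id, tlv(EXTENDED_REQUEST, tlv(0x80, STARTTLS_OID.encode())))


def bind_response(msg_id: int, code: int, diagnostic: str) -> bytes:
    """BindResponse carrying LDAPResult { resultCode, matchedDN, diagnosticMessage }."""
    result = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return ldap_message(msg_id, tlv(BIND_RESPONSE, result))


@dataclass
class Session:
    tls_established: bool = False
    log: list = field(default_factory=list)


@dataclass
class Decision:
    result_code: int
    diagnostic: str


def gate(session: Session, raw: bytes) -> Decision:
    """Decide whether a raw LDAPMessage may proceed to normal processing."""
    _, envelope, _ = read_tlv(raw)
    _, msg_id_bytes, pos = read_tlv(envelope)          # messageID
    op_tag, op_body, _ = read_tlv(envelope, pos)       # protocolOp
    msg_id = int.from_bytes(msg_id_bytes, "big")

    if op_tag == EXTENDED_REQUEST:
        name_tag, name, _ = read_tlv(op_body)
        if name_tag == 0x80 and name.decode("ascii") == STARTTLS_OID:
            if session.tls_established:
                return Decision(OPERATIONS_ERROR, "TLS already established")
            session.tls_established = True           # real server: wrap socket in TLS here
            session.log.append(f"msg {msg_id}: StartTLS accepted")
            return Decision(SUCCESS, "")
    if op_tag == UNBIND_REQUEST:
        return Decision(SUCCESS, "")                  # unbind has no response and is always allowed
    if not session.tls_established:
        # The operation body (including any plaintext password in a simple
        # bind) is not decoded at all: it is refused, and nothing else happens.
        session.log.append(f"msg {msg_id}: op 0x{op_tag:02x} refused, TLS required")
        return Decision(CONFIDENTIALITY_REQUIRED, "StartTLS required before any operation")
    session.log.append(f"msg {msg_id}: op 0x{op_tag:02x} passed to normal processing")
    return Decision(SUCCESS, "")


def demo() -> list:
    """Cleartext bind, StartTLS, bind over TLS, second StartTLS -> [13, 0, 0, 1]."""
    s = Session()
    dn, pw = "cn=admin,dc=example,dc=com", "constructed-password"   # constructed sample values
    return [gate(s, simple_bind(1, dn, pw)).result_code,
            gate(s, starttls_request(2)).result_code,
            gate(s, simple_bind(3, dn, pw)).result_code,
            gate(s, starttls_request(4)).result_code]


if __name__ == "__main__":
    print(demo())
```

Note what the gate does and does not achieve, which is Stefan's point: the first bind in `demo()` already carried the password across the wire before the server refused it, so the server-side rule only stops the directory from accepting or evaluating credentials sent in the clear. Keeping cleartext credentials off the wire is the client's job (refuse to bind until its own StartTLS negotiation has succeeded); the server's job, as Kiran says, is just to reject.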
