Adams Samuel D Contr AFRL/HEDR wrote:

>Anyway, should I worry about clients using the LDAP to authenticate
>without TLS?
>

That really depends on your deployment - how sensitive would you be to someone having their credentials sniffed off the wire? How likely is it that someone will attempt a non-encrypted bind? YMMV.

> Do I need to set my directory server such that users can
>only authenticate only if they have TLS enabled?
>
>

By the time the bind code is evaluating whether a secure transport was used the credentials have already passed over the wire. If you are sensitive to this, then I would suggest you disable the non-secure port by setting its port # to zero, then the only way to attempt a bind is over the secure port using SSL.

-- Pete
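The following is an added example, not part of the original message or the directory server's own code: a small audit that reads the cn=config entry from an LDIF export and reports whether a cleartext listener is still enabled, as the reply above suggests checking. The attribute names (nsslapd-port, nsslapd-security, nsslapd-secureport), the default of 389 when the port is unset, and the sample LDIF are assumptions that do not appear in the message.

```python
import re

# Constructed sample: a fragment of cn=config as it might appear in dse.ldif.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: top
nsslapd-port: 389
nsslapd-security: on
nsslapd-secureport: 636
nsslapd-localhost: ldap.example.
 test

dn: cn=other,cn=config
nsslapd-port: 0
"""

def parse_entries(text):
    """Parse LDIF into a list of {attr_lower: [values]} dicts (base64 values not decoded)."""
    unfolded = re.sub(r"\r?\n ", "", text)  # undo RFC 2849 line folding
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_cleartext_port(text):
    """Return findings for the cn=config entry; an empty list means no cleartext listener."""
    findings = []
    for entry in parse_entries(text):
        if entry.get("dn", [""])[0].lower() != "cn=config":
            continue  # only the top-level config entry controls the listeners
        port = entry.get("nsslapd-port", ["389"])[0]  # assumption: unset means 389
        if port != "0":
            findings.append(f"cleartext LDAP listener enabled on port {port}")
        if entry.get("nsslapd-security", ["off"])[0].lower() != "on":
            findings.append("nsslapd-security is not on: no SSL listener")
        elif entry.get("nsslapd-secureport", [""])[0] in ("", "0"):
            findings.append("nsslapd-secureport is unset or 0")
    return findings

if __name__ == "__main__":
    for finding in audit_cleartext_port(SAMPLE_LDIF) or ["no cleartext listener configured"]:
        print(finding)
```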