Pete Rowley wrote:
> Adams Samuel D Contr AFRL/HEDR wrote:
>
>> Anyway, should I worry about clients using the LDAP to authenticate
>> without TLS?
>>
> That really depends on your deployment - how sensitive would you be to
> someone having their credentials sniffed off the wire? How likely is
> it that someone will attempt a non-encrypted bind? YMMV.
>
>> Do I need to set my directory server such that users can
>> only authenticate if they have TLS enabled?
>>
> By the time the bind code is evaluating whether a secure transport was
> used the credentials have already passed over the wire. If you are
> sensitive to this, then I would suggest you disable the non-secure
> port by setting its port # to zero, then the only way to attempt a
> bind is over the secure port using SSL.

Since LDAP suggests using startTLS to start up TLS sessions on the
non-secure port, there should be a way to disallow operations before the
startTLS happens. Fedora DS does not support this.

> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
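An added illustration of the two points in this exchange, not code from the thread or from Fedora DS: first, what a simple bind on the non-secure port looks like to anyone on the wire (the BER-encoded BindRequest carries the DN and password in the clear, which is why Pete notes the server cannot protect them by deciding after the fact); second, a small emulation of the "refuse every operation except StartTLS until TLS is up" gate that the reply wishes Fedora DS had. The captured bytes, the DN "cn=Directory Manager" and the password "secret" are constructed for the example; the gate is a sketch of the policy, not a description of any server's implementation.

```python
"""Added example, not from the thread above: decode an LDAP simple bind as it
crosses the wire without TLS, and emulate a "no operations before StartTLS"
gate of the kind the poster says Fedora DS did not offer.

The sample messages are constructed here; the DN and password are made up.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

# Constructed "capture": LDAPMessage{ messageID 1, BindRequest{ version 3,
# name "cn=Directory Manager", simple "secret" } }. Nothing is encrypted.
CAPTURED_BIND = bytes.fromhex(
    "3026" "020101" "6021" "020103"
    "0414" "636e3d4469726563746f7279204d616e61676572"
    "8006" "736563726574"
)


def tlv(tag, value):
    """Encode a short-form BER TLV (values under 128 bytes, enough here)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def bind_request(msg_id, dn, password):
    """LDAPMessage carrying a BindRequest ([APPLICATION 0], tag 0x60) with simple auth ([0], tag 0x80)."""
    op = tlv(0x02, bytes([3])) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))


def starttls_request(msg_id):
    """LDAPMessage carrying an ExtendedRequest ([APPLICATION 23], tag 0x77) for StartTLS."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def read_tlv(buf, pos):
    """Parse one BER TLV at pos -> (tag, value, next_pos); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def read_all(buf):
    """Split a constructed value into its list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out


def decode_message(raw):
    """Decode an LDAPMessage far enough to see what a sniffer sees: op type, DN, password."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, mid), (op_tag, op) = read_all(body)[:2]
    msg = {"id": int.from_bytes(mid, "big")}
    if op_tag == 0x60:                         # BindRequest
        fields = read_all(op)
        auth_tag, auth = fields[2]
        msg.update(op="bind",
                   version=int.from_bytes(fields[0][1], "big"),
                   name=fields[1][1].decode(),
                   # simple auth is the password itself; SASL would be tag 0xA3
                   password=auth.decode() if auth_tag == 0x80 else None)
    elif op_tag == 0x77:                       # ExtendedRequest
        msg.update(op="extended", oid=read_all(op)[0][1].decode())
    else:
        msg["op"] = "other"
    return msg


def filter_session(messages):
    """Emulate a server that refuses every operation except StartTLS until TLS is up.
    Messages after StartTLS are taken as already-decrypted application data.
    Returns [(messageID, decision)]; the reject uses LDAP's confidentialityRequired (13)."""
    tls, decisions = False, []
    for raw in messages:
        m = decode_message(raw)
        if m["op"] == "extended" and m["oid"] == STARTTLS_OID.decode():
            tls = True
            decisions.append((m["id"], "accept: StartTLS"))
        elif not tls:
            decisions.append((m["id"], "reject: confidentialityRequired"))
        else:
            decisions.append((m["id"], "accept"))
    return decisions


if __name__ == "__main__":
    print("sniffed from cleartext bind:", decode_message(CAPTURED_BIND))
    session = [bind_request(1, "uid=alice,dc=example,dc=com", "hunter2"),
               starttls_request(2),
               bind_request(3, "uid=alice,dc=example,dc=com", "hunter2")]
    for mid, decision in filter_session(session):
        print(mid, decision)
```

Note what the gate does and does not buy you: message 1 is rejected, but its password still crossed the wire in the clear before the server could say no, which is exactly Pete's objection. A gate like this stops the server from honouring cleartext binds (and so flushes out misconfigured clients); only closing the non-secure port, or a client that insists on TLS before binding, keeps the password off the wire. On Fedora DS / 389 DS the port Pete refers to is the nsslapd-port attribute on cn=config; later 389 DS releases also added an nsslapd-require-secure-binds switch for the bind case, which the 2006 server the poster is describing did not have.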