Susan wrote: >--- Richard Megginson <rmeggins at redhat.com> wrote: > > > >>the openldap ldapsearch -Z does startTLS, which tries to startup a >>secure connection using the non-secure port - basically, so you can have >>ldap listen only to 389 and have SSL/TLS on that port. So then you may >>ask "Ok, that's fine, but how do I disable non-secure connections on >>389?" I'm not sure how you can do that at the connection level, but at >>the entry level you can set ACIs to allow access only if using SSL/TLS. >> >> > >Can you give me an example, please? ldapsearch aside, even though SSL is enabled on the server, >everything (including the password) is being transmitted clear text -- I can see it in ethereal >when I try to ssh to an ldap client. > > If you are using ldapsearch -ZZ: -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be suc- cessful. And if it is successful, the connection should be encrypted from that point on, and you should not see any clear text. You can verify this by looking at the access log for the directory server - the connection and bind information should tell if the startTLS operation was successful. > > >__________________________________________ >Yahoo! DSL ? Something to write home about. >Just $16.99/mo. or less. >dsl.yahoo.com > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060105/4c0e9167/attachment.bin
