Graham Seaman wrote:
> Hi,
>
> I'm trying to set up Fedora DS to be accessible only with SSL. My DS
> is on a standalone remote server, with most ports firewalled. If I
> open ports 389 and 636, I can run ldapsearch OK using SSL (the access
> log shows 'SSL connection.. using 256-bit AES') but I can also choose
> not to use SSL and still make queries. If I close port 389, I can't
> connect to the server with or without SSL - I just get
> 'ldap_start_tls: Can't contact LDAP server (-1)'. This is even if I
> explicitly specify port 636, not just relying on the '-Z' flag for
> ldapsearch.
>
> Is it possible to close down non-SSL access? (I am not using the admin
> server, so this needs to be through manual configuration)

No. There is no way to say "connections on port 389 must use startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all ldap traffic and rely solely on ldaps (636), but that will not work with clients that expect startTLS.

> Thanks for any advice
>
> Graham
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
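Added example, not code from this thread or from the Directory Server project: a small Python audit of the dse.ldif setting the reply names. It reads the cn=config entry (assuming an unfolded dse.ldif; the sample entry below is constructed, with real attribute names nsslapd-port, nsslapd-securePort and nsslapd-security but sample values), reports whether a plaintext nsslapd-port listener remains, and writes out the nsslapd-port: 0 variant the reply describes, with the StartTLS caveat.

```python
# Constructed sample of a dse.ldif cn=config entry with the stock listeners:
# plain LDAP on 389 and LDAPS on 636 (the situation in the question above).
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: nsslapdConfig
nsslapd-port: 389
nsslapd-securePort: 636
nsslapd-security: on

dn: cn=encryption,cn=config
cn: encryption
"""

def parse_cn_config(text):
    """Attributes of the cn=config entry, keys lower-cased, values as lists.
    Assumes the LDIF has no folded continuation lines."""
    attrs, in_entry = {}, False
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "dn":
            in_entry = val.lower() == "cn=config"   # scope to cn=config only
        elif in_entry and key:
            attrs.setdefault(key, []).append(val)
    return attrs

def audit_plaintext_exposure(text):
    """Findings list; empty means only LDAPS on nsslapd-securePort is served."""
    cfg = parse_cn_config(text)
    port = int(cfg.get("nsslapd-port", ["389"])[0])          # server default if absent
    security_on = cfg.get("nsslapd-security", ["off"])[0].lower() == "on"
    findings = []
    if port != 0:
        findings.append(f"unencrypted LDAP (StartTLS optional) still listens on {port}")
    if not security_on:
        findings.append("nsslapd-security is off, so no LDAPS listener exists")
    return findings

def disable_plaintext_port(text):
    """Set nsslapd-port to 0 in cn=config, as the reply describes. This also
    removes StartTLS, so clients must use ldaps:// on nsslapd-securePort."""
    out, in_entry = [], False
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key.strip().lower() == "dn":
            in_entry = val.strip().lower() == "cn=config"
        elif in_entry and key.strip().lower() == "nsslapd-port":
            line = "nsslapd-port: 0"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run the audit against the live file (stop the server first, since dse.ldif is rewritten on shutdown) before and after applying the change, and confirm no client still relies on StartTLS over 389.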