Rich Megginson wrote: > Graham Seaman wrote: >> Is it possible to close down non-SSL access? (I am not using the >> admin server, so this needs to be through manual configuration) > No. There is no way to say "connections on port 389 must use > startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all > ldap traffic and rely solely on ldaps (636), but that will not work > with clients that expect startTLS. I seem to be misunderstanding the general security model around ldap directory connections. I read in the wikipedia article on ldap that use of both ldaps and port 663 are deprecated. Are there any pages on the Fedora DS wiki or elsewhere that describe good practice for safe connections? Graham
