Graham Seaman wrote:
> Rich Megginson wrote:
>> Graham Seaman wrote:
>>> Is it possible to close down non-SSL access? (I am not using the
>>> admin server, so this needs to be through manual configuration)
>> No. There is no way to say "connections on port 389 must use
>> startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all
>> ldap traffic and rely solely on ldaps (636), but that will not work
>> with clients that expect startTLS.
>
> I seem to be misunderstanding the general security model around ldap
> directory connections. I read in the wikipedia article on ldap that
> use of both ldaps and port 663 are deprecated.

That is correct - however, there are many, many clients that still
support ldaps, many of which also do not support startTLS.

> Are there any pages on the Fedora DS wiki or elsewhere that describe
> good practice for safe connections?

It really depends on the client. If the client supports startTLS, I
encourage you to use it.

>
> Graham
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
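The workaround in the reply above (nsslapd-port set to 0 so that only the LDAPS listener remains), shown as an added dse.ldif example. This is not code from the thread or from the Fedora DS project; it assumes the server certificate and the cn=encryption,cn=config entry are already configured and LDAPS on 636 already works, and the attribute names are those of the cn=config entry in Fedora DS / 389 DS.

```ldif
# Added example, not from the original thread. Two versions of the relevant
# attributes of the cn=config entry in dse.ldif. Assumes the cert database and
# cn=encryption,cn=config are already set up so that port 636 works.
# Edit dse.ldif only while the server is stopped: the server rewrites the file
# on shutdown and would overwrite a change made while it is running.

# Before: plaintext LDAP on 389 (which a client may upgrade with startTLS)
# plus LDAPS on 636. Nothing forces a client to use either form of TLS.
dn: cn=config
nsslapd-port: 389
nsslapd-securePort: 636
nsslapd-security: on

# After (the workaround from the reply): no plaintext listener at all, so
# every connection is LDAPS. Clients that expect startTLS will fail, because
# there is no port 389 for them to connect to before they can issue StartTLS.
dn: cn=config
nsslapd-port: 0
nsslapd-securePort: 636
nsslapd-security: on
```

To confirm the change took effect, `ldapsearch -x -H ldap://host:389 -b "" -s base` should now be refused, `ldapsearch -x -H ldaps://host:636 -b "" -s base` should still return the root DSE, and a startTLS client such as `ldapsearch -x -ZZ -H ldap://host:389 -b "" -s base` will fail for the reason the reply gives. One caveat for readers on a newer version: later 389 DS releases added nsslapd-minssf in cn=config, which rejects operations below a minimum security strength factor while leaving port 389 open for startTLS; whether your version supports it is something to check against its own documentation rather than assume from this thread.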