[389-users] Securing LDAP information on the network

On Mon, 2009-12-14 at 15:01 +0100, Kenneth Holter wrote:
> Hi all.
>  
>  
> We'd like to make sure that the LDAP data on our network is encrypted,
> at least the data that contains sensitive information. We've set up
> TLS on these communication links:
>       * LDAP client <-> LDAP server (using StartTLS)
>       * LDAP master <-> LDAP slave
>       * Web browser <-> Admin server web console (i.e. https)
> We have a pretty default installation of the directory server (which
> btw is Red Hat Directory Server v8.1.0). To the best of my knowledge, these
> links above should cover all relevant traffic on the network, since
> the directory server, admin server and the console are all located on
> the same physical server. Does anyone agree or disagree? 
>  
> Btw, if anyone knows of any nice diagrams that show the different
> data links (i.e. information flow) between the directory server
> components (such as admin server, console, main console, directory
> server, and so forth) please do post a link to this. 
<snip>
That's what we've done although we also use LDAPS in some cases.  We
have not yet played with disabling unencrypted traffic.  If someone does
not request StartTLS or LDAPS, we do respond with unencrypted traffic.
We've also ensured that backups of the database are both sent and stored
encrypted - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
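
An added example, not part of either message above: one way to find the clients that still bind without StartTLS or LDAPS, the case described in the reply where the server answers in the clear. It assumes the directory server access log layout shown in the constructed sample lines; the function name `plaintext_binds` and the sample addresses and DNs are hypothetical.

```python
import re

# Constructed sample lines modelled on the directory server access log layout
# (assumed format "[timestamp] conn=N ..."); addresses and DNs are made up.
SAMPLE_LOG = """\
[14/Dec/2009:15:01:02 +0100] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[14/Dec/2009:15:01:02 +0100] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Dec/2009:15:01:02 +0100] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Dec/2009:15:01:02 +0100] conn=7 SSL 256-bit AES
[14/Dec/2009:15:01:03 +0100] conn=7 op=1 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[14/Dec/2009:15:01:05 +0100] conn=8 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[14/Dec/2009:15:01:05 +0100] conn=8 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[14/Dec/2009:15:01:06 +0100] conn=9 fd=66 slot=66 SSL connection from 192.0.2.30 to 192.0.2.1
[14/Dec/2009:15:01:06 +0100] conn=9 SSL 256-bit AES
[14/Dec/2009:15:01:06 +0100] conn=9 op=0 BIND dn="uid=carol,ou=People,dc=example,dc=com" method=128 version=3
[14/Dec/2009:15:01:08 +0100] conn=10 fd=67 slot=67 connection from 192.0.2.40 to 192.0.2.1
[14/Dec/2009:15:01:08 +0100] conn=10 op=0 BIND dn="" method=128 version=3
"""

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) (.*)$')
OPEN = re.compile(r'connection from (\S+) to ')
CIPHER = re.compile(r'^(SSL|TLS\S*) \d+-bit ')      # logged once TLS is negotiated
BIND = re.compile(r'^op=\d+ BIND dn="([^"]*)" method=128 ')  # simple bind

def plaintext_binds(lines):
    """Return (conn, client, dn) for non-anonymous simple binds sent before TLS."""
    clients, encrypted, findings = {}, set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        conn, rest = m.groups()
        opened = OPEN.search(rest) if rest.startswith("fd=") else None
        if opened:
            clients[conn] = opened.group(1)
            encrypted.discard(conn)  # conn numbers restart when the server restarts
        elif CIPHER.match(rest):
            encrypted.add(conn)
        else:
            bind = BIND.match(rest)
            if bind and bind.group(1) and conn not in encrypted:
                findings.append((conn, clients.get(conn, "unknown"), bind.group(1)))
    return findings

if __name__ == "__main__":
    for conn, client, dn in plaintext_binds(SAMPLE_LOG.splitlines()):
        print(f"conn={conn} client={client} sent a simple bind in the clear as {dn}")
```

Running a check like this before unencrypted traffic is disabled shows which clients would break and which credentials have already crossed the network in plaintext.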
