Hi Glenn,
In terms of security, IMHO there is not much difference:
(on LDAPS the handshake is started when the connection is opened,
while with startTLS it is started when receiving the 1.3.6.1.4.1.1466.20037 LDAP extended operation)
And once the handshake is completed, both connections are handled the same way until they are closed.
The main risk is that for some reason (bad configuration or user error)
the EXT 1.3.6.1.4.1.1466.20037 operation is not sent and the bind is attempted in clear.
(Note: nsslapd-require-secure-binds prevents such a bind from succeeding, but the password has still been sent in clear ... )
That said, for replication there is not much risk once the agreements are properly configured.
Regards
Pierre
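As an added illustration of the risk described above (a bind reaching the server before StartTLS), not code from this thread or from 389 DS: a small Python checker that walks constructed access-log lines in the approximate 389 DS format (field layout, timestamps, connection ids and DNs are assumptions) and reports simple binds on connections where neither an LDAPS open nor a successful StartTLS extended operation came first.

```python
import re

# Constructed sample in the approximate 389 DS access-log format (timestamps,
# connection ids and DNs are made up): conn=10 is LDAPS, conn=11 completes
# StartTLS before binding, conn=12 binds in clear and is refused with err=13
# (confidentialityRequired), but its password has already crossed the wire.
SAMPLE_LOG = """\
[04/Jan/2021:19:36:00.000000001 +0000] conn=10 fd=64 slot=64 SSL connection from 10.0.0.5 to 10.0.0.1
[04/Jan/2021:19:36:00.000000002 +0000] conn=10 op=0 BIND dn="cn=replication manager,cn=config" method=128 version=3
[04/Jan/2021:19:36:01.000000001 +0000] conn=11 fd=65 slot=65 connection from 10.0.0.6 to 10.0.0.1
[04/Jan/2021:19:36:01.000000002 +0000] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[04/Jan/2021:19:36:01.000000003 +0000] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0.000100
[04/Jan/2021:19:36:01.000000004 +0000] conn=11 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
[04/Jan/2021:19:36:02.000000001 +0000] conn=12 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[04/Jan/2021:19:36:02.000000002 +0000] conn=12 op=0 BIND dn="cn=replication manager,cn=config" method=128 version=3
[04/Jan/2021:19:36:02.000000003 +0000] conn=12 op=0 RESULT err=13 tag=97 nentries=0 etime=0.000050
"""

START_TLS_OID = "1.3.6.1.4.1.1466.20037"
CONN_RE = re.compile(r"\] conn=(\d+) (.*)$")
EXT_RE = re.compile(r'op=(\d+) EXT oid="' + re.escape(START_TLS_OID) + '"')
RESULT_RE = re.compile(r"op=(\d+) RESULT err=(\d+)")
# method=128 is a simple bind: the password travels inside the BIND request.
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]+)" method=128')


def find_cleartext_binds(log_text):
    """Return (conn, op, dn) for simple binds sent on a connection before it
    was secured: no LDAPS open ('SSL connection from') and no StartTLS
    extended operation answered with err=0 ahead of the BIND."""
    secured = set()       # connections known to be under TLS
    pending_tls = {}      # conn -> op number of an outstanding StartTLS EXT
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        if "SSL connection from" in rest:
            secured.add(conn)          # accepted on the LDAPS port
        ext = EXT_RE.search(rest)
        if ext:
            pending_tls[conn] = ext.group(1)
        res = RESULT_RE.search(rest)
        if res and pending_tls.get(conn) == res.group(1) and res.group(2) == "0":
            secured.add(conn)          # StartTLS accepted; later ops encrypted
        bind = BIND_RE.search(rest)
        if bind and conn not in secured:
            findings.append((conn, int(bind.group(1)), bind.group(2)))
    return findings
```

A refused bind (such as conn=12 above) still appears in the findings on purpose, since the point is that the credential was already sent, not whether the server accepted it.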
On Mon, Jan 4, 2021 at 7:36 PM Glenn Morris <rgm@xxxxxxxxxxxx> wrote:
Hi,
Pierre Rogier wrote:
> The connection logs probably means that a non encrypted operation was
> attempted over SSL port.
Thanks for this. Indeed, if I replace "--port=636 --conn-protocol=LDAPS"
(from "Steps to be Performed on the Supplier" in the Red Hat docs)
with "--port=389 --conn-protocol=StartTLS" when running "repl-agmt create",
then the status command reports "Replication Status: In Synchronization"
(after the first change is synced). It leaves me wondering a bit how
secure it is though...
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
--
389 Directory Server Development Team