Your fixes look good to me. --noriko Nathan Kinder wrote:
Nathan Kinder wrote:After some discussion with Rich, we determined that a change to the patch was necessary with regards to the way unauthenticated binds are treated. The attached patch treats unauthenticated binds the same as anonymous binds (assuming that they are allowed in the config). This means that the new setting to require secure binds will not affect unauthenticated binds or anonymous binds.Nathan Kinder wrote:Andrey Ivanov wrote:Does it mean that when "nsslapd-require-secure-binds" is "on" then even the anonymous binds should be made by SSL? Maybe there is some sense in leaving a possibility to have anonymous binds non-SSL and frocing non-anonymous ones to be secure?Sorry for the late response, but I was on vacation the last week.The current patch does force all simple binds, including anonymous, to use a secure connection. I can see value in allowing anonymous simple binds over an unencrypted connection, as the main reason for this new setting is to prevent clear text transmission of passwords. I will revise the patch to ignore anonymous binds when nsslapd-require-secure-binds is on unless anyone else has arguments otherwise.A new patch with the above change is attached.The patch also fixed a typo in one of the new log messages.There are a number of other security related configuration settings that I plan to add soon, which will provide other ways of dealing with restricting anonymous operations. One of these features are a switch to disable any anonymous operations completely. Another is to have a minimum SSF setting on the server. The only operation we would allow after first connecting over plain LDAP would be startTLS. If the SSF then meets the minimum requirement, other operations would be allowed.2009/5/15 Rich Megginson <rmeggins@xxxxxxxxxx <mailto:rmeggins@xxxxxxxxxx>>Nathan Kinder wrote:-------------------------------------------------------------------------- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx <mailto:Fedora-directory-devel@xxxxxxxxxx> https://www.redhat.com/mailman/listinfo/fedora-directory-devel Looks good. -- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx <mailto:Fedora-directory-devel@xxxxxxxxxx> https://www.redhat.com/mailman/listinfo/fedora-directory-devel-------------------------------------------------------------------------- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-devel-- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-devel------------------------------------------------------------------------ -- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-devel------------------------------------------------------------------------ -- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-devel
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-devel
