Susan wrote:
--- Richard Megginson <rmeggins@xxxxxxxxxx> wrote:the openldap ldapsearch -Z does startTLS, which tries to startup a secure connection using the non-secure port - basically, so you can have ldap listen only to 389 and have SSL/TLS on that port. So then you may ask "Ok, that's fine, but how do I disable non-secure connections on 389?" I'm not sure how you can do that at the connection level, but at the entry level you can set ACIs to allow access only if using SSL/TLS.Can you give me an example, please? ldapsearch aside, even though SSL is enabled on the server, everything (including the password) is being transmitted clear text -- I can see it in ethereal when I try to ssh to an ldap client.
If you are using ldapsearch -ZZ: -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be suc- cessful.And if it is successful, the connection should be encrypted from that point on, and you should not see any clear text. You can verify this by looking at the access log for the directory server - the connection and bind information should tell if the startTLS operation was successful.
__________________________________________ Yahoo! DSL – Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
