Pete Rowley wrote:
Since LDAP suggests to use startTLS to start up TLS sessions on the non-secure port, there should be a way to disallow operations before the startTLS happens. Fedora DS does not support this.Adams Samuel D Contr AFRL/HEDR wrote:That really depends on your deployment - how sensitive would you be to someone having their credentials sniffed off the wire? How likely is it that someone will attempt a non-encrypted bind? YMMV.Anyway, should I worry about clients using the LDAP to authenticate without TLS?By the time the bind code is evaluating whether a secure transport was used the credentials have already passed over the wire. If you are sensitive to this, then I would suggest you disable the non-secure port by setting its port # to zero, then the only way to attempt a bind is over the secure port using SSL.Do I need to set my directory server such that users canonly authenticate only if they have TLS enabled?
------------------------------------------------------------------------ -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
