Graham Seaman wrote:
Rich Megginson wrote:
Graham Seaman wrote:
Is it possible to close down non-SSL access? (I am not using the
admin server, so this needs to be through manual configuration)
No. There is no way to say "connections on port 389 must use
startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all
ldap traffic and rely solely on ldaps (636), but that will not work
with clients that expect startTLS.
I seem to be misunderstanding the general security model around ldap
directory connections. I read in the wikipedia article on ldap that
use of both ldaps and port 663 are deprecated.
That is correct - however, there are many, many clients that still
support ldaps, many of which also do not support startTLS.
Are there any pages on the Fedora DS wiki or elsewhere that describe
good practice for safe connections?
It really depends on the client. If the client supports startTLS, I
encourage you to use it.
Graham
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
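As an added check for the advice in Rich's reply (example code, not from the list or the Fedora DS project): a short script that reads the cn=config entry of a dse.ldif and reports what the nsslapd-port, nsslapd-security and nsslapd-secureport settings actually expose, so you can confirm whether plaintext 389 is really off before relying on ldaps only. It assumes nsslapd-port defaults to 389 when the attribute is absent, and the LDIF fragments it runs on are constructed.

```python
"""Offline check of the listener settings in a 389/Fedora DS dse.ldif.
Added example, not code from the list or the project. Assumption:
nsslapd-port is treated as 389 when absent; 0 means the listener is off.
"""
import re


def config_attrs(ldif_text):
    """Return {attr: [values]} for the cn=config entry only.
    LDIF folds long values onto lines starting with a space; unfold first."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    attrs, in_config = {}, False
    for line in unfolded.splitlines():
        if not line.strip():
            in_config = False            # blank line ends an LDIF entry
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            in_config = value.lower() == "cn=config"
        elif in_config:
            attrs.setdefault(name, []).append(value)
    return attrs


def listener_posture(ldif_text):
    """Summarise which listeners the config exposes, with findings."""
    cfg = config_attrs(ldif_text)
    plain_port = int(cfg.get("nsslapd-port", ["389"])[0])   # 0 == listener off
    security_on = cfg.get("nsslapd-security", ["off"])[0].lower() == "on"
    secure_port = int(cfg.get("nsslapd-secureport", ["636"])[0]) if security_on else None
    findings = []
    if plain_port:
        findings.append("plaintext listener open on %d; startTLS cannot be enforced" % plain_port)
    else:
        findings.append("plaintext listener off; startTLS-only clients will break")
    if not security_on:
        findings.append("no TLS listener (nsslapd-security: off)")
    return {"plain_port": plain_port, "secure_port": secure_port, "findings": findings}


# Constructed dse.ldif fragments (not taken from a real server).
DEFAULT_DSE = """dn: cn=config
nsslapd-port: 389
nsslapd-security: off

dn: cn=monitor
"""
LDAPS_ONLY_DSE = DEFAULT_DSE.replace("nsslapd-port: 389", "nsslapd-port: 0") \
    .replace("nsslapd-security: off", "nsslapd-security: on\nnsslapd-secureport: 636")
```

Run it against a real dse.ldif with the server stopped; the "startTLS-only clients will break" finding is the caveat from the thread, not an error.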