Nathan Kinder wrote:
Nathan Kinder wrote:
> Nathan Kinder wrote:
>> Andrey Ivanov wrote:
>>>
>>> Does it mean that when "nsslapd-require-secure-binds" is
"on" then
>>> even the anonymous binds should be made by SSL? Maybe there is some
>>> sense in leaving a possibility to have anonymous binds non-SSL and
>>> frocing non-anonymous ones to be secure?
>> Sorry for the late response, but I was on vacation the last week.
>>
>> The current patch does force all simple binds, including anonymous,
>> to use a secure connection. I can see value in allowing anonymous
>> simple binds over an unencrypted connection, as the main reason for
>> this new setting is to prevent clear text transmission of
>> passwords. I will revise the patch to ignore anonymous binds when
>> nsslapd-require-secure-binds is on unless anyone else has arguments
>> otherwise.
> A new patch with the above change is attached.
After some discussion with Rich, we determined that a change to the
patch was necessary with regards to the way unauthenticated binds are
treated. The attached patch treats unauthenticated binds the same as
anonymous binds (assuming that they are allowed in the config). This
means that the new setting to require secure binds will not affect
unauthenticated binds or anonymous binds.
The patch also fixed a typo in one of the new log messages.
Ok.
>>
>> There are a number of other security related configuration settings
>> that I plan to add soon, which will provide other ways of dealing
>> with restricting anonymous operations. One of these features are a
>> switch to disable any anonymous operations completely. Another is
>> to have a minimum SSF setting on the server. The only operation we
>> would allow after first connecting over plain LDAP would be
>> startTLS. If the SSF then meets the minimum requirement, other
>> operations would be allowed.
>>>
>>> 2009/5/15 Rich Megginson <rmeggins(a)redhat.com
>>> <mailto:rmeggins@redhat.com>>
>>>
>>> Nathan Kinder wrote:
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>>
>>> --
>>> Fedora-directory-devel mailing list
>>> Fedora-directory-devel(a)redhat.com
>>> <mailto:Fedora-directory-devel@redhat.com>
>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>>>
>>> Looks good.
>>>
>>> --
>>> Fedora-directory-devel mailing list
>>> Fedora-directory-devel(a)redhat.com
>>> <mailto:Fedora-directory-devel@redhat.com>
>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>>
>>> --
>>> Fedora-directory-devel mailing list
>>> Fedora-directory-devel(a)redhat.com
>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>>>
>>
>> --
>> Fedora-directory-devel mailing list
>> Fedora-directory-devel(a)redhat.com
>>
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
------------------------------------------------------------------------
--
Fedora-directory-devel mailing list
Fedora-directory-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-devel