Hi,
I'm trying to set up Fedora DS to be accessible only with SSL. My DS is on a standalone remote server, with most ports firewalled. If I open ports 389 and 636, I can run ldapsearch ok using SSL (the access log shows 'SSL connection.. using 256-bit AES') but I can also choose not to use SSL and still make queries. If I close port 389, I can't connect to the server with or without SSL - I just get 'ldap_start_tls: Can't contact LDAP server (-1)'. This is even if I explicitly specify port 636, not just relying on the '-Z' flag for ldapsearch.
Is it possible to close down non-SSL access? (I am not using the admin server, so this needs to be through manual configuration)
Thanks for any advice
Graham
Graham Seaman wrote:
Hi,
I'm trying to set up Fedora DS to be accessible only with SSL. My DS is on a standalone remote server, with most ports firewalled. If I open ports 389 and 636, I can run ldapsearch ok using SSL (the access log shows 'SSL connection.. using 256-bit AES') but I can also choose not to use SSL and still make queries. If I close port 389, I can't connect to the server with or without SSL - I just get 'ldap_start_tls: Can't contact LDAP server (-1)'. This is even if I explicitly specify port 636, not just relying on the '-Z' flag for ldapsearch.
Is it possible to close down non-SSL access? (I am not using the admin server, so this needs to be through manual configuration)
No. There is no way to say "connections on port 389 must use startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all ldap traffic and rely solely on ldaps (636), but that will not work with clients that expect startTLS.
Thanks for any advice
Graham
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Rich Megginson wrote:
Graham Seaman wrote:
Is it possible to close down non-SSL access? (I am not using the admin server, so this needs to be through manual configuration)
No. There is no way to say "connections on port 389 must use startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all ldap traffic and rely solely on ldaps (636), but that will not work with clients that expect startTLS.
I seem to be misunderstanding the general security model around ldap directory connections. I read in the Wikipedia article on ldap that use of both ldaps and port 663 are deprecated. Are there any pages on the Fedora DS wiki or elsewhere that describe good practice for safe connections?
Graham
Graham Seaman wrote:
Rich Megginson wrote:
Graham Seaman wrote:
Is it possible to close down non-SSL access? (I am not using the admin server, so this needs to be through manual configuration)
No. There is no way to say "connections on port 389 must use startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all ldap traffic and rely solely on ldaps (636), but that will not work with clients that expect startTLS.
I seem to be misunderstanding the general security model around ldap directory connections. I read in the Wikipedia article on ldap that use of both ldaps and port 663 are deprecated.
That is correct - however, there are many, many clients that still support ldaps, many of which also do not support startTLS.
Are there any pages on the Fedora DS wiki or elsewhere that describe good practice for safe connections?
It really depends on the client. If the client supports startTLS, I encourage you to use it.
Graham