[Fedora-directory-users] TLS authentication
Richard Megginson
rmeggins at redhat.com
Tue Aug 8 20:40:05 UTC 2006
Pete Rowley wrote:
> Adams Samuel D Contr AFRL/HEDR wrote:
>
>> Anyway, should I worry about clients using the LDAP to authenticate
>> without TLS?
>>
> That really depends on your deployment - how sensitive would you be to
> someone having their credentials sniffed off the wire? How likely is
> it that someone will attempt a non-encrypted bind? YMMV.
>
>> Do I need to set my directory server such that users can
>> only authenticate only if they have TLS enabled?
>>
> By the time the bind code is evaluating whether a secure transport was
> used the credentials have already passed over the wire. If you are
> sensitive to this, then I would suggest you disable the non-secure
> port by setting its port # to zero, then the only way to attempt a
> bind is over the secure port using SSL.
Since LDAP suggests to use startTLS to start up TLS sessions on the
non-secure port, there should be a way to disallow operations before the
startTLS happens. Fedora DS does not support this.
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20060808/ab98b07a/attachment.bin>
More information about the 389-users
mailing list