I have got SSL set up and working, but I have not figured out how I can require that users only connect through a secure connection (SSL or TLS) and deny access to cleartext communication.

I was able to do this with OpenLDAP, but it was done in the slapd.conf file. I have not found any documentation on how to set it up or if it is even possible with FDS.

Is there any doc or does anyone have any information on how to do this?

Thanks
Eric
It depends on your distribution, but it's pretty much all the same. As I found it, you have to edit ldap.conf, but you may have to do a little bit of fiddling before you can get it working.

Anyways, I've got this also documented on my web site:

http://www.csse.uwa.edu.au/~ashley/

Look at the "LDAP Fedora Directory Server HOWTO with SSL & NOSSL for Unix / Linux / MacOSX / Windows Client Binding" document. Look at section 3.3, Binding Linux/Unix Machines to LDAPs.

I did this last year and it should still be applicable.

Regards
Ashley

-- 
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley

"There is no such thing as Fate, Fate is what you make of it!"
Richard Megginson
2007-May-04 14:50 UTC
Re: [Fedora-directory-users] Requiring TLS/SSL communication
Thanks Ashley.

Another trick you can use on the server side is to just shut off the non-secure port by using a value of 0 for cn=config nsslapd-port. Then the server will only listen for LDAPS requests.
Yes I thought about that, but I'm supporting some legacy Linux/Unix systems to which I provide LDAP/NIS auth from the Directory Server.

I don't really want to break things, I'm just phasing things out gradually.

Cheers then,
Ashley
Eddie C
2007-May-07 14:30 UTC
Re: [Fedora-directory-users] Requiring TLS/SSL communication
You could use IPTABLES as well and not have to play with the configuration of FDS, but I am sure you already figured this out.

Edward
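The server-side change Richard describes, with the two checks Ashley's concern calls for (which clients still come in cleartext, and whether the plain listener really is gone after the change). This is an added example, not code from the thread or from Fedora Directory Server; the host name, bind DN and ss column layout are assumptions, and the log lines fed in are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes SSL is already enabled on the
# server (nsslapd-security: on, nsslapd-securePort: 636), as Eric says it is.

# LDIF that sets the non-secure port to 0 under cn=config. Apply it over
# ldaps so the change itself is not sent in the clear, then restart slapd:
# a new nsslapd-port value does not take effect until restart.
disable_cleartext_ldif() {
    printf '%s\n' 'dn: cn=config' 'changetype: modify' \
        'replace: nsslapd-port' 'nsslapd-port: 0'
}

apply_to_server() {   # usage: apply_to_server ldap.example.com (assumed host)
    disable_cleartext_ldif |
        ldapmodify -x -H "ldaps://$1:636" -D 'cn=Directory Manager' -W
}

# Before flipping the switch: list client IPs that still connect on the
# plain port. 389-DS style access log lines on stdin; secure-port
# connections are logged as "SSL connection from", plain ones as
# "connection from". Note that StartTLS clients also arrive on the plain
# port, so they appear here too and will be cut off by nsslapd-port 0.
cleartext_clients() {
    awk '/ connection from / && !/ SSL connection from / {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort -u
}

# After the restart: parse `ss -lnt` output on stdin (State Recv-Q Send-Q
# Local:Port Peer:Port) and succeed only when nothing listens on 389 and
# something listens on 636.
verify_listeners() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); p[a[n]] = 1 }
         END { if (!("389" in p) && ("636" in p)) exit 0; exit 1 }'
}
```

Run `cleartext_clients < /var/opt/fedora-ds/slapd-*/logs/access` (path assumed) for a few days before applying the change, so the legacy boxes can be moved to ldaps first.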