Fedora directory users - May 2007 - Requiring TLS/SSL communication

I have got SSL set up and working, but I have not figured out how I
can require that users only connect through a secure connection (SSL
or TLS) and deny access to cleartext communication.

I was able to do this with OpenLDAP, but it was done in the slapd.conf
file. I have not found any documentation on how to set it up or if it
is even possible with FDS.

Is there any doc or does anyone have any information on how to do this?

Thanks
Eric

It depends on your distribution but pretty much all the same as I found it 
you have to edit ldap.conf but you may have to do a little bit of fiddling 
before you can get it working.

Anyways I''ve got this also documented on my web site

http://www.csse.uwa.edu.au/~ashley/

Look at LDAP Fedora Directory Server HOWTO with SSL & NOSSL for Unix/ 
Linux / MacOSX / Windows Client Binding document.

Look at section 3.3 Binding Linux/Unix Machines to LDAPs.

I''ve did this last year and should still be applicable.

 					Regards Ashley


On Thu, 3 May 2007, Eric Brown wrote:
> I have got SSL set up and working, but I have not figured out how I
> can require that users only connect through a secure connection (SSL
> or TLS) and deny access to cleartext communication.
>
> I was able to do this with OpenLDAP, but it was done in the slapd.conf
> file. I have not found any documentation on how to set it up or if it
> is even possible with FDS.
>
> Is there any doc or does anyone have any information on how to do this?
>
> Thanks
> Eric
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> !DSPAM:272,4639f614145012118015795!
>
-- 
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley

"There is no such thing as Fate, Fate is what you make of it!"

ashley wrote:
>
> It depends on your distribution but pretty much all the same as I 
> found it you have to edit ldap.conf but you may have to do a little 
> bit of fiddling before you can get it working.
>
> Anyways I''ve got this also documented on my web site
>
> http://www.csse.uwa.edu.au/~ashley/
>
> Look at LDAP Fedora Directory Server HOWTO with SSL & NOSSL for Unix/ 
> Linux / MacOSX / Windows Client Binding document.
>
> Look at section 3.3 Binding Linux/Unix Machines to LDAPs.
>
> I''ve did this last year and should still be applicable.
Thanks Ashley.

Another trick you can use on the server side is to just shut off the 
non-secure port by using a value of 0 for cn=config nsslapd-port.  Then 
the server will only listen for LDAPS requests.
>
>                     Regards Ashley
>
>
> On Thu, 3 May 2007, Eric Brown wrote:
>
>> I have got SSL set up and working, but I have not figured out how I
>> can require that users only connect through a secure connection (SSL
>> or TLS) and deny access to cleartext communication.
>>
>> I was able to do this with OpenLDAP, but it was done in the slapd.conf
>> file. I have not found any documentation on how to set it up or if it
>> is even possible with FDS.
>>
>> Is there any doc or does anyone have any information on how to do this?
>>
>> Thanks
>> Eric
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>> !DSPAM:272,4639f614145012118015795!
>>
>

Yes I thought about that, but I''m supporting some legacy Linux/Unix 
system which I provide LDAP/NIS auth from the Directory Server.

I don''t really want to break things, I''m just phasing things
out
gradually.

 					Cheers then, Ashley


On Fri, 4 May 2007, Richard Megginson wrote:
> ashley wrote:
>> 
>> It depends on your distribution but pretty much all the same as I found
it
>> you have to edit ldap.conf but you may have to do a little bit of
fiddling
>> before you can get it working.
>> 
>> Anyways I''ve got this also documented on my web site
>> 
>> http://www.csse.uwa.edu.au/~ashley/
>> 
>> Look at LDAP Fedora Directory Server HOWTO with SSL & NOSSL for
Unix/ Linux
>> / MacOSX / Windows Client Binding document.
>> 
>> Look at section 3.3 Binding Linux/Unix Machines to LDAPs.
>> 
>> I''ve did this last year and should still be applicable.
> Thanks Ashley.
>
> Another trick you can use on the server side is to just shut off the 
> non-secure port by using a value of 0 for cn=config nsslapd-port.  Then the
> server will only listen for LDAPS requests.
>>
>>                     Regards Ashley
>> 
>> 
>> On Thu, 3 May 2007, Eric Brown wrote:
>> 
>>> I have got SSL set up and working, but I have not figured out how I
>>> can require that users only connect through a secure connection
(SSL
>>> or TLS) and deny access to cleartext communication.
>>> 
>>> I was able to do this with OpenLDAP, but it was done in the
slapd.conf
>>> file. I have not found any documentation on how to set it up or if
it
>>> is even possible with FDS.
>>> 
>>> Is there any doc or does anyone have any information on how to do
this?
>>> 
>>> Thanks
>>> Eric
>>> 
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>> 
>>> 
>>> !DSPAM:272,4639f614145012118015795!
>>> 
>> 
>
>
> !DSPAM:272,463b48cc91651926681497!
>
-- 
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley

"There is no such thing as Fate, Fate is what you make of it!"

You could use IPTABLES As well and not have to play with the configuration
of FDS but I am sure you already figured this out.

Edward

On 5/7/07, ashley <ashley@csse.uwa.edu.au> wrote:
>
>
> Yes I thought about that, but I''m supporting some legacy
Linux/Unix
> system which I provide LDAP/NIS auth from the Directory Server.
>
> I don''t really want to break things, I''m just phasing
things out
> gradually.
>
>                                         Cheers then, Ashley
>
>
> On Fri, 4 May 2007, Richard Megginson wrote:
>
> > ashley wrote:
> >>
> >> It depends on your distribution but pretty much all the same as I
found
> it
> >> you have to edit ldap.conf but you may have to do a little bit of
> fiddling
> >> before you can get it working.
> >>
> >> Anyways I''ve got this also documented on my web site
> >>
> >> http://www.csse.uwa.edu.au/~ashley/
> >>
> >> Look at LDAP Fedora Directory Server HOWTO with SSL & NOSSL
for Unix/
> Linux
> >> / MacOSX / Windows Client Binding document.
> >>
> >> Look at section 3.3 Binding Linux/Unix Machines to LDAPs.
> >>
> >> I''ve did this last year and should still be applicable.
> > Thanks Ashley.
> >
> > Another trick you can use on the server side is to just shut off the
> > non-secure port by using a value of 0 for cn=config nsslapd-port. 
Then
> the
> > server will only listen for LDAPS requests.
> >>
> >>                     Regards Ashley
> >>
> >>
> >> On Thu, 3 May 2007, Eric Brown wrote:
> >>
> >>> I have got SSL set up and working, but I have not figured out
how I
> >>> can require that users only connect through a secure
connection (SSL
> >>> or TLS) and deny access to cleartext communication.
> >>>
> >>> I was able to do this with OpenLDAP, but it was done in the
slapd.conf
> >>> file. I have not found any documentation on how to set it up
or if it
> >>> is even possible with FDS.
> >>>
> >>> Is there any doc or does anyone have any information on how to
do
> this?
> >>>
> >>> Thanks
> >>> Eric
> >>>
> >>> --
> >>> Fedora-directory-users mailing list
> >>> Fedora-directory-users@redhat.com
> >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>
> >>>
> >>> !DSPAM:272,4639f614145012118015795!
> >>>
> >>
> >
> >
> > !DSPAM:272,463b48cc91651926681497!
> >
>
> --
> Ashley Chew - Systems Administrator
> School of Computer Science and Software Engineering
> University of Western Australia
> Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
> Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
>
> "There is no such thing as Fate, Fate is what you make of it!"
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>