FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Directory

 
 
LinkBack Thread Tools
 
Old 08-09-2010, 02:29 PM
Antony
 
Default Allow only SSL-connections

Hi all.

I'd like to make 389 Port DS allow only secure(SSL/TLS) connections and to disable listening for non-SSL connections.
Is it possible? If so, how would I do that?

Thanks in advance!
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 08-09-2010, 02:37 PM
Jonathan Boulle
 
Default Allow only SSL-connections

We couldn't find a "straightforward" option for this (if someone wiser knows one please enlighten me!), so as far as we worked out there are two means of achieving this:

1) Combination of two config options: nsslapd-allow-anonymous-access: off + nsslapd-require-secure-binds: on
First means that users must bind to the directory before doing anything
Second means that users can only bind when a session is encrypted with TLS
As mentioned here - http://lists.fedoraproject.org/pipermail/389-users/2010-January/010761.html - and elsewhere in the docs

2) Block access at a socket level (e.g. iptables or otherwise) to the cleartext LDAP port; e.g. drop traffic to 389 and only allow traffic to 636

-----Original Message-----
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Antony
Sent: Monday, August 09, 2010 3:29 PM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Allow only SSL-connections

Hi all.

I'd like to make 389 Port DS allow only secure(SSL/TLS) connections and to disable listening for non-SSL connections.
Is it possible? If so, how would I do that?

Thanks in advance!
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 08-09-2010, 02:45 PM
Rich Megginson
 
Default Allow only SSL-connections

Jonathan Boulle wrote:
> We couldn't find a "straightforward" option for this (if someone wiser knows one please enlighten me!), so as far as we worked out there are two means of achieving this:
>
> 1) Combination of two config options: nsslapd-allow-anonymous-access: off + nsslapd-require-secure-binds: on
> First means that users must bind to the directory before doing anything
> Second means that users can only bind when a session is encrypted with TLS
> As mentioned here - http://lists.fedoraproject.org/pipermail/389-users/2010-January/010761.html - and elsewhere in the docs
>
> 2) Block access at a socket level (e.g. iptables or otherwise) to the cleartext LDAP port; e.g. drop traffic to 389 and only allow traffic to 636
>
See http://directory.fedoraproject.org/wiki/SSF_Restrictions
> -----Original Message-----
> From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Antony
> Sent: Monday, August 09, 2010 3:29 PM
> To: 389-users@lists.fedoraproject.org
> Subject: [389-users] Allow only SSL-connections
>
> Hi all.
>
> I'd like to make 389 Port DS allow only secure(SSL/TLS) connections and to disable listening for non-SSL connections.
> Is it possible? If so, how would I do that?
>
> Thanks in advance!
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> __________________________________________________ ______________________
> In order to protect our email recipients, Betfair Group use SkyScan from
> MessageLabs to scan all Incoming and Outgoing mail for viruses.
>
> __________________________________________________ ______________________
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 08-09-2010, 04:07 PM
Daniel Maher
 
Default Allow only SSL-connections

On 08/09/2010 04:37 PM, Jonathan Boulle wrote:

> 2) Block access at a socket level (e.g. iptables or otherwise) to the cleartext LDAP port; e.g. drop traffic to 389 and only allow traffic to 636

FWIW we use iptables to block access to the unencrypted port (save for a
handful of special cases). It works well, is easy to understand and
maintain, and doesn't require mucking with the 389 application at all.
It's a clean solution, imho.

--
Daniel Maher <dma + 389users AT witbe DOT net>
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 08-12-2010, 01:06 PM
Juan Asensio Sánchez
 
Default Allow only SSL-connections

You can set nsslapd-port to 0 in dse.ldif, so the server will not listen in the 389 port.

2010/8/9 Daniel Maher <dma+389users@witbe.net>


On 08/09/2010 04:37 PM, Jonathan Boulle wrote:



> 2) Block access at a socket level (e.g. iptables or otherwise) to the cleartext LDAP port; e.g. drop traffic to 389 and only allow traffic to 636



FWIW we use iptables to block access to the unencrypted port (save for a

handful of special cases). *It works well, is easy to understand and

maintain, and doesn't require mucking with the 389 application at all.

It's a clean solution, imho.



--

Daniel Maher <dma + 389users AT witbe DOT net>

--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 

Thread Tools




All times are GMT. The time now is 01:25 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org