You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by "Stefan Humbold (JIRA)" <ji...@apache.org> on 2016/02/26 16:58:18 UTC

[jira] [Closed] (DIRSERVER-2126) Possibility to set 'StartTLS enforced' through some parameter

     [ https://issues.apache.org/jira/browse/DIRSERVER-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Humbold closed DIRSERVER-2126.
-------------------------------------
    Resolution: Not A Problem

It is already working!

Setting the value of attribute ads-confidentialityRequired to TRUE and restart the server,
This attribute is present in the entry ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config

Tested with M21 and JRE8



> Possibility to set 'StartTLS enforced' through some parameter
> -------------------------------------------------------------
>
>                 Key: DIRSERVER-2126
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2126
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 2.0.0-M21
>         Environment: All Apache-DS Versions, all operating systems.
>            Reporter: Stefan Humbold
>            Priority: Critical
>
> Up to now (M21) it ist not possible to set the communication protocol to 'StartTLS enforced'.
> We don't want to offer our ldap-clients an unsecure way to talk with our LDAP-Server. Yes I can disable the default-Port 389 and only enable the SSL-Port 636 .But there is written in the DS documentation: " **LDAPS** is considered as deprecated. You should always favor startTLS instead. "
> And I also need the port 389 (with StartTLS) for replication, so i can not disable it.
> At the moment i use onlyTLSV1.2 (attribute ads-enabledProtocols). But the users can still connect without TLS.
> I found this interesting paper:
> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf
> --> see Caption caption 3.5:  
> "The correct and standard approach is to start LDAP without encryption and then negotiate the TLS security layer. If necessary, the server can be configured to refuse all operations other than 'Start TLS' until TLS is in place"
> In OpenLDAP you can enforce TLS through some
> parameter, and I think that would be a good addition to ApacheDS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)