Tuesday, March 10, 2020

[389-users] Re: Force use of secure connections

Also note that if your directory requires authentication before any data will be returned, you can use the require secure bind option (http://www.port389.org/docs/389ds/howto/howto-require-secure-binds.html) to force authentication over SSL first. In effect, no data will be returned over the non-SSL port unless the START_TLS extended operation is used.

-----Original Message-----
From: Mark Reynolds <mreynolds@redhat.com>
Sent: Tuesday, March 10, 2020 2:12 PM
To: General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>; Rob Crittenden <rcritten@redhat.com>; Matthew Aguirre <matt.aguirre@einstein-tech.com>
Subject: [389-users] Re: Force use of secure connections


On 3/10/20 4:07 PM, Rob Crittenden wrote:
> Matthew Aguirre wrote:
>> Is there a way to disable unsecured use of port 389? I am using
>> FreeIPA, so the client setup uses port 389 with TLS and that is fine,
>> but I'd like to be able to not allow unsecured connections as much as
>> possible.
>>
>> I was able to do this in OpenLdap, but haven't seen a comparable
>> solution in ds-389.
> http://www.port389.org/docs/389ds/howto/howto-require-secure-binds.html

The link Rob provided is the best option for you, but for the sake of completeness you can also disable the 389 port (but then you can't use StartTLS):

http://www.port389.org/docs/389ds/howto/howto-listensslonly.html

>
> rob

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
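
An added example, not part of the original thread or of the 389 DS project's code: a Python check that reads the `cn=config` entry from `dse.ldif` text and reports which of the two postures discussed above is in effect. The attribute names `nsslapd-port`, `nsslapd-require-secure-binds` and `nsslapd-allow-anonymous-access`, their defaults, and the reading of `nsslapd-port: 0` as "plain port disabled" are assumptions drawn from 389 DS configuration, not from the thread; the sample LDIF is constructed.

```python
# Constructed sample of a cn=config entry (one line folded, as LDIF allows).
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-security: on
nsslapd-require-secure-bi
 nds: on
nsslapd-allow-anonymous-access: rootdse
"""

def parse_config_entry(ldif_text):
    """Return the attributes of the 'dn: cn=config' entry, keys lowercased."""
    unfolded = []
    for line in ldif_text.splitlines():
        # LDIF continuation lines start with exactly one space.
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    attrs, in_entry = {}, False
    for line in unfolded:
        if not line.strip():            # a blank line ends an entry
            if in_entry:
                break
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            in_entry = value.lower() == "cn=config"
        elif in_entry:
            attrs[name] = value
    return attrs

def audit(attrs):
    """Classify how the instance treats cleartext LDAP on the standard port."""
    port = attrs.get("nsslapd-port", "389")
    secure = attrs.get("nsslapd-require-secure-binds", "off").lower() == "on"
    anon = attrs.get("nsslapd-allow-anonymous-access", "on").lower()
    if port == "0":
        return ["plain-port-disabled"]   # LDAPS only, so StartTLS is unavailable
    if not secure:
        return ["cleartext-binds-accepted"]
    findings = ["secure-binds-required"]
    if anon != "off":
        # Secure binds only protect authenticated sessions (see the caveat above).
        findings.append("anonymous-access-not-disabled")
    return findings

if __name__ == "__main__":
    print(audit(parse_config_entry(SAMPLE_DSE_LDIF)))
```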
