Hey,

2012/3/6 Michael Ströder <[email protected]>

> [email protected] wrote:
>
>> I have the following question: we have about 100 LDAP applications running
>> to our Novell LDAP interface. Some work on port 636, some on 389. Now I
>> want to set the parameter "require TLS for simple bind with password". My
>> understanding was that TLS (or StartTLS) is an additional feature which can
>> be used (but must not be used) and that therefore the running applications
>> should not be affected. I had to learn that this is not true. Can you help
>> me to identify the requirements to understand which applications would be
>> affected by this change?
>>
>
> IIRC this vendor-specific configuration option in eDirectory lets all
> simple bind requests fail if not sent either over LDAPS or LDAP with
> StartTLS. This is simply considered your local policy. There are similar
> configuration options in other directory server products.
>
> And some eDirectory-specific operations (e.g. Universal password
> extraction with GetNMASPassword extended request) cannot be done without
> encrypted connection at all.
>
>
Well, as Michael already mentioned, the configuration option "require TLS
for simple bind with password" will almost certainly implement a policy to
reject any [simple] bind request that was not sent over LDAPS or LDAP with
StartTLS.
So, you must ensure that all applications connect to your eDirectory either
via LDAPS or LDAP with StartTLS before implementing that policy.

You should consult your directory's documentation for details on that
configuration option.

Regards, Linus
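As an added illustration (not part of this thread, and not eDirectory code): a small Python check that, run over cleartext LDAP messages seen on port 389, flags the simple binds carrying a password that this policy would start rejecting. The sample messages are constructed here; anonymous simple binds (empty password) are classified separately because the option, as named, concerns binds with a password, and anything on port 636 or following a StartTLS request is encrypted and cannot be inspected this way.

```python
from typing import Optional, Tuple

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one short-form BER TLV (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV (short or long definite length) at pos.
    Returns (tag, value, position just after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify(msg: bytes) -> Optional[str]:
    """Classify one cleartext LDAPMessage: 'simple-password', 'simple-anonymous',
    'sasl', 'starttls', or None for any other operation."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = read_tlv(body, 0)              # messageID INTEGER, not needed here
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == 0x77:                         # [APPLICATION 23] ExtendedRequest
        name_tag, name, _ = read_tlv(op, 0)    # requestName [0] LDAPOID
        return "starttls" if name_tag == 0x80 and name == b"1.3.6.1.4.1.1466.20037" else None
    if op_tag != 0x60:                         # [APPLICATION 0] BindRequest
        return None
    _, _, pos = read_tlv(op, 0)                # version INTEGER
    _, _, pos = read_tlv(op, pos)              # name (bind DN) OCTET STRING
    auth_tag, auth, _ = read_tlv(op, pos)      # AuthenticationChoice
    if auth_tag == 0x80:                       # simple [0] OCTET STRING (the password)
        return "simple-password" if auth else "simple-anonymous"
    return "sasl" if auth_tag == 0xA3 else None  # sasl [3] SaslCredentials

def would_be_rejected(port: int, msg: bytes) -> bool:
    """True when a cleartext message is a simple bind carrying a password, i.e.
    what 'require TLS for simple bind with password' would refuse. Port 636 is
    TLS from the first byte and everything after a StartTLS request is encrypted,
    so only plain port-389 messages can be inspected."""
    return port == 389 and classify(msg) == "simple-password"

# Constructed samples (not real traffic), each with messageID 1.
SIMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, b"cn=app1,o=acme") + tlv(0x80, b"s3cret")))
ANON_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b"")))
STARTTLS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x77, tlv(0x80, b"1.3.6.1.4.1.1466.20037")))
```

Feeding each port-389 message from a client capture through `would_be_rejected` gives the list of applications to fix before the option is enabled; a client that only ever shows a StartTLS request on 389 is already compliant.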
