Red Hat SummitChapter 3. Requiring LDAPS or STARTTLS for encrypted connections
To prevent sending unencrypted passwords over the network, you can configure Directory Server to require users to use LDAPS or STARTTLS encryption when connecting to the server.
3.1. Configuring Directory Server using the command line to accept only connections encrypted with LDAPS or STARTTLS
By default, Directory Server allows authentication using a bind DN and a password over unencrypted connections, which is a security risk. Suppose you cannot use an alternative secure mechanism, such as certificate-based authentication or SASL. In that case, you can configure Directory Server to require an encrypted connection when authenticating to the server using TLS or STARTTLS.
Requiring a secure connection for bind operations only applies to authenticated binds. Bind operations without a password, such as anonymous and unauthenticated binds, can proceed over standard connections.
Prerequisites
- You configured existing server-to-server connections, such as replication agreements, to use secure binds.
Procedure
Set the
nsslapd-require-secure-bindsconfiguration parameter toon:# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-require-secure-binds=onOptional: If you want to use LDAPS, disable the plain text LDAP port:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security disable_plain_portRestart the instance:
# dsctl instance_name restart
When you enable this feature, it is required for all connections. For example, this includes replication agreements, synchronization, and database chaining.
3.2. Configuring Directory Server using the web console to accept only connections encrypted with LDAPS or STARTTLS
By default, Directory Server allows authentication using a bind DN and a password over unencrypted connections, which is a security risk. Suppose you cannot use an alternative secure mechanism, such as certificate-based authentication or SASL. In that case, you can configure Directory Server to require an encrypted connection when authenticating to the server using TLS or STARTTLS.
Requiring a secure connection for bind operations only applies to authenticated binds. Bind operations without a password, such as anonymous and unauthenticated binds, can proceed over standard connections.
Prerequisites
- You configured existing server-to-server connections, such as replication agreements, to use secure binds.
- You are logged in to the instance in the web console.
Procedure
-
Navigate to
, select the Require Secure Connectionsoption, and click . -
Optional: If you want to use LDAPS, navigate to
, and set LDAP Portto0to disable the plain text LDAP port. Click . -
Click in the top right corner, and select
Restart Instance.
When you enable this feature, it is required for all connections. For example, this includes replication agreements, synchronization, and database chaining.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}