> Well, that's simply *not* true... says the guy who, 20-30 years ago, had
> to read IBM mainframe manuals
I can attest to IBM manuals of that era. :-)
A few years back while working for a bank I came across one of the
original manuals for the IBM 4702 Branch Controller. And I thought
early eSe
> One possible solution is to have the main LDAP server addressable only
> via STARTTLS and a non-SSL, read-only slave on a different host that's
> visible only to your LAN.
Very interesting.
It would also address some concerns I had with all these third-party
LDAP plugins having (potential) write
On Thu, 7 Oct 2010, Mathieu Baudier wrote:
>> You can also use StartTLS over the network and LDAPI (connection
>> over Unix sockets, which are inherently secure) for apps running on
>> the server. I use it, both with OpenLDAP and 389 Directory Server
>> (a.k.a. Fedora DS, Red Hat DS).
>
> Unfor
> You can also use StartTLS over the network and LDAPI (connection over Unix
> sockets, which are inherently secure) for apps running on the server. I use
> it, both with OpenLDAP and 389 Directory Server (a.k.a. Fedora DS, Red Hat
> DS).
Unfortunately, I have a whole LAN whose user/group/auth man
> The reason why I (think I) need both is that many third party apps on
> the server (PHP applications typically) do not easily manage StartTLS.
> Meanwhile, having two different ports makes it easier to manage via iptables.
>
You can also use StartTLS over the network and LDAPI (connection over
lease help
Thank you.
> Date: Wed, 6 Oct 2010 22:27:08 +0100
> From: miguelmeda...@sapo.pt
> To: mbaud...@argeo.org
> CC: centos@centos.org
> Subject: Re: [CentOS] LDAP authentication on a remote server (via ldaps://)
> [SOLVED]
>
>
> >> Are you aware that SSL
> A quick search will provide plenty of articles about the subject.
Thanks, I had actually thought of using a search engine (as somebody
put it, part of the fun with configuring OpenLDAP is that you
definitely have to).
What I cannot find (yet) is whether there is a way to require StartTLS
only f
>> Are you aware that SSL on port 636 is now considered deprecated in favor of
>> START_TLS on port 389?
> No, I'm not (I actually thought that it was the other way round)
>
> (...)
>
> What are the pros and cons of both approaches?
>
> Comments more than welcome
You can, as an example, consult th
> Are you aware that SSL on port 636 is now considered deprecated in favor of
> START_TLS on port 389?
No, I'm not (I actually thought that it was the other way round)
I found it practical to have a port (389 or equivalent) that I could
authorize via iptables only on the local network, and anoth
Scott Robbins wrote:
> On Wed, Oct 06, 2010 at 06:35:14PM +0200, Mathieu Baudier wrote:
>>
>> IMHO, the comments in /etc/ldap.conf could be a bit more explicit on
>> the 'on' value:
>
> IMNSHO most documentation on LDAP is laughable, and perhaps one of the
> main reasons Active Directory has become
On Wed, Oct 06, 2010 at 06:35:14PM +0200, Mathieu Baudier wrote:
>
> IMHO, the comments in /etc/ldap.conf could be a bit more explicit on
> the 'on' value:
IMNSHO most documentation on LDAP is laughable, and perhaps one of the
main reasons Active Directory has become so much more popular. Say w
Are you aware that SSL on port 636 is now considered deprecated in favor
of START_TLS on port 389?
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
> Here are the changes I'd review:
>
> 1. After installing the CA cert, did you create a hash link? E.g.,
>
> /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
>
> 2. Make sure you know the difference between /etc/ldap.conf and
> /etc/openldap/ldap.conf. The former is used by nss_ldap, the