On 08/09/2010 04:37 PM, Jonathan Boulle wrote: > 2) Block access at a socket level (e.g. iptables or otherwise) to the > cleartext LDAP port; e.g. drop traffic to 389 and only allow traffic to 636
FWIW we use iptables to block access to the unencrypted port (save for a handful of special cases). It works well, is easy to understand and maintain, and doesn't require mucking with the 389 application at all. It's a clean solution, imho. -- Daniel Maher <dma + 389users AT witbe DOT net> -- 389 users mailing list 389-us...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
