[Freeipa-users] Re: Allowing LDAP only via SSL?
As far as I underrstand, the vanilla installation of the freeipa
server allows clients to communicate with the LDAP server with or
without SSL. We need to configure both, clients to always use
SSL, and the server to reject non-SSL communication attempts.
Where can I find the relevant documentation about setting this up,
please?
You can set this option:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
But it breaks one or two things that may or may not be essential in your environment, so
you'll want to test carefully.
It also cannot prevent a misconfigured client from blurting out a password in plaintext
when performing a simple bind over port 389. Blame the flawed design of the LDAP protocol
for that. But at least you can prevent such a bind from succeeding with:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
FreeIPA servers/clients need to be able to communicate IPA servers securely without using
TLS; GSSAPI is used for Kerberos-based integrity and confidentiality over port 389. The CA
component of FreeIPA is optional, after all. :)
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9