2 Replies Latest reply: Apr 8, 2014 10:59 AM by fchagnon

    Forcing Encrypted connections with OUD

    fchagnon

      I have an OUD environment that supports both LDAP/TLS on the LDAP Connection Handler, as well as LDAPS on the LDAPS Connection Handler.

      LDAP/TLS is the standard for our OEL systems which use LDAP as their identity store via sssd. LDAPS is used by Solaris systems.


      I would like to prevent the use of clear-text communication to the LDAP Connection Handler. I've noticed that this is only possible by forcing client-side certificates (tls_reqcert), and setting the LDAP server to "require" these client side certificates. Presently, in order to communicate securely with the LDAP server, the client systems have the trust of the root CA used to sign the server certificates on each LDAP server. This assures the client that the server is legitimate, but does not provide the server with any client-side assurance.


      With thousands of LDAP client systems to support, I was hesitant to employ a model that required client-side certificate management. Is this the only way to ensure that no clear-text communication is possible on the LDAP Connection Handler port, and that TLS is required at all times?


      Fred
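Whatever the handler is eventually configured to do, the question above reduces to something that can be tested from the network: does port 389 still complete a simple bind in the clear, or does it refuse it and only proceed after StartTLS? The probe below is an added example written for this thread, not code from the original post or from Oracle. It uses only the Python standard library, hand-encodes the two LDAP messages it needs (anonymous simple bind and the StartTLS extended operation, OID 1.3.6.1.4.1.1466.20037), and reports the LDAP result codes from RFC 4511: 0 is success, 13 is confidentialityRequired, which is what a TLS-only handler is expected to return to a clear-text operation. The host name `ldap.example.com`, the anonymous bind, and the assumption that each response fits in one `recv` are all choices made for the example.

```python
"""Probe an LDAP port for clear-text acceptance versus StartTLS enforcement.

Added example (not from the original thread): standard-library only, hand-encodes
the two LDAP messages it needs, so it can be pointed at any LDAP connection
handler, OUD or otherwise.  Host and port below are placeholders.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
CONFIDENTIALITY_REQUIRED = 13               # LDAP resultCode a TLS-only handler returns


def ber_len(n: int) -> bytes:
    """BER definite-form length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """BER INTEGER for a non-negative value (prepends 0x00 if the high bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def simple_bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }.
    Empty dn and password make this an anonymous bind."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + bind)


def starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_result(msg: bytes):
    """Parse an LDAPMessage carrying a BindResponse [APPLICATION 1] or an
    ExtendedResponse [APPLICATION 24]; return (messageID, resultCode, diagnosticMessage)."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag not in (0x61, 0x78):
        raise ValueError("unexpected protocolOp tag 0x%02x" % op_tag)
    _, code, pos = read_tlv(op)           # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)  # matchedDN (ignored)
    _, diag, _ = read_tlv(op, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def probe(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Connect in the clear, try an anonymous simple bind, then StartTLS, then bind again
    inside TLS.  Each value is an LDAP resultCode (0 = success, 13 = confidentialityRequired)
    or None if the server dropped the connection at that step.  Responses are short, so one
    recv per step is enough for a diagnostic tool."""
    out = {"cleartext_bind": None, "starttls": None, "bind_over_tls": None}
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(simple_bind_request(1))
            out["cleartext_bind"] = parse_result(s.recv(4096))[1]
            s.sendall(starttls_request(2))
            out["starttls"] = parse_result(s.recv(4096))[1]
        except (OSError, IndexError, ValueError):
            return out                    # connection closed or no LDAP answer: treated as refused
        if out["starttls"] == 0:
            ctx = ssl.create_default_context()      # verifies the server cert against the local trust store
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                tls.sendall(simple_bind_request(3))
                out["bind_over_tls"] = parse_result(tls.recv(4096))[1]
    return out


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"))
```

Run it against the LDAP Connection Handler port before and after any change. A handler that still accepts clear text shows `cleartext_bind: 0`; one that insists on TLS shows `cleartext_bind: 13` (or `None`, if it simply closes the connection) together with `starttls: 0`. Whether `bind_over_tls` is 0 depends on whether anonymous binds are allowed at all, which is a separate setting from the transport requirement; the contrast between the clear-text result and the StartTLS result is the part that answers the question.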