Hello, My understanding is that FreeIPA is configured to accept connections on port 389 and the StartTLS is configured. I managed to connect to the IPA server by using ldapsearch -x and without -ZZ so, I suppose the TLS is not enforced.
Is there any option force TLS connections only? Obviously, I would prefer something that can be replicated and not to manually edit the configuration files, but I can live with that :)
On 11/27/18 10:14 AM, Peter Tselios via FreeIPA-users wrote:
Hello, My understanding is that FreeIPA is configured to accept connections on port 389 and the StartTLS is configured. I managed to connect to the IPA server by using ldapsearch -x and without -ZZ so, I suppose the TLS is not enforced.
Is there any option force TLS connections only? Obviously, I would prefer something that can be replicated and not to manually edit the configuration files, but I can live with that :)
On the DS side you can set "nsslapd-require-secure-binds" to "on" under cn=config. Attributes under cn=config do not replicate so this would have to be done manually to all your instances:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
freeipa-users@lists.fedorahosted.org
-
Mark Reynolds -
Peter Tselios