From: Kurt Zeilenga Date: Mon, 26 Aug 2002 22:10:32 +0000 (+0000) Subject: Add note regard StartTLS over 389. X-Git-Tag: NO_SLAP_OP_BLOCKS~1166 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=09e64b6fe80d43a040d04048341ac20f488084e3;p=openldap Add note regard StartTLS over 389. --- diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf index 8f9967608e..0ebc872a24 100644 --- a/doc/guide/admin/security.sdf +++ b/doc/guide/admin/security.sdf @@ -24,8 +24,8 @@ E.g.: While the server can be configured to listen on a particular interface address, this doesn't necessarily restrict access to the server to only those networks accessible via that interface. To selective -restrict remote access, it is recommend that an IP Firewall be -used to restrict access. +restrict remote access, it is recommend that an {{SECT:IP Firewall}} +be used to restrict access. See {{SECT:Command-line Options}} and {{slapd}}(8) for more information. @@ -39,7 +39,10 @@ interface used to communicate with the client. Generally, {{slapd}}(8) listens on port 389/tcp for LDAP over {{TERM:TCP}} (e.g. {{F:ldap://}}) and port 636/tcp for LDAP over -{{TERM:SSL}} (e.g. {{F:ldaps://}}). +{{TERM:SSL}} (e.g. {{F:ldaps://}}). Note that LDAP over TCP +sessions can be protected by {{TERM:TLS}} through the use of +{{StartTLS}}. StartTLS is the Standard Track mechanism for protecting +LDAP sessions with TLS. As specifics of how to configure IP firewall are dependent on the particular kind of IP firewall used, no examples are provided here. @@ -57,6 +60,8 @@ For example, the {{host_options}}(5) rule: allows only incoming connections from the private network {{F:10.0.0.0}} and localhost ({{F:127.0.0.1}}) to access the directory service. +Note that IP addresses are used as {{slapd}}(8) is not normally +configured to perform reverse lookups. It is noted that TCP wrappers require the connection to be accepted. As significant processing is required just to deny a connection,
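Review bot: In the first hunk (the "@@ -24,8 +24,8 @@" region) the two rewritten lines keep two pre-existing grammar slips, "To selective restrict remote access, it is recommend that ...". Since these lines are already being touched to add the {{SECT:IP Firewall}} cross-reference, fix them in the same change: "To selectively restrict remote access, it is recommended that an {{SECT:IP Firewall}} be used to restrict access."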
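Review bot: In the second hunk (the "@@ -39,7 +39,10 @@" region) "Standard Track" should read "Standards Track", which is the usual IETF term. More importantly, because this paragraph sits in the IP-firewall discussion and contrasts 389/tcp with 636/tcp, the added note should make explicit that a firewall rule admitting 389/tcp admits both plain and StartTLS-protected sessions alike: StartTLS is negotiated inside the LDAP session after the TCP connection is established, so port-based filtering cannot tell a TLS-protected session from a cleartext one. A sentence such as "Note that an IP firewall cannot distinguish StartTLS-protected sessions from unprotected ones on port 389; requiring TLS is a matter of {{slapd}}(8) configuration, not of port filtering" would keep readers from assuming that opening 389 and relying on StartTLS guarantees an encrypted session.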
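Review bot: In the third hunk (the "@@ -57,6 +60,8 @@" region) the added sentence "Note that IP addresses are used as {{slapd}}(8) is not normally configured to perform reverse lookups" is ambiguous: "as" reads as "while" rather than "because", and it does not say what the reader should conclude from it. Suggest "Note that the rule uses IP addresses rather than host names because {{slapd}}(8) is not normally configured to perform reverse lookups; host-name patterns in the {{host_options}}(5) rule would therefore not be matched." That ties the note to the {{F:10.0.0.0}} / {{F:127.0.0.1}} example just above it and tells the administrator why a host-name based rule would silently fail to restrict access.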