[ http://issues.apache.org/jira/browse/DIRSERVER-639?page=comments#action_12415483 ]
Emmanuel Lecharny commented on DIRSERVER-639:
---------------------------------------------
Ok, I get it!
There is something that bugs me: the server is supposed to start on 10389, not 389, with the default configuration, no?
Ok then, whatever. It's true that we don't have an option to start the server on SSL only. We can add one in a future release, that's not very difficult. But to me, it seems to be much more a firewall setting than anything else, isn't it? If you forbid incoming requests to port xx389 in your firewall, it should be ok (at least, this is an option while waiting for a new version of ADS which will be SSL enabled only).
Second point, if you are running ADS on a Un*x box, then you have many choices, but do not run it as root. Even if using port 389, use sudo to launch the server, which should run using a special user (ldap, group ldap, for instance). If you choose to run on a port above 1024, you can launch ADS without using sudo. You can also chroot the whole ADS for security reasons. But never ever launch the server as root! If this is not clear, we can add a page on Confluence to help guys with such questions, because these are really important questions.
> allow to run ldaps only
> -----------------------
>
> Key: DIRSERVER-639
> URL: http://issues.apache.org/jira/browse/DIRSERVER-639
> Project: Directory ApacheDS
> Type: Improvement
> Components: ldap
> Environment: all
> Reporter: Ralf Hauser
>
> In our environment, we should not disclose anything without encrypting it in transmission.
> When trying to only start ldaps by simply not setting
> cfg.setLdapPort(...);
> apparently the default 389 is taken that in turn cannot be used if apacheDs is not started as root...
> How can I avoid just
> cfg.setLdapPort(2389);
> or at least shutting it down immediately afterwards.
> see also DIR-185
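One way to check the two points raised in the comment on a Linux host, as an added example that is not part of the original message or of ApacheDS: it parses text in `/proc/net/tcp` format and flags LDAP listeners whose plaintext port is bound beyond loopback or whose socket is owned by uid 0. The sample table, the service uid 389 and the use of 636 as the LDAPS port are constructed assumptions; a firewall rule may still block a port that is bound, so this only audits the bind and the owner.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not taken from a real host).
# Columns used: local_address (hex IP:port), st (0A = LISTEN), uid.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0185 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:2895 00000000:0000 0A 00000000:00000000 00:00000000 00000000   389        0 1002 1 0 100 0 0 10 0
   2: 00000000:027C 00000000:0000 0A 00000000:00000000 00:00000000 00000000   389        0 1003 1 0 100 0 0 10 0
   3: 0100007F:0185 0100007F:C350 01 00000000:00000000 00:00000000 00000000   389        0 1004 1 0 100 0 0 10 0
"""

PLAINTEXT_LDAP_PORTS = {389, 10389}          # the two ports named in the thread
LDAP_PORTS = PLAINTEXT_LDAP_PORTS | {636}    # assumption: LDAPS on 636


def listeners(proc_net_tcp):
    """Yield (ip, port, uid) for every IPv4 socket in LISTEN state."""
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != "0A":
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel prints the address as a host-order word; this assumes
        # a little-endian host, where 0100007F is 127.0.0.1.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        yield ip, int(port_hex, 16), int(fields[7])


def audit(proc_net_tcp):
    """Return (ip, port, reason) findings for LDAP listeners."""
    findings = []
    for ip, port, uid in listeners(proc_net_tcp):
        if port not in LDAP_PORTS:
            continue
        if port in PLAINTEXT_LDAP_PORTS and not ip.startswith("127."):
            findings.append((ip, port, "plaintext LDAP bound to non-loopback address"))
        if uid == 0:
            findings.append((ip, port, "listener owned by root"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROC_NET_TCP):
        print(finding)
```

On a real host, pass the contents of `/proc/net/tcp` to `audit()` instead of the sample.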