Thanks to Eric AUGE, I'm now using this patch successfully with TLS (instead of SSL ldaps).
I converted all my configuration files to TLS (currently pam_ldap, nss_ldap, sudo_ldap and ssh-lpk :).
That works fine (with some nscd tuning).
I have one question however; with ldaps (LDAP over SSL), all my connections are encrypted.
With TLS I can force using TLS on the client side (in all the conf files: libnss_ldap.conf, pam_ldap.conf, ldap.conf),
but not on the server side... I have not found the correct settings to accept only TLS requests with OpenLDAP.
So someone could use ldapsearch, for example, and make an unencrypted request to the server.
It's not so cool because my Unix servers are on an untrusted network.
So my only alternative for now is to continue using ldaps, and not use ssh-lpk :-(
Any ideas?
Is there something I missed?
--
Raphael Mazelier
_______________________________________________
Openssh-lpk mailing list
Openssh-lpk@...
http://www.opendarwin.org/mailman/listinfo/openssh-lpk
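A server-side setting that addresses the question in the message above, added here as an example and not taken from the list post or from the openssh-lpk project: OpenLDAP's `security` directive in slapd.conf makes slapd refuse any operation that arrives on a session below a minimum security strength factor, so a plain `ldapsearch` that never issues StartTLS is answered with an error instead of data. The certificate paths are placeholders.

```conf
# slapd.conf excerpt (added example; file paths are placeholders)

# Certificate material that slapd presents when a client issues StartTLS
# on the ordinary ldap:// port.
TLSCACertificateFile  /etc/openldap/certs/ca.crt
TLSCertificateFile    /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key

# Refuse every operation (bind, search, modify, ...) on a session whose
# security strength factor is below 128. A client that connects in the clear
# and does not upgrade with StartTLS first receives
# "confidentiality required" (LDAP result code 13) rather than an answer, so
# cleartext requests from an untrusted network are never serviced. The
# StartTLS extended operation itself is still accepted, so compliant clients
# (nss_ldap/pam_ldap with "ssl start_tls", ldapsearch -Z) keep working.
security ssf=128

# Local ldapi:// (Unix socket) sessions are assigned their own ssf; without
# this line the default would fall below 128 and local admin tools would be
# refused as well.
localSSF 128
```

To check the policy from a client, `ldapsearch -x -ZZ ...` forces StartTLS and fails outright if the server cannot provide it, while the same query without `-Z` should now come back with "Confidentiality required" instead of entries. Use `security tls=128` instead of `ssf=128` if the requirement must be satisfied by TLS specifically and not by SASL integrity layers; on a cn=config deployment the equivalent attribute is `olcSecurity`.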