cn=Directory Manager: All about Directory Server
Wednesday January 25, 2006
Frequently-Asked Questions #2: Disabling Non-SSL Access

Q: Normally, when I enable SSL in the Directory Server, I get both SSL and non-SSL listeners active. Is there any way to disable the non-SSL listener so that it will only accept SSL-based connections?

A: The short answer is "Yes", it is possible to do this. But there is a longer answer because there are a couple of ways to achieve the desired result.

If you really do want to completely disable non-SSL access to the server, then you can do so by setting the value of the nsslapd-port configuration attribute to zero. This isn't really publicly documented, but the behavior has existed for years and isn't likely to change in either the 5.x or the upcoming 6.x release. With this setting the server won't listen at all for non-SSL connections, so there is no way for non-SSL clients to connect.

Note, however, that if you do completely disable all non-SSL access, then certain things will stop working. This includes various administrative scripts that come with the Directory Server and expect to be able to communicate without SSL, including bak2db.pl, db2bak.pl, db2index.pl, db2ldif.pl, ldif2db.pl, ldif2ldap, monitor, ns-accountstatus.pl, ns-activate.pl, and ns-inactivate.pl. All of these scripts expect to be able to communicate with the server over the loopback address without using SSL. Similarly, other components like the administration server and console might need to be configured to use SSL for their communication with the server. One way to deal with this requirement is to update all of these components so that they can communicate over SSL before disabling non-SSL access. This isn't really that much work, since in most cases it simply requires finding the ldapsearch command line in the script and adding the appropriate options (in particular, adding -Z to enable SSL, adding -P to specify the path to the certificate database, and updating -p to point to the SSL-enabled port).
However, you should be aware that these updates could possibly (although it is unlikely) be undone if you upgrade or patch the server and the new version ships changed copies of these scripts.

Another (and IMHO, better) approach that you can take is to leave non-SSL access enabled for the Directory Server but to constrain it so that it is only allowed on the loopback interface. You can achieve this by setting the value of the nsslapd-listenhost configuration attribute to "127.0.0.1". This ensures that remote systems cannot communicate with the server without using SSL, while local scripts continue working as expected. Since nothing then crosses the wire in the clear, this still achieves the desired effect, but in a much more convenient manner.

Posted by cn_equals_directory_manager ( Jan 25 2006, 09:07:59 AM CST )
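The following is an added example, not code from the original post or from the Directory Server product, covering the three practical pieces of both approaches above: producing the cn=config change for either option (nsslapd-port: 0, or nsslapd-listenhost: 127.0.0.1), auditing the bundled admin scripts for ldapsearch invocations that still lack -Z before the cleartext port goes away, and checking afterwards which addresses can still reach the cleartext port. It assumes the configuration entry is cn=config, that the server is restarted after the change, that the admin scripts are plain text that can be scanned for their ldapsearch command lines, and that the ldapmodify command line in the comment uses the same Sun/Netscape-style options the post uses for ldapsearch. The sample script text and certificate database path are constructed for the example.

```python
"""Helpers for disabling or confining non-SSL Directory Server access.

Added example for this page, not part of the Directory Server product.
"""
import re
import socket

# ---------------------------------------------------------------------------
# 1. The cn=config modification for either approach.
#    Apply with the bundled ldapmodify against the still-open cleartext port,
#    e.g. (Sun-style options, assumed):
#        ldapmodify -h 127.0.0.1 -p 389 -D "cn=Directory Manager" -w - -f change.ldif
#    then restart the server (assumed to be required for either attribute).
# ---------------------------------------------------------------------------
def build_config_ldif(mode):
    """Return an LDIF modify for cn=config.

    mode="loopback": keep the cleartext listener, bound to 127.0.0.1 only
                     (the post's preferred option).
    mode="disable":  nsslapd-port: 0, no cleartext listener at all.
    """
    if mode == "loopback":
        attr, value = "nsslapd-listenhost", "127.0.0.1"
    elif mode == "disable":
        attr, value = "nsslapd-port", "0"
    else:
        raise ValueError("mode must be 'loopback' or 'disable'")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"replace: {attr}\n"
        f"{attr}: {value}\n"
    )


# ---------------------------------------------------------------------------
# 2. Audit: which ldapsearch/ldapmodify/ldapdelete command lines in a script
#    still run without -Z?  Those are the ones that need -Z, -P <certdb> and
#    an updated -p <ssl port> before the cleartext port is switched off.
# ---------------------------------------------------------------------------
_LDAP_CLI = re.compile(r"\bldap(?:search|modify|delete)\b[^\n]*")


def find_cleartext_ldap_calls(script_text):
    """Return (line_number, line) for each ldap* invocation lacking -Z."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        m = _LDAP_CLI.search(line)
        if m and not re.search(r"(?:^|\s)-Z(?:\s|$)", m.group(0)):
            hits.append((n, line.strip()))
    return hits


# Constructed stand-in for one of the bundled Perl admin scripts; the certdb
# path is hypothetical.  Line 3 is cleartext, line 4 has already been fixed.
SAMPLE_SCRIPT = """\
#!/usr/bin/perl
# constructed sample, not a real Directory Server script
$cmd = "ldapsearch -h 127.0.0.1 -p 389 -D '$rootdn' -w $passwd -b cn=monitor objectclass=*";
$ok  = "ldapsearch -Z -P /var/ds/alias/cert8.db -h 127.0.0.1 -p 636 -D '$rootdn' -w $passwd -b cn=monitor objectclass=*";
"""


# ---------------------------------------------------------------------------
# 3. Verification after the change: run port_reachable() from a remote host
#    against the server's external address and on the server itself against
#    127.0.0.1.  With nsslapd-listenhost: 127.0.0.1 only the second is True;
#    with nsslapd-port: 0 both are False.
# ---------------------------------------------------------------------------
def port_reachable(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_loopback_only_listener():
    """Stand-in for a server with nsslapd-listenhost: 127.0.0.1: a socket
    bound to the loopback address only.  Returns (reachable_via_loopback, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))   # loopback only, ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return port_reachable("127.0.0.1", port), port
    finally:
        srv.close()


if __name__ == "__main__":
    print(build_config_ldif("loopback"))
    for n, line in find_cleartext_ldap_calls(SAMPLE_SCRIPT):
        print(f"line {n} still runs in the clear: {line}")
    ok, port = demo_loopback_only_listener()
    print(f"loopback listener on 127.0.0.1:{port} reachable via loopback: {ok}")
```

Run the audit over each of the scripts the post lists before choosing the nsslapd-port: 0 route, and re-run it after any upgrade or patch, since a refreshed script silently reverts to the cleartext command line.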