Is it possible to use start_tls on port 389 without having anonymous
simple bind enabled? As far as I can tell it's not, but it would be
nice to have confirmation of this.

(eDirectory 8.8.5 SP2 on SuSE)

If I turn on "Require TLS for all operations", "Disallow Anonymous
Simple Bind", and "Require TLS for Simple Binds with Password", I cannot
seem to authenticate to my eDirectory instance on port 389 using
start_tls. (SSL port 636 still works fine.)

ldapsearch returns:

Code:
--------------------
ldapsearch -ZZ -x -h edirectory.example.com -D "cn=bob,o=example" -W -p 389 -LLL -P 3 -s one objectClass=* -v
ldap_initialize( ldap://edirectory.example.com:389 )
ldap_start_tls: Inappropriate authentication (48)
additional info: Anonymous Simple Bind Disabled.
--------------------

dstrace shows:

Code:
--------------------
INFO: Implied anonymous bind by operation 0x1:0x77 on connection 0x27cff780
INFO: Sending operation result 48:"":"Anonymous Simple Bind Disabled." to connection 0x27cff780
INFO: Monitor 0xf6107ba0 found connection 0x27cff780 socket closed, err = -5871, 0 of 0 bytes read
INFO: Monitor 0xf6107ba0 initiating close for connection 0x27cff780
INFO: Server closing connection 0x27cff780, socket error = -5871
INFO: Connection 0x27cff780 closed
--------------------

If I turn off "Disallow Anonymous Bind", it works fine, but I really
don't want to go mucking around with [PUBLIC] permissions to restrict
the proxy user to have no access. (It shouldn't break anything, but...)
So is there any way to allow connections on 389 to do START_TLS without
enabling anonymous simple bind?


--
jcfergus
View this thread: http://forums.novell.com/showthread.php?t=448803
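For reference, this is what the exchange in the post looks like on the wire. It is an added example in pure-Python BER, not code from the post or from eDirectory: it builds the StartTLS ExtendedRequest that ldapsearch -ZZ sends as operation 1 (tag 0x77 is [APPLICATION 23], the extendedReq that dstrace logs as 0x1:0x77) and decodes a constructed ExtendedResponse carrying resultCode 48 with the diagnostic text from the trace. The response bytes are constructed here, not captured.

```python
# Minimal BER encode/decode for the LDAPv3 StartTLS exchange (RFC 4511).
START_TLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14
INAPPROPRIATE_AUTHENTICATION = 48            # resultCode seen in the trace


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # Two's-complement INTEGER; extra bit keeps positive values positive.
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def start_tls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }.
    0x40 (application) | 0x20 (constructed) | 23 = 0x77, the op tag in dstrace."""
    ext = tlv(0x77, tlv(0x80, START_TLS_OID.encode()))
    return tlv(0x30, ber_int(message_id) + ext)


def build_extended_response(message_id: int, result_code: int, diagnostic: str,
                            matched_dn: str = "") -> bytes:
    """Constructed ExtendedResponse [APPLICATION 24] = 0x78: code, matchedDN, message."""
    body = (tlv(0x0A, bytes([result_code])) + tlv(0x04, matched_dn.encode())
            + tlv(0x04, diagnostic.encode()))
    return tlv(0x30, ber_int(message_id) + tlv(0x78, body))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(pdu: bytes) -> dict:
    """Decode an ExtendedResponse; raises on anything that is not one."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(resp, 0)
    _, matched, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}
```

The request is sent before any BindRequest, which is why the server in the trace treats it as an implied anonymous bind and answers with resultCode 48 instead of starting TLS.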