On Thu, 7 Oct 2010, Mathieu Baudier wrote: >> You can also use StartTLS over the network and LDAPI (connection >> over Unix sockets, which are inherently secure) for apps running on >> the server. I use it, both with OpenLDAP and 389 Directory Server >> (a.k.a. Fedora DS, Red Hat DS). > > Unfortunately, I have a whole LAN whose user/group/auth management > is centralized with LDAP (each server having different apps). So I > need plain LDAP access on the LAN. One possible solution is to have the main LDAP server addressable only via STARTTLS and a non-SSL, read-only slave on a different host that's visible only to your LAN. Read up on the "syncrepl" directive for use in slapd.conf. The slave could even exist in a VM hosted on the main LDAP server, since it's a very lightweight service. -- Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/