Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 34 |
1 files changed, 24 insertions, 10 deletions
@@ -44,25 +44,39 @@ suffix in the `suffix` key of the json config file. By default, `gobottin` connects to the Consul server on localhost. Change this by specifying the `consul_host` key in the json config file. -## Bind address +## Bind addresses -By default, `gobottin` listens on all interfaces on port 389. -Change this by setting the `bind_address` key in the json config file. +### Insecure port + +By default, `gobottin` listens on all interfaces on port 389 for standard +non-TLS connections. Change the value of the `bind` key in the json config +file to change this behaviour (default value: `0.0.0.0:389`). An empty string +will disable this port and `gobottin` will not listen for non-TLS connections. + +### Secure port + +If a TLS configuration is provided (see next section), `gobottin` also listens +on all interfaces on port 636 for TLS connections. Change the value of the +`bind_secure` key in the json config file to change this behaviour (default +value: `0.0.0.0:636`). An empty string will disable this port and `gobottin` +will not listen for TLS connections. ## TLS -`gobottin` supports TLS connections either as a mandatory default for all -connections or using the STARTLS functionnality of the LDAP protocol. To use -it, specify the following three keys in the json config file: +`gobottin` supports TLS connections using either fully secure connections or +using the STARTLS functionnality of the LDAP protocol to upgrade from an +insecure connection. To use it, specify the following three keys in the json +config file: - `tls_server_name`: the host name that clients will use to reach your LDAP server - `tls_cert_file`: path to your TLS certificate (a `.pem` file) - `tls_key_file`: path to your TLS key (a `.pem` file) -Specify `"use_starttls": true` to allow connections to start as insecure -connections and allow them to use the STARTTLS mechanism to upgrade to a secure -connection. 
If `use_starttls` is not specified or set to `false`, TLS is made -mandatory for all clients. +If a TLS configuration is provided, the `STARTTLS` mechanism may be used on the +insecure port, independently of whether the secure port is enabled or not. + +The secure port is disabled and a warning is shown if the `bind_secure` value +is set (non-empty) and no valid TLS configuration is provided. ## Access control list |
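Review bot: the removed `bind_address` and `use_starttls` keys are not mentioned anywhere in the new text, so an operator with an existing config file will not learn from this README that `bind_address` is now `bind`, or that `"use_starttls": false` no longer makes TLS mandatory; add a short migration note under "Bind addresses" and "TLS" stating that, per the new wording, plaintext connections are refused only by setting `bind` to an empty string, and that STARTTLS is always offered on the insecure port whenever a TLS configuration is present. Also, the rewritten TLS paragraph still carries `using the STARTLS functionnality of the LDAP protocol`; since the hunk already touches that line, fix it to `using the STARTTLS functionality of the LDAP protocol`.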