https://bugs.openldap.org/show_bug.cgi?id=9698
Issue ID: 9698
Summary: per database olcSecurity: tls=0 does not override olcSecurity: tls=1 from the frontend
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: dpa-openldap@aegee.org
Target Milestone: ---
I have these databases:
cn=config
frontend,cn=config
mdb/suffix o=A,cn=config
mdb/suffix o=B,cn=config
slapd listens on port 389.
I want to make sure that
• all requests to suffix o=A are served after STARTTLS, as these come from the wild internet,
• all requests to suffix o=B do not have to utilize STARTTLS (ldaps), as these are local to the machine, and
• if a request to the root DSE is made without using STARTTLS, the client shall get “ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required”.
To enforce STARTTLS for suffix o=A I put there `olcSecurity: tls=1`.
If I set
dn: olcDatabase=frontend,cn=config
olcAccess: to dn="" by tls_ssf=256 * read
and the rootDSE is requested without STARTTLS, the result is just empty, rather than “ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required”.
To get the “confidentiality required” for the root DSE I have to put
dn: olcDatabase=frontend,cn=config
olcSecurity: tls=1
or
dn: cn=config
olcSecurity: tls=1
It was unclear to me which one I should use, but both serve the same purpose.
Now I want to allow no-STARTTLS access to suffix o=B, so I put “olcSecurity: tls=0” there. Irrespective of whether only cn=config or only olcDatabase=frontend,cn=config contains “olcSecurity: tls=1”, the “olcSecurity: tls=0” in suffix o=B is not enacted.
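A consolidated cn=config reproduction of the setup described in this report, added here as an example (it is not the reporter's own configuration file); the olcDbDirectory paths, olcRootDN values and the ldapsearch checks in the comments are assumptions:

```ldif
# Global tls=1 as tried in the report on cn=config; the report says
# putting the same attribute on the frontend entry behaves identically.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

# Frontend rootDSE ACL from the report. With only this ACL (no tls=1),
# an unencrypted base search on "" returns an empty result instead of
# error 13 (Confidentiality required).
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn="" by tls_ssf=256 * read

# o=A: internet-facing, STARTTLS enforced per database.
dn: olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: o=A
# assumed path and rootDN
olcDbDirectory: /var/lib/ldap/a
olcRootDN: cn=admin,o=A
olcSecurity: tls=1

# o=B: local clients; the per-database tls=0 is meant to override the
# global/frontend tls=1 but, per the report, is not honoured.
dn: olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: o=B
# assumed path and rootDN
olcDbDirectory: /var/lib/ldap/b
olcRootDN: cn=admin,o=B
olcSecurity: tls=0

# Checks (assumed commands, run on the slapd host, port 389, no -ZZ):
#   ldapsearch -x -H ldap://localhost -b o=B -s base
#     intended: succeeds without STARTTLS; report: still refused
#   ldapsearch -x -H ldap://localhost -b o=A -s base
#     intended: ldap_bind: Confidentiality required (13)
#   ldapsearch -x -H ldap://localhost -b "" -s base
#     error 13 only when tls=1 is set on cn=config or the frontend
```

Load with ldapmodify against cn=config; adding -ZZ to any of the checks is the control that shows the same request succeeding over STARTTLS.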