https://bugs.openldap.org/show_bug.cgi?id=9698
Issue ID: 9698
Summary: per database olcSecurity: tls=0 does not override olcSecurity: tls=1 from the frontend
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: dpa-openldap@aegee.org
Target Milestone: ---
I have these databases:
cn=config
frontend,cn=config
mdb/suffix o=A,cn=config
mdb/suffix o=B,cn=config
slapd listens on port 389.
I want to make sure that
• all requests to suffix o=A are served after STARTTLS, as these come from the wild internet,
• all requests to suffix o=B do not have to utilize STARTTLS (ldaps), as these are local to the machine, and
• if a request to the root DSE is made without using STARTTLS, the client shall get “ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required”.
To enforce STARTTLS for suffix o=A I put there `olcSecurity: tls=1`.
If I set
dn: olcDatabase=frontend,cn=config
olcAccess: to dn="" by tls_ssf=256 * read
and the rootDSE is requested without STARTTLS, the result is just empty, rather than “ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required”.
To get the “confidentiality required” for the root DSE I have to put
dn: olcDatabase=frontend,cn=config
olcSecurity: tls=1
or
dn: cn=config
olcSecurity: tls=1
It was unclear to me which one I should use, but both serve the same purpose.
Now, I want to enable no-STARTTLS for suffix o=B. I put there “olcSecurity: tls=0”. Irrespective of whether only cn=config or only olcDatabase=frontend,cn=config contains “olcSecurity: tls=1”, the “olcSecurity: tls=0” in suffix o=B is not enacted.
--- Comment #1 from Howard Chu hyc@openldap.org ---
That's how it works. You can only increase the security level in a database-specific config, you cannot reduce it below the setting in the frontend.
Howard Chu hyc@openldap.org changed:
What        |Removed     |Added
----------------------------------------
Resolution  |---         |INVALID
Status      |UNCONFIRMED |RESOLVED
Quanah Gibson-Mount quanah@openldap.org changed:
What        |Removed      |Added
----------------------------------------
Keywords    |needs_review |
Status      |RESOLVED     |VERIFIED
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
I would note that you can use the ACLs to ensure a specific security level is used and/or TLS is used when accessing a particular portion of the DIT.
--- Comment #3 from dpa-openldap@aegee.org ---
Can I use the ACLs to return the error “ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required”? (I mean, when olcSecurity is not set / not tls=1.)
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
(In reply to dpa-openldap@aegee.org from comment #3)
> Can I use the ACLs to return the error “ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required”? (I mean, when olcSecurity is not set / not tls=1.)

no.
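A configuration that respects the rule from comment #1 (a database can only raise the security level set in the frontend, never lower it) and uses the ACL approach from comment #2 for the root DSE, as an added example that is not part of this bug report. The database indexes ({1} for o=A, {2} for o=B) and the tls_ssf=128 threshold are assumptions; as comment #4 states, the ACL on the root DSE yields an empty result on cleartext connections rather than error 13.

```ldif
# Added example, not from the bug report. Applied with ldapmodify against
# cn=config. The frontend carries NO olcSecurity tls=... so that per-database
# settings are the only place the TLS requirement is raised.

# Frontend: restrict the root DSE to TLS sessions via an ACL instead of
# olcSecurity. Cleartext clients get an empty result, not error 13.
# tls_ssf=128 is an assumed minimum cipher strength (e.g. AES-128).
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcSecurity
-
replace: olcAccess
olcAccess: to dn.base="" by tls_ssf=128 read by * none

# o=A (assumed index {1}): internet-facing, require STARTTLS. Any operation
# on a cleartext connection now fails with "Confidentiality required (13)".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

# o=B (assumed index {2}): local clients, so no olcSecurity at all. A
# tls=0 here would be pointless: it cannot undo a frontend requirement, and
# with the frontend left unset there is nothing to undo.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSecurity
-
```

Expected behaviour after loading this: `ldapsearch -x -H ldap://localhost -b "" -s base` returns nothing, `ldapsearch -x -ZZ -H ldap://localhost -b "" -s base` returns the root DSE, a cleartext search under o=A fails with result 13, and a cleartext search under o=B is served (subject to that database's own ACLs).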