On Fri, 22 Aug 2008, Ben Wailea, openldap-software wrote: ...
ldapadd & ldapsearch seem to work over TLS as well,
ldapadd -ZZ -x -D "cn=admin,dc=domain,dc=com" -f /etc/openldap/admin.ldif -w 'secret'
...
with slapd.log showing,
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 ACCEPT from IP=192.168.1.17:34861 (IP=192.168.1.17:389)
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 STARTTLS
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 RESULT oid= err=0 text=
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 TLS established tls_ssf=256 ssf=256
...
Note the EXT/STARTTLS/TLS log messages there, showing that the client (ldapadd) actually used the STARTTLS operation.
...
but, on slapd service (re)start, i see in slapd.log,
Aug 22 11:02:47 ldap slapd[31441]: slapd starting
Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 ACCEPT from IP=192.168.1.17:42320 (IP=192.168.1.17:389)
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 BIND dn="" method=128
Note the *lack* of those EXT/STARTTLS/TLS messages. The client that made that connection didn't use the StartTls operation, so it wasn't using an encrypted connection so...
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
...the bind was in the clear, which your slapd configuration rejects.
what are these multiple connection "text=TLS confidentiality required" errors due to?
Those are clients that don't use StartTLS when your server config requires it.
i'm guessing it has to do with security restrictions set in slapd.conf.
reading @ http://www.openldap.org/doc/admin24/security.html, i've,
Hmm, I don't see these options on that web page.
... security ssf=256 tls=256 update_tls=256 simple_bind=256
That seems like an unusual and/or redundant set of requirements. If I'm reading things correctly, that line should have the exact same behavior as this one: security tls=256
I.e., refuse to do _anything_ unless TLS is negotiated with an SSF of at least 256 (i.e., 256 bit encryption cipher). Is that *really* the requirement you mean to enforce?
disallow tls_2_anon
Hmm, why do you set that option? Do you know why the default isn't to do that?
require bind LDAPv3
I get the sense that you want to lock this server down by banning anything you aren't sure about.
are these settings correct, and/or are they responsible for those slapd.log messages? something else?
"Correct" depends on what you're trying to achieve.
Yes, they're responsible: you told the server "require TLS!" so it's refusing the clients that don't use TLS. I'm surprised it's a question.
Philip Guenther
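The distinction the reply draws (a connection that logs EXT/STARTTLS/"TLS established" before its BIND versus one that goes straight to BIND and gets err=13) can be checked mechanically over a slapd stats log. The script below is an added example, not code from the thread or from OpenLDAP: it groups log lines by conn id, records whether STARTTLS completed on that connection, and reports the result of the bind. The sample log is constructed from the lines quoted above plus a made-up successful bind for conn=12; the IPs, ports and conn ids are assumptions.

```shell
#!/bin/sh
# Added example: classify slapd connections by whether they negotiated
# STARTTLS before binding. Not part of OpenLDAP; written for this thread.

# Constructed sample log, modelled on the lines quoted in the thread.
# The bind lines for conn=12 are invented to show a successful TLS bind.
SAMPLE_LOG='Aug 22 11:02:47 ldap slapd[31441]: slapd starting
Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 ACCEPT from IP=192.168.1.17:42320 (IP=192.168.1.17:389)
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 BIND dn="" method=128
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 ACCEPT from IP=192.168.1.17:34861 (IP=192.168.1.17:389)
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 STARTTLS
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 RESULT oid= err=0 text=
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 TLS established tls_ssf=256 ssf=256
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 BIND dn="cn=admin,dc=domain,dc=com" method=128
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 RESULT tag=97 err=0 text='

# classify_conns: reads slapd "loglevel stats" lines on stdin and prints
# one line per connection:  conn=<id> <client ip> <tls|clear> err=<bind rc>
# "clear" means no "TLS established" was seen before the end of the log;
# tag=97 is the BindResponse, so only bind results are reported.
classify_conns() {
    awk '
    function conn_id() {
        match($0, /conn=[0-9]+/)
        return substr($0, RSTART + 5, RLENGTH - 5)
    }
    / ACCEPT from IP=/ {
        c = conn_id()
        match($0, /from IP=[^: ]+/)          # client address, port stripped
        ip[c] = substr($0, RSTART + 8, RLENGTH - 8)
        tls[c] = "clear"; err[c] = "none"
        order[++n] = c
    }
    / TLS established / { tls[conn_id()] = "tls" }
    / RESULT tag=97 err=/ {
        c = conn_id()
        match($0, /err=[0-9]+/)
        err[c] = substr($0, RSTART, RLENGTH)
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            printf "conn=%s %s %s %s\n", c, ip[c], tls[c], err[c]
        }
    }'
}

# clear_bind_clients: distinct client IPs that connected without STARTTLS,
# i.e. the ones that hit "TLS confidentiality required" under "security tls=...".
clear_bind_clients() {
    classify_conns | awk '$3 == "clear" { print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | classify_conns
printf '%s\n' "$SAMPLE_LOG" | clear_bind_clients
```

Run it against a real file with `classify_conns < /var/log/slapd.log` (or whatever path syslog writes slapd's stats to); any IP listed by `clear_bind_clients` is a client that needs `-ZZ` (or a `ldaps://` URI) rather than a change to the `security` line.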