I have set up my OpenLDAP server to use TLS and I can successfully bind/search/update/etc. over a TLS connection. I have also set olcSecurity. Here is my database:
root@baneling:~/ldif_files# slapcat -F /etc/ldap/slapd.d -s olcDatabase={1}mdb,cn=config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=harmonywave,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=harmonywave,dc=com
olcRootPW:: e1NTSEF9dUhDcE1jUUJoWlpuc0twRHBNQkVCUGtmTFA5SC9EYUU=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: caa04334-6857-1035-9fbb-dd6671002504
creatorsName: cn=admin,cn=config
createTimestamp: 20160215174631Z
olcSecurity: simple_bind=256
olcSecurity: ssf=256
entryCSN: 20160215210910.287865Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20160215210910Z
When I try to do any sort of LDAP operation without the -ZZ option, slapd returns a "TLS confidentiality required" message, as it should and as I expect. However, if I sniff the wire, I still see the attempted bind request with my DN and password in plaintext.
Is there any way to force clients to use start_tls without sending any credentials over the wire (a.k.a. return an error message before a bind request is actually submitted) or does this have to be controlled outside of OpenLDAP?
Thanks,
Joshua
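The observation in the post is that olcSecurity makes slapd reject the operation only after the client has already transmitted the simple bind, so the server-side setting cannot keep the DN and password off the wire. The following is an added example (not from the post or the OpenLDAP project) for the defender side of that problem: it decodes the BER framing of LDAPMessage (RFC 4511) just far enough to tell a BindRequest with simple authentication from the StartTLS ExtendedRequest, and flags any simple bind that appears on a plaintext port-389 stream before StartTLS was requested. The two sample sessions are constructed inline; the DN is the one from the post's olcRootDN and the password is a placeholder.

```python
"""Flag LDAP simple binds sent before StartTLS on a plaintext (port 389) session.

Added example, not from the original post. It decodes the BER framing of
LDAPMessage (RFC 4511) only far enough to classify BindRequest and the
StartTLS ExtendedRequest; the sample messages below are constructed here.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Minimal BER encoder (definite lengths) used only to build the samples."""
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    lenbytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + value


def parse_ldap_message(buf):
    """Classify one LDAPMessage; returns a dict with 'kind' and the fields found."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    info = {"id": int.from_bytes(msgid, "big")}
    if op_tag == 0x60:  # [APPLICATION 0] BindRequest
        _, version, p = _read_tlv(op, 0)
        _, name, p = _read_tlv(op, p)
        auth_tag, _, _ = _read_tlv(op, p)
        # authentication is [0] simple (cleartext password) or [3] SASL
        info.update(kind="bind", version=version[0], dn=name.decode(),
                    simple=(auth_tag == 0x80))
    elif op_tag == 0x77:  # [APPLICATION 23] ExtendedRequest, requestName is [0]
        _, oid, _ = _read_tlv(op, 0)
        info.update(kind="extended", oid=oid, starttls=(oid == STARTTLS_OID))
    else:
        info.update(kind="other", tag=op_tag)
    return info


def find_cleartext_binds(messages):
    """Return DNs of simple binds seen before any StartTLS request on the session.

    Once StartTLS succeeds the rest of a real capture is encrypted and no longer
    decodes as LDAP, so everything still visible after it is not a credential leak.
    """
    tls_requested = False
    exposed = []
    for raw in messages:
        m = parse_ldap_message(raw)
        if m["kind"] == "extended" and m["starttls"]:
            tls_requested = True
        elif m["kind"] == "bind" and m["simple"] and not tls_requested:
            exposed.append(m["dn"])
    return exposed


def simple_bind(msg_id, dn, password):
    """Constructed sample BindRequest (simple auth), as 'ldapsearch -x' sends."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))


def starttls_request(msg_id):
    """Constructed sample StartTLS ExtendedRequest, as 'ldapsearch -ZZ' sends first."""
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))


# Constructed sessions: the first is what the post observed on the wire without -ZZ,
# the second is the only plaintext message a -ZZ client emits before encryption starts.
ADMIN_DN = "cn=admin,dc=harmonywave,dc=com"
NO_TLS_SESSION = [simple_bind(1, ADMIN_DN, "placeholder-password")]
STARTTLS_SESSION = [starttls_request(1)]

if __name__ == "__main__":
    print("exposed binds without -ZZ:", find_cleartext_binds(NO_TLS_SESSION))
    print("exposed binds with -ZZ:   ", find_cleartext_binds(STARTTLS_SESSION))
```

Run it against a real capture by feeding `find_cleartext_binds` the decoded LDAPMessages of each client-to-server stream; any DN it returns was sent with its password readable on the wire regardless of what slapd answered, which is the point the olcSecurity rejection alone does not address.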