Hello,
I'm using OpenLDAP 2.4.28 on Ubuntu Server and have configured TLS. I want to allow write operations only when ssf=256 is used (security update_ssf=256). Certificates were set up with OpenSSL's CA.pl.
When I connect with

# ldapadd -Y EXTERNAL -ZZ -f /src/test.ldif

I get this:

SASL/EXTERNAL authentication started
SASL username: cn=ldapadmin,.............
SASL SSF: 0
adding new entry "dc=example,dc=com"
ldap_add: Confidentiality required (13)
        additional info: stronger confidentiality required for update
The log says:

Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:56698 (IP=0.0.0.0:389)
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 STARTTLS
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established tls_ssf=128 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="" method=163
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND authcid="cn=ldapadmin,........." authzid="cn=ldapadmin,........"
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="cn=ldapadmin,......." mech=EXTERNAL sasl_ssf=0 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 8 19:38:14 ldap slapd[2205]: connection_input: conn=1003 deferring operation: binding
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD dn="dc=example,dc=com"
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 text=stronger confidentiality required for update
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=3 UNBIND
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 closed
1. Why is the client connecting with ssf=128?
2. Can I influence the ssf used by the client? If yes, how?
3. Maybe a certificate issue?
Thanks in advance,
Tobias Hachmer
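As an added example (not part of the original post or of OpenLDAP), here is a small checker that reads the conn/op lines quoted above, tracks the ssf slapd reports for each connection after STARTTLS and after the bind, and reports every write operation whose connection ssf is below a given update_ssf. Run against the log from the post with update_ssf=256 it flags op=2, which is the ADD that came back with err=13.

```python
import re

# Constructed sample: the slapd lines from the post above, one per line
# (the DNs are abbreviated there, so they are abbreviated here too).
SAMPLE_LOG = """\
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:56698 (IP=0.0.0.0:389)
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 STARTTLS
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established tls_ssf=128 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="cn=ldapadmin,......." mech=EXTERNAL sasl_ssf=0 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD dn="dc=example,dc=com"
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 text=stronger confidentiality required for update
"""

TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="[^"]*" mech=(\S+) sasl_ssf=(\d+) ssf=(\d+)')
WRITE_RE = re.compile(r"conn=(\d+) op=(\d+) (ADD|MOD|MODRDN|DEL) dn=")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)")

def find_weak_updates(log_text, update_ssf):
    """Return (conn, op, kind, effective_ssf, err) for every write done on a
    connection whose ssf is below update_ssf, as 'security update_ssf=N' judges it."""
    conn_ssf = {}   # conn id -> ssf currently in force on that connection
    pending = {}    # (conn, op) -> (write kind, ssf at the time of the write)
    found = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            # after STARTTLS the TLS layer's strength becomes the connection ssf
            conn_ssf[m.group(1)] = int(m.group(3))
            continue
        m = BIND_RE.search(line)
        if m:
            # slapd logs the ssf in force after the bind; EXTERNAL adds no sasl_ssf
            conn_ssf[m.group(1)] = int(m.group(5))
            continue
        m = WRITE_RE.search(line)
        if m:
            conn, op, kind = m.groups()
            pending[(conn, op)] = (kind, conn_ssf.get(conn, 0))
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            kind, ssf = pending.pop((m.group(1), m.group(2)))
            if ssf < update_ssf:
                found.append((m.group(1), m.group(2), kind, ssf, int(m.group(3))))
    return found

DENIED = find_weak_updates(SAMPLE_LOG, update_ssf=256)  # -> [('1003', '2', 'ADD', 128, 13)]
```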