Hi all - As part of routine security remediation my company asked me to remove the support for older TLS versions from my LDAP server. To this effect I restarted the service after running the following:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -a -f olcTLSProtocolMin.ldif
Here is the content of olcTLSProtocolMin.ldif:
dn: cn=config
changetype: modify
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
When I look at the /etc/ldap/slapd.d/cn=config.ldif file I can see the olcTLSProtocolMin: 3.3 entry. However, when I scan the LDAP server using Nessus, the scanner reports older versions of TLS still available. Also, if I scan the supported TLS versions using nmap, it also reports TLS1.0-TLS1.2.
If it helps, here is the cn=config.ldif file:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: stats sync
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/my_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/my_slapd_key.pem
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: SomeUUID
creatorsName: cn=config
createTimestamp: 20160311213839Z
olcTLSProtocolMin: 3.3
entryCSN: 20220601202658.429433Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber
Any help will be greatly appreciated.
JRosario
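An added check, not part of the original post, that compares what the configured olcTLSProtocolMin should permit with what the server actually negotiates: it reads the floor from a copy of the cn=config.ldif text, maps it with OpenLDAP's major.minor numbering (3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3), and pins a client handshake to each version over LDAPS. The host, port 636 and the embedded config sample are assumptions; a handshake that fails because the local OpenSSL policy refuses an old version also counts as "not negotiated", so confirm a clean result against the nmap output.

```python
import socket
import ssl

# olcTLSProtocolMin uses SSL/TLS record-layer numbering (slapd-config(5)).
VERSIONS = {"3.1": "TLSv1", "3.2": "TLSv1.1", "3.3": "TLSv1.2", "3.4": "TLSv1.3"}
ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample mirroring the poster's cn=config.ldif (trimmed).
SAMPLE_CONFIG = """dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/ssl/certs/my_cert.pem
olcTLSProtocolMin: 3.3
"""


def parse_ldif(text):
    """Minimal single-entry LDIF parser: {attr: value}, folded lines joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def allowed_by_config(ldif_text):
    """TLS versions the configured floor should permit (all if unset or SSLv3)."""
    floor = VERSIONS.get(parse_ldif(ldif_text).get("olcTLSProtocolMin", "3.1"), "TLSv1")
    return ORDER[ORDER.index(floor):]


def handshakes(host, port, version):
    """True if the server completes a handshake pinned to exactly one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # probing only
    try:
        ctx.minimum_version = getattr(ssl.TLSVersion, version.replace(".", "_"))
        ctx.maximum_version = ctx.minimum_version
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock) as tls:
                return tls.version() == version
    except (ssl.SSLError, OSError, ValueError):  # rejected, unreachable, or refused locally
        return False


def violations(ldif_text, observed):
    """Versions the server accepted that the configured floor should have rejected."""
    return sorted(set(observed) - set(allowed_by_config(ldif_text)), key=ORDER.index)


def audit(host, ldif_text, port=636):
    observed = [v for v in ORDER if handshakes(host, port, v)]
    return observed, violations(ldif_text, observed)
```

Run audit("ldap.example.internal", open("/etc/ldap/slapd.d/cn=config.ldif").read()) from a host that can reach port 636; a non-empty second element means the floor is not in effect on the running slapd.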