On Dec 21, 2012, at 10:00 AM, Wiebe Cazemier <wiebe@halfgaar.net> wrote:
Hi,
I'm trying to get slapd to reject non-encrypted connections, but nowhere can I find how you configure it to *only* accept TLS traffic. I just confirmed that our server accepts unencrypted traffic (with ldapsearch and tcpdump). Normally, I would just close the non-SSL port with iptables, but using the SSL port is deprecated, apparently, so I don't have that option.
So, with the cn=config SSL configuration commands, like this:
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/bla.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/bla.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ca.pem
Is there a param for forcing TLS? I tried:
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: TLSv1+RSA:!NULL
but it doesn't work; the server doesn't start. Debug output:
TLS: could not set cipher list TLSv1+RSA:!NULL.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Nor does "olcTLSCipherSuite: HIGH" work.
I looked in the openldap source code, but even there, I can't find how to do it.
Slapd: 2.4.21-0ubuntu5.7
Ubuntu: Ubuntu 10.04.4 LTS
I added an olcSecurity attribute to the database directives for the parts of the server's DIT where I wish to require TLS. To start with, I set the value "tls=1".
See also:
http://itsecureadmin.com/tag/openldap/
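A worked version of the olcSecurity approach from the reply above, added here as an example and not taken from the thread. olcTLSCipherSuite only restricts which ciphers a TLS session may negotiate; it cannot force a client to negotiate TLS at all. The enforcement knob is olcSecurity, set on the database whose data should be reachable only over TLS. The database DN olcDatabase={1}hdb,cn=config, the suffix dc=example,dc=com, the host name ldap.example.com and the file name require-tls.ldif are assumptions (the database DN matches a stock Ubuntu 10.04 slapd install; check yours with the ldapsearch in the first comment).

```ldif
# Added example, not from the original thread.
# Require TLS for every operation against the data database.
# Assumed DN and suffix (stock Ubuntu 10.04 layout); confirm with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase olcSuffix
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

# Apply it over the local socket. This works even though ldapi:// has no TLS,
# because the target here is cn=config, which the setting above does not cover:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif
#
# Verify. A plaintext search of the data suffix is now refused with
# result code 13 (Confidentiality required, "TLS confidentiality required"):
#   ldapsearch -x -H ldap://ldap.example.com -b dc=example,dc=com
# The same search with StartTLS forced succeeds. -ZZ makes ldapsearch abort
# if the TLS negotiation fails instead of silently continuing in the clear:
#   ldapsearch -x -ZZ -H ldap://ldap.example.com -b dc=example,dc=com
```

Two practitioner notes. First, tls=1 is satisfied only by a TLS session, so it rejects ldapi:// connections to that database as well; if local tools need to reach the data suffix over the Unix socket, use a minimum security strength factor instead (for example olcSecurity: ssf=128 on the database together with olcLocalSSF: 128 in cn=config, which declares what local socket connections are worth; see slapd-config(5)). Second, the check is per database, so the rootDSE and any database without olcSecurity remain reachable in the clear; repeat the attribute on each database that holds data worth protecting. The -ZZ verification also needs the client to trust the server certificate (TLS_CACERT in ldap.conf), otherwise it fails for the wrong reason.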