I doubt that's the SSL that OpenLDAP is compiled against. It looks to me like it is compiled against GnuTLS, and likely affected by ITS#5585, which was fixed in OpenLDAP 2.4.11. If that's correct, then the real TLS value is 256. Have you actually run ldd on slapd to see what libraries it is linked against for SSL?
--Quanah
--On Wednesday, July 30, 2008 1:16 PM -0400 J Davis mrsalty0@gmail.com wrote:
Openssl 0.9.8g-4ubuntu3.3
Thanks, -Jake
On Wed, Jul 30, 2008 at 12:02 PM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Wednesday 30 July 2008 15:59:52 J Davis wrote:
Greetings,
I'm testing an installation of openldap 2.4.9. I want to enforce TLS for all access to the directory. My problem is that I cannot get the client to meet the ssf restictions I have in place. The documentation I've seen on ssf and tls_ssf is very sparse so I don't really understand what it does.
I'm using self signed cert created using the openssl CA.sh script.
Relevant portions of the slapd.conf...
TLSCACertificateFile /etc/ldap/ssl/cacert.pem TLSCertificateFile /etc/ldap/ssl/servercrt.pem TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem ... access to * by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self writeRelevant portions of the lapd.conf...
TLS_CACERT /etc/ldap/ssl/cacert.pemWith those ACLs in place I get the following error:
$ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b"uid=jake,ou=people,dc=example,dc=com" ldap_bind: Invalid credentials (49)
And slapd in debug mode shows me that I didn't meet the ssf requirments...
connection_read(15): unable to get TLS client DN, error=49 id=0 conn=0 fd=15 TLS established tls_ssf=32 ssf=32 ... <= check a_authz.sai_tls_ssf: ACL 128 > OP 32What ssl implementation is your slapd using ?
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration