On Tue, 26 Aug 2014, Tom wrote:
I'm running OpenLDAP 2.4 on CentOS. I'm trying to set it up so clients can use the ldapi:/// socket without TLS, but any clients using ldap:// must use TLS.
I believe that the relevant olc variables are olcLocalSSF and olcSecurity. I can't get it to work - either TLS is required no matter which URI I use, or clients can connect without TLS at all.
According to the docs, if I set olcLocalSSF to 128, and olcSecurity to ssf=128, it should work, but it's not. I can only connect without TLS if I delete the olcSecurity attribute, which allows anyone to connect without TLS.
Has anyone else seen this behaviour?
A 60 second test on an old dev box I had lying around with 2.4.35 using slapd.conf with

    security ssf=128
    localSSF 128

found it works Just Fine there: searches with -H ldapi:// or -H ldap:// -ZZ or -H ldaps:// work, while searches with -H ldap:// fail with:

    ldap_bind: Confidentiality required (13)
        additional info: confidentiality required
So, maybe use 'config' logging to verify your bits are being processed correctly and if so, provide _complete_ information with a dump of your cn=config (passwords stripped), the logging, and your test cases w/results.
Philip Guenther
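As an added example (not part of the thread), the same policy and the same four-way check expressed for cn=config rather than slapd.conf, with 'config' logging switched on as suggested above. It assumes slapd already listens on ldap:///, ldaps:/// and ldapi:///, that the script runs as root so SASL EXTERNAL over ldapi:/// is authorised to modify cn=config, and that the server is reachable as localhost.

```shell
#!/bin/sh
# Added example, not from the thread. Sets olcLocalSSF/olcSecurity on
# cn=config and probes the four URI variants Philip lists.
# Assumptions: root shell, slapd listening on ldap/ldaps/ldapi, host localhost.

# LDIF that applies the policy and enables 'config' logging so the processing
# of these attributes shows up in the slapd log (replace drops other levels).
policy_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: $1
-
replace: olcSecurity
olcSecurity: ssf=$1
-
replace: olcLogLevel
olcLogLevel: config
EOF
}

# OpenLDAP client tools exit with the LDAP result code; 13 is
# confidentialityRequired, which is what a plain ldap:// bind should get.
classify_rc() {
  case "$1" in
    0)  echo "ok" ;;
    13) echo "confidentiality-required" ;;
    *)  echo "error($1)" ;;
  esac
}

# Anonymous rootDSE search over the given URI; prints PASS/FAIL per expectation.
probe() {  # probe <label> <expected> <ldapsearch args...>
  label=$1; expected=$2; shift 2
  ldapsearch -x -LLL -b '' -s base "$@" >/dev/null 2>&1
  got=$(classify_rc $?)
  [ "$got" = "$expected" ] && status=PASS || status=FAIL
  printf '%-4s %-14s expected=%s got=%s\n' "$status" "$label" "$expected" "$got"
}

main() {
  policy_ldif 128 | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  probe "ldapi"        ok                       -H ldapi:///
  probe "ldap+StartTLS" ok                      -H ldap://localhost/ -ZZ
  probe "ldaps"        ok                       -H ldaps://localhost/
  probe "ldap-plain"   confidentiality-required -H ldap://localhost/
}

# Only touch a live server when explicitly asked: RUN_LDAP_PROBES=1 ./check.sh
if [ "${RUN_LDAP_PROBES:-0}" = 1 ]; then main; fi
```

Compare the PASS/FAIL lines with the slapd log at loglevel config to see whether the olcSecurity and olcLocalSSF values were actually read at startup.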