That was it.
I'm using 2.4.11 now compiled against openssl and it's working.


On Wed, Jul 30, 2008 at 7:36 PM, Quanah Gibson-Mount wrote:
I doubt that's the SSL that OpenLDAP is compiled against.  It looks to me like it is compiled against GnuTLS, and likely affected by ITS#5585, which was fixed in OpenLDAP 2.4.11.  If that's correct, then the real TLS value is 256.  Have you actually run ldd on slapd to see what libraries it is linked against for SSL?


--On Wednesday, July 30, 2008 1:16 PM -0400 J Davis wrote:

Openssl 0.9.8g-4ubuntu3.3


On Wed, Jul 30, 2008 at 12:02 PM, Buchan Milne wrote:

On Wednesday 30 July 2008 15:59:52 J Davis wrote:

I'm testing an installation of openldap 2.4.9. I want to enforce TLS for
all access to the directory.
My problem is that I cannot get the client to meet the ssf restrictions I
have in place. The documentation I've seen on ssf and tls_ssf is very
sparse so I don't really understand what it does.

I'm using self signed cert created using the openssl script.

Relevant portions of the slapd.conf...

   TLSCACertificateFile /etc/ldap/ssl/cacert.pem
   TLSCertificateFile /etc/ldap/ssl/servercrt.pem
   TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
   access to *
       by tls_ssf=128 ssf=128 anonymous auth
       by tls_ssf=128 ssf=128 self write

Relevant portions of the ldap.conf...

   TLS_CACERT /etc/ldap/ssl/cacert.pem

With those ACLs in place I get the following error:

   $ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b
   ldap_bind: Invalid credentials (49)

And slapd in debug mode shows me that I didn't meet the ssf

   connection_read(15): unable to get TLS client DN, error=49 id=0
   conn=0 fd=15 TLS established tls_ssf=32 ssf=32
   <= check a_authz.sai_tls_ssf: ACL 128 > OP 32

What ssl implementation is your slapd using ?


Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration
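
Added example (not part of the original thread): a small log audit that pulls the negotiated `tls_ssf` per connection and any failed ACL ssf checks out of slapd debug output, using the line formats quoted above. The sample log is constructed, and the name `audit_ssf` and the default threshold of 128 (taken from the ACL in the thread) are assumptions.

```python
import re

# Constructed sample, modelled on the slapd debug lines quoted in the thread.
SAMPLE_LOG = """\
conn=0 fd=15 TLS established tls_ssf=32 ssf=32
<= check a_authz.sai_tls_ssf: ACL 128 > OP 32
conn=1 fd=16 TLS established tls_ssf=256 ssf=256
conn=2 fd=17 TLS established tls_ssf=56 ssf=56
"""

# "TLS established" lines carry the strength slapd recorded for the session.
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")
# ACL trace lines show the required minimum (ACL) against the operation's value (OP).
DENY_RE = re.compile(r"check a_authz\.sai_(\w+): ACL (\d+) > OP (\d+)")


def audit_ssf(log_text, required=128):
    """Return (weak, denials).

    weak:    [(conn_id, tls_ssf)] for sessions recorded below `required`
    denials: [(factor, acl_minimum, op_value)] for ACL ssf checks that failed
    """
    weak, denials = [], []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            conn_id, tls_ssf = int(m.group(1)), int(m.group(2))
            if tls_ssf < required:
                weak.append((conn_id, tls_ssf))
            continue
        m = DENY_RE.search(line)
        if m:
            denials.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return weak, denials


if __name__ == "__main__":
    weak, denials = audit_ssf(SAMPLE_LOG)
    for conn_id, tls_ssf in weak:
        print(f"conn={conn_id}: tls_ssf={tls_ssf} is below the required minimum")
    for factor, acl_min, op_value in denials:
        print(f"ACL denied on {factor}: requires {acl_min}, operation had {op_value}")
```

A low recorded value is not by itself proof of a weak cipher: as the reply above notes, a GnuTLS-linked build before 2.4.11 may report the wrong figure (ITS#5585), so check which TLS library slapd is linked against before changing cipher settings.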