Hi,
I'm trying to achieve the following with OpenLDAP RE24 from last week:
Connections on ldapi:/// are plain text and ldap connections require TLS with client cert auth. I thought I could do that with:
# global configuration settings
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap34/slapd34.args
olcPidFile: /var/run/openldap34/slapd34.pid
olcLogFile: /var/log/openldap34/slapd34.log
olcLogLevel: -1
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.crt
olcTLSCertificateFile: /etc/pki/tls/certs/server.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/server.key
olcTLSCipherSuite: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH
olcTLSVerifyClient: demand <---
olcLocalSSF: 0 <---
olcSecurity: tls=256 <---
Since I'm seeing the error below clearly I thought wrong:
5121a107 >>> slap_listener(ldapi:///)
5121a107 daemon: listen=11, new connection on 15
5121a107 daemon: added 15r (active) listener=(nil)
5121a107 conn=1009 fd=15 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
[snip]
5121a107 conn=1009 op=0 BIND dn="cn=ReadOnly,dc=example,dc=com" method=128
5121a107 do_bind: version=3 dn="cn=ReadOnly,dc=example,dc=com" method=128
5121a107 send_ldap_result: conn=1009 op=0 p=3
5121a107 send_ldap_result: err=13 matched="" text="TLS confidentiality required"
[snip]
5121a107 conn=1009 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Anyone have an idea how I can achieve my goal?
Thanks! Patrick
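Editor's added example, not part of Patrick's post. The two marked lines that drive the rejection are olcLocalSSF: 0 and olcSecurity: tls=256. In slapd-config(5) the tls= factor of olcSecurity is checked against the TLS strength of the session only, so a connection on ldapi:/// can never satisfy it no matter what olcLocalSSF says; the ssf= factor is checked against the connection's overall strength, and for ldapi:/// that overall strength is exactly the value of olcLocalSSF. The ldapmodify LDIF below swaps the two settings on that basis; the attribute names are taken from the post, and the value 256 is assumed to be the strength the post already wants to demand.

```ldif
# Added example (editor's, not from the post): trust ldapi:/// as a local
# session of strength 256 and require strength 256 from every other
# listener, which in practice means TLS. olcTLSVerifyClient: demand is
# left untouched, so TLS sessions still have to present a client cert.
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 256
-
replace: olcSecurity
olcSecurity: ssf=256
-
```

Apply it over the socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f fix.ldif` (assuming cn=config grants write access to the EXTERNAL root identity, as the usual cn=config ACL does). Afterwards a simple bind over the socket, `ldapwhoami -H ldapi:/// -D cn=ReadOnly,dc=example,dc=com -W`, should succeed, while the same bind over `ldap://` without `-ZZ` should still be refused with err=13. One caveat a practitioner should keep in mind: ssf= counts any confidentiality layer, so a SASL mechanism that negotiates its own 256-bit protection would also pass, whereas tls= admits nothing but TLS.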