Nope, olcSecurity didn't help. Still have the problem. I restarted slapd. Please see below:
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: uid eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120919180734Z
entryCSN: 20120919181117.233986Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120919181117Z
Thanks a lot!
Yan
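As an added example (not code from the thread or from OpenLDAP), the following Python check parses a cn=config LDIF entry like the one posted above, merges the olcSecurity factors, and lists any olcAccess "by" clause that grants access without its own tls_ssf qualifier. The sample LDIF is constructed to mirror the posted entry; the function and attribute names are the real cn=config attribute names, everything else is assumed.

```python
import base64
import re

# Constructed sample shaped like the thread's cn=config entry (folded line and '::' value included).
SAMPLE_LDIF = """dn: olcDatabase={1}hdb
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write b
 y tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
olcRootPW:: c2VjcmV0
"""

def parse_ldif(text):
    """Return (attr, value) pairs; unfolds continuation lines and decodes '::' base64 values."""
    records = []
    for line in text.splitlines():
        if line.startswith(" ") and records:   # leading space continues the previous line
            records[-1] += line[1:]
        elif line.strip():
            records.append(line)
    pairs = []
    for rec in records:
        attr, _, rest = rec.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        pairs.append((attr, value))
    return pairs

def security_factors(pairs):
    """Merge every olcSecurity value into {factor: minimum}, e.g. {'ssf': 128, 'tls': 1}."""
    factors = {}
    for token in " ".join(v for a, v in pairs if a == "olcSecurity").split():
        name, _, num = token.partition("=")
        factors[name] = int(num)
    return factors

def tls_enforced(pairs):
    """True when olcSecurity requires protection on every connection (ssf or tls above 0)."""
    f = security_factors(pairs)
    return f.get("ssf", 0) > 0 or f.get("tls", 0) > 0

def unprotected_grants(pairs):
    """olcAccess 'by' clauses granting more than 'none' without their own tls_ssf qualifier."""
    findings = []
    for rule in (re.sub(r"^\{\d+\}", "", v) for a, v in pairs if a == "olcAccess"):
        for clause in (c.strip() for c in re.split(r"\bby\b\s+", rule)[1:]):
            if clause.split()[-1] != "none" and "tls_ssf=" not in clause:
                findings.append(clause)
    return findings
```

With olcSecurity set, a clause without tls_ssf is redundant rather than fatal, but keeping the qualifier on each grant means the ACL stays safe if olcSecurity is ever relaxed.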
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, September 20, 2012 7:50 AM
To: Quanah Gibson-Mount
Cc: Yan Gong; openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?
Quanah Gibson-Mount wrote:
>> Should I use olcAccess or olcSecurity? or both? I couldn't find any detailed steps/documentation
> olcSecurity would enforce encryption for any and all connections. Note that you have to restart slapd for it to take effect.

Eh, no. olcSecurity changes take effect immediately. No restart needed.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/