On Mon, Nov 30, 2020 at 9:09 AM Ryan Tandy ryan@nardis.ca wrote:
The openldap packages in Ubuntu use GnuTLS as the TLS library, not OpenSSL. Therefore the value of olcTLSCipherSuite has to be a GnuTLS priority string, not an OpenSSL cipher list.
Confirmed. This was indeed the problem. Thank you!
On Mon, Nov 30, 2020 at 9:09 AM Ryan Tandy ryan@nardis.ca wrote:
On Fri, Nov 27, 2020 at 01:58:36PM -0800, Benjamin Schneider wrote:
Hi all, I'm running version 2.4.49 on Ubuntu 20.04. I've been unable to add the olcTLSCipherSuite configuration attribute.
# ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif
returns:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
set-ciphersuite.ldif contains the following:
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: ALL
The openldap packages in Ubuntu use GnuTLS as the TLS library, not OpenSSL. Therefore the value of olcTLSCipherSuite has to be a GnuTLS priority string, not an OpenSSL cipher list.
https://gnutls.org/manual/html_node/Priority-Strings.html
You might also be interested in olcTLSProtocolMin.
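The corrected LDIF, as an added example that is not part of the thread above: the same cn=config change rewritten with a GnuTLS priority string in place of the OpenSSL-style "ALL", plus the olcTLSProtocolMin floor Ryan mentions. The particular priority string and the TLS 1.2 minimum are illustrative choices, not values anyone in the thread posted; pick the set that matches your own client population.

```ldif
# Added example, not from the original posting. Uses "replace" so it works
# whether or not a previous attempt left a value behind.
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
# "ALL" is OpenSSL cipher-list syntax; the GnuTLS build rejects it (error 80).
# GnuTLS priority string (illustrative): 256-bit secure set, TLS 1.2 and 1.3 only.
olcTLSCipherSuite: SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
-
replace: olcTLSProtocolMin
# olcTLSProtocolMin uses <major>.<minor> record-layer numbering: 3.3 is TLS 1.2.
olcTLSProtocolMin: 3.3
```

Apply it with the same command as before, `ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif`, then read the values back with `ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config -LLL olcTLSCipherSuite olcTLSProtocolMin`. Before committing to a priority string, `gnutls-cli --priority 'SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3' --list` prints exactly which ciphersuites and protocol versions that string enables, which is the quickest way to catch a typo or an unintentionally empty set before slapd is restarted with it.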