On Mon, Nov 30, 2020 at 9:09 AM Ryan Tandy <ryan(a)nardis.ca> wrote:
> The openldap packages in Ubuntu use GnuTLS as the TLS library, not
> OpenSSL. Therefore the value of olcTLSCipherSuite has to be a GnuTLS
> priority string, not an OpenSSL cipher list.
Confirmed. This was indeed the problem. Thank you!
On Mon, Nov 30, 2020 at 9:09 AM Ryan Tandy <ryan(a)nardis.ca> wrote:
>
> On Fri, Nov 27, 2020 at 01:58:36PM -0800, Benjamin Schneider wrote:
> >Hi all, I'm running version 2.4.49 on Ubuntu 20.04. I've been unable to add
> >the olcTLSCipherSuite configuration attribute.
> >
> ># ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif
> >
> >returns:
> >
> >SASL/EXTERNAL authentication started
> >SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> >SASL SSF: 0
> >modifying entry "cn=config"
> >ldap_modify: Other (e.g., implementation specific) error (80)
> >
> >set-ciphersuite.ldif contains the following:
> >
> >dn: cn=config
> >changetype: modify
> >add: olcTLSCipherSuite
> >olcTLSCipherSuite: ALL
>
> The openldap packages in Ubuntu use GnuTLS as the TLS library, not
> OpenSSL. Therefore the value of olcTLSCipherSuite has to be a GnuTLS
> priority string, not an OpenSSL cipher list.
>
>
> https://gnutls.org/manual/html_node/Priority-Strings.html
>
> You might also be interested in olcTLSProtocolMin.
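A worked LDIF to go with Ryan's answer, added here as an example and not taken from the thread. The priority string and the choice of TLS 1.2 as the floor are assumptions for illustration, not anything the thread prescribed; pick values that match your own policy.

```ldif
# Constructed example (not from the thread). Apply it the same way as in
# the original post:  ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif
#
# The rejected value was "olcTLSCipherSuite: ALL". "ALL" is an OpenSSL
# cipher-list keyword; Ubuntu's slapd is linked against GnuTLS, which
# expects a priority string (keywords such as NORMAL, SECURE128, SECURE256,
# with +/- modifiers), so slapd refused the value with error 80.
#
# Below, SECURE256 selects the 256-bit-security ciphersuites, "-VERS-ALL"
# removes every protocol version, and the two "+VERS-..." tokens re-enable
# only TLS 1.2 and TLS 1.3. "replace" is used instead of "add" so the
# modification succeeds whether or not the attribute already exists.
#
# olcTLSProtocolMin uses OpenLDAP's own major.minor notation, not a
# priority token: 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3.
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
```

After applying, `ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config -s base olcTLSCipherSuite olcTLSProtocolMin` shows whether the new values were stored; a priority string can also be checked for syntax outside slapd with `gnutls-cli --priority 'SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3' --list`.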