On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount quanah@zimbra.comwrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood < peterwood.sd@gmail.com> wrote:
Hi,
I setup openldap-2.4.23 server
Why? I'd suggest you start with the current release, 2.4.30. You may also want to look at <http://www.openldap.org/its/**index.cgi/?findid=7197http://www.openldap.org/its/index.cgi/?findid=7197
That's the openldap version in centos6.2 repo. In production I try to stick with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.
I don't think StartTLS is enabled. I'm wondering if just setting olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is enough to get StartTLS enabled.
It's very frustrating. I'd hate to go to ldaps just because I can't get StartTLS working.
Is there anything else I have to set on the server to get StartTLS working?
Thanks Peter
--On Tuesday, March 13, 2012 11:03 AM -0700 Peter Wood peterwood.sd@gmail.com wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood peterwood.sd@gmail.com wrote:
Hi,
I setup openldap-2.4.23 server
Why? I'd suggest you start with the current release, 2.4.30. You may also want to look at http://www.openldap.org/its/index.cgi/?findid=7197
That's the openldap version in centos6.2 repo. In production I try to stick with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.
I don't think StartTLS is enabled. I'm wondering if just setting olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is enough to get StartTLS enabled.
It's very frustrating. I'd hate to go to ldaps just because I can't get StartTLS working.
Is there anything else I have to set on the server to get StartTLS working?
How are you testing to see if it or is not working? Just run ldapsearch -x -ZZ -H ldap://<hostname>
to force startTLS
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
On 03/13/2012 12:03 PM, Peter Wood wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah@zimbra.com mailto:quanah@zimbra.com> wrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood <peterwood.sd@gmail.com <mailto:peterwood.sd@gmail.com>> wrote: Hi, I setup openldap-2.4.23 server Why? I'd suggest you start with the current release, 2.4.30. You may also want to look at <http://www.openldap.org/its/index.cgi/?findid=7197>That's the openldap version in centos6.2 repo. In production I try to stick with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.
I don't think StartTLS is enabled. I'm wondering if just setting olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is enough to get StartTLS enabled.
Yes, it is.
It's very frustrating. I'd hate to go to ldaps just because I can't get StartTLS working.
Is there anything else I have to set on the server to get StartTLS working?
Can you provide the exact command line you are using to test the server connection? Note that if the client is using regular LDAP and not LDAPS nor LDAP+startTLS, the olcTLSVerifyClient: demand setting does nothing.
If you are trying to make the client always use SASL/EXTERNAL auth with a valid client cert, you must first force the server to reject any non-TLS/SSL connection using the sasl-secprops minssf setting.
Thanks Peter
On Tue, Mar 13, 2012 at 11:30 AM, Rich Megginson rich.megginson@gmail.comwrote:
On 03/13/2012 12:03 PM, Peter Wood wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount quanah@zimbra.comwrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood < peterwood.sd@gmail.com> wrote:
Hi,
I setup openldap-2.4.23 server
Why? I'd suggest you start with the current release, 2.4.30. You may also want to look at http://www.openldap.org/its/index.cgi/?findid=7197
That's the openldap version in centos6.2 repo. In production I try to stick with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.
I don't think StartTLS is enabled. I'm wondering if just setting olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is enough to get StartTLS enabled.
Yes, it is.
It's very frustrating. I'd hate to go to ldaps just because I can't get StartTLS working.
Is there anything else I have to set on the server to get StartTLS working?
Can you provide the exact command line you are using to test the server connection? Note that if the client is using regular LDAP and not LDAPS nor LDAP+startTLS, the olcTLSVerifyClient: demand setting does nothing.
This is exactly what I'm seeing. I misunderstood the documentation. I thought that when olcTLSVerifyClient is set to demand then a valid certificate is required and the connection will drop if one is not provided.
If you are trying to make the client always use SASL/EXTERNAL auth with a valid client cert, you must first force the server to reject any non-TLS/SSL connection using the sasl-secprops minssf setting.
Yes. I'd like the server to reject any non-TLS/SSL connections. I'll look into the settings you mentioned.
As I was typing this I received a few more answers. Thank you very much.
Last question: If the FQN of the client is server1.mydomain.com and in the certificate the commonName is server1.mydomain.com but in openldap the DSE is "dc=hr,dc=mydomain,dc=com".
Will that work or the DSE has to match the domain name i.e. "dc=mydomain,dc=com"?
Thank you Peter
Peter Wood wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah@zimbra.com mailto:quanah@zimbra.com> wrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood <peterwood.sd@gmail.com <mailto:peterwood.sd@gmail.com>> wrote: Hi, I setup openldap-2.4.23 server Why? I'd suggest you start with the current release, 2.4.30. You may also want to look at <http://www.openldap.org/its/__index.cgi/?findid=7197 <http://www.openldap.org/its/index.cgi/?findid=7197>>That's the openldap version in centos6.2 repo. In production I try to stick with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.
I don't think StartTLS is enabled. I'm wondering if just setting olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is enough to get StartTLS enabled.
It's very frustrating. I'd hate to go to ldaps just because I can't get StartTLS working.
Is there anything else I have to set on the server to get StartTLS working?
No. StartTLS is an LDAP Request, the client has to ask for it. There is nothing a server can do to initiate it.
The TLSVerifyClient setting only affects sessions where the client has already initiated TLS. To force connections to require TLS, look at the olcRequires and olcSecurity settings in slapd-config(5).
On Tue, 13 Mar 2012, Peter Wood wrote:
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.
olcTLSVerifyClient: <level> Specifies what checks to perform on client certificates in an incoming TLS session, if any. <...>
Note the "if any" part. That config option says, "If the client negotiates TLS, whether because it's connecting via an ldaps connection or used the StartTLS operation on an ldap connection, then this is the requirements regarding client certificates."
If the client connects via ldap (or ldapi) and doesn't use the StartTLS operation, then the olcTLSVerifyClient setting HAS NO EFFECT.
If you want the server to reject authentication requests that don't use TLS, then you need to look at the olcSecurity setting. To quote the manpage:
olcSecurity: <factors> Specify a set of security strength factors (separated by white space) to require (see olcSaslSecprops's minssf option for a description of security strength factors). The directive may be specified globally and/or per-database. ssf=<n> specifies the overall security strength factor. transport=<n> specifies the transport security strength factor. tls=<n> specifies the TLS security strength factor. sasl=<n> specifies the SASL security strength factor. update_ssf=<n> specifies the overall security strength factor to require for directory updates. update_transport=<n> specifies the transport security strength factor to require for directory updates. update_tls=<n> specifies the TLS security strength factor to require for directory updates. update_sasl=<n> specifies the SASL security strength factor to require for directory updates. simple_bind=<n> specifies the security strength factor required for simple username/password authentication. Note that the transport factor is measure of security provided by the underlying transport, e.g. ldapi:// (and eventually IPSEC). It is not normally used.
Philip Guenther
Is there anything else I have to set on the server to get StartTLS working?
Check "man ldapsearch" for -Z[Z] option.
If you want to enforce StartTLS, set appropriate SSF with olcSecurity:
$ ldapsearch -x -H ldap://server ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required
$ ldapsearch -x -ZZ -H ldap://server ... # search result ...
openldap-technical@openldap.org
-
Howard Chu -
Jan Vcelak -
Peter Wood -
Philip Guenther -
Quanah Gibson-Mount -
Rich Megginson