11:03 a.m.
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood <
peterwood.sd(a)gmail.com> wrote:
Hi,
>
>
> I setup openldap-2.4.23 server
>
Why? I'd suggest you start with the current release, 2.4.30. You may
also want to look at
<http://www.openldap.org/its/**index.cgi/?findid=7197<http://www.openld...
>
That's the openldap version in centos6.2 repo. In production I try to stick
with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with
the same result.
I don't think StartTLS is enabled. I'm wondering if just setting
olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile
is enough to get StartTLS enabled.
It's very frustrating. I'd hate to go to ldaps just because I can't get
StartTLS working.
Is there anything else I have to set on the server to get StartTLS working?
Thanks
Peter
11:09 a.m.
New subject: olcTLSVerifyClient: demand not taking effect
--On Tuesday, March 13, 2012 11:03 AM -0700 Peter Wood
<peterwood.sd(a)gmail.com> wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood
<peterwood.sd(a)gmail.com> wrote:
Hi,
I setup openldap-2.4.23 server
Why? I'd suggest you start with the current release, 2.4.30. You may
also want to look at <http://www.openldap.org/its/index.cgi/?findid=7197>
That's the openldap version in centos6.2 repo. In production I try to
stick with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true]
with the same result.
I don't think StartTLS is enabled. I'm wondering if just
setting olcTLSCACertificateFile, olcTLSCertificateFile
and olcTLSCertificateKeyFile is enough to get StartTLS enabled.
It's very frustrating. I'd hate to go to ldaps just because I can't get
StartTLS working.
Is there anything else I have to set on the server to get StartTLS
working?
How are you testing to see if it or is not working? Just run ldapsearch -x
-ZZ -H ldap://<hostname>
to force startTLS
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11:30 a.m.
New subject: olcTLSVerifyClient: demand not taking effect
On 03/13/2012 12:03 PM, Peter Wood wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount
<quanah(a)zimbra.com <mailto:quanah@zimbra.com>> wrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood
<peterwood.sd(a)gmail.com <mailto:peterwood.sd@gmail.com>> wrote:
Hi,
I setup openldap-2.4.23 server
Why? I'd suggest you start with the current release, 2.4.30. You
may also want to look at
<http://www.openldap.org/its/index.cgi/?findid=7197>
That's the openldap version in centos6.2 repo. In production I try to
stick with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true]
with the same result.
I don't think StartTLS is enabled. I'm wondering if just setting
olcTLSCACertificateFile, olcTLSCertificateFile and
olcTLSCertificateKeyFile is enough to get StartTLS enabled.
Yes, it is.
It's very frustrating. I'd hate to go to ldaps just because I can't
get StartTLS working.
Is there anything else I have to set on the server to get StartTLS
working?
Can you provide the exact command line you are using to test the server
connection? Note that if the client is using regular LDAP and not LDAPS
nor LDAP+startTLS, the olcTLSVerifyClient: demand setting does nothing.
If you are trying to make the client always use SASL/EXTERNAL auth with
a valid client cert, you must first force the server to reject any
non-TLS/SSL connection using the sasl-secprops minssf setting.
Thanks
Peter
11:56 a.m.
New subject: olcTLSVerifyClient: demand not taking effect
On Tue, Mar 13, 2012 at 11:30 AM, Rich Megginson
<rich.megginson(a)gmail.com>wrote:
On 03/13/2012 12:03 PM, Peter Wood wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
> --On Monday, March 12, 2012 6:52 PM -0700 Peter Wood <
> peterwood.sd(a)gmail.com> wrote:
>
> Hi,
>>
>>
>> I setup openldap-2.4.23 server
>>
>
> Why? I'd suggest you start with the current release, 2.4.30. You may
> also want to look at <http://www.openldap.org/its/index.cgi/?findid=7197>
>
>
That's the openldap version in centos6.2 repo. In production I try to
stick with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true]
with the same result.
I don't think StartTLS is enabled. I'm wondering if just setting
olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile
is enough to get StartTLS enabled.
Yes, it is.
It's very frustrating. I'd hate to go to ldaps just because I can't get
StartTLS working.
Is there anything else I have to set on the server to get StartTLS
working?
Can you provide the exact command line you are using to test the server
connection? Note that if the client is using regular LDAP and not LDAPS
nor LDAP+startTLS, the olcTLSVerifyClient: demand setting does nothing.
This is exactly what I'm seeing. I misunderstood the documentation. I
thought that when olcTLSVerifyClient is set to demand then a valid
certificate is required and the connection will drop if one is not provided.
If you are trying to make the client always use SASL/EXTERNAL auth with a
valid client cert, you must first force the server to reject any
non-TLS/SSL connection using the sasl-secprops minssf setting.
Yes. I'd like the server to reject any non-TLS/SSL connections. I'll look
into the settings you mentioned.
As I was typing this I received a few more answers. Thank you very much.
Last question:
If the FQN of the client is server1.mydomain.com and in the certificate
the commonName is server1.mydomain.com but
in openldap the DSE is "dc=hr,dc=mydomain,dc=com".
Will that work or the DSE has to match the domain name i.e.
"dc=mydomain,dc=com"?
Thank you
Peter
11:45 a.m.
New subject: olcTLSVerifyClient: demand not taking effect
Peter Wood wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah(a)zimbra.com
<mailto:quanah@zimbra.com>> wrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood
<peterwood.sd(a)gmail.com <mailto:peterwood.sd@gmail.com>> wrote:
Hi,
I setup openldap-2.4.23 server
Why? I'd suggest you start with the current release, 2.4.30. You may
also want to look at <http://www.openldap.org/its/__index.cgi/?findid=7197
<http://www.openldap.org/its/index.cgi/?findid=7197>>
That's the openldap version in centos6.2 repo. In production I try to stick
with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the
same result.
I don't think StartTLS is enabled. I'm wondering if just setting
olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is
enough to get StartTLS enabled.
It's very frustrating. I'd hate to go to ldaps just because I can't get
StartTLS working.
Is there anything else I have to set on the server to get StartTLS working?
No. StartTLS is an LDAP Request, the client has to ask for it. There is
nothing a server can do to initiate it.
The TLSVerifyClient setting only affects sessions where the client has already
initiated TLS. To force connections to require TLS, look at the olcRequires
and olcSecurity settings in slapd-config(5).
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:46 a.m.
New subject: olcTLSVerifyClient: demand not taking effect
On Tue, 13 Mar 2012, Peter Wood wrote:
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true]
with
the same result.
olcTLSVerifyClient: <level>
Specifies what checks to perform on client certificates in an
incoming TLS session, if any. <...>
Note the "if any" part. That config option says, "If the client
negotiates TLS, whether because it's connecting via an ldaps connection or
used the StartTLS operation on an ldap connection, then this is the
requirements regarding client certificates."
If the client connects via ldap (or ldapi) and doesn't use the StartTLS
operation, then the olcTLSVerifyClient setting HAS NO EFFECT.
If you want the server to reject authentication requests that don't use
TLS, then you need to look at the olcSecurity setting. To quote the
manpage:
olcSecurity: <factors>
Specify a set of security strength factors (separated by white
space) to require (see olcSaslSecprops's minssf option for a
description of security strength factors). The directive may be
specified globally and/or per-database. ssf=<n> specifies the
overall security strength factor. transport=<n> specifies the
transport security strength factor. tls=<n> specifies the TLS
security strength factor. sasl=<n> specifies the SASL security
strength factor. update_ssf=<n> specifies the overall security
strength factor to require for directory updates.
update_transport=<n> specifies the transport security strength
factor to require for directory updates. update_tls=<n>
specifies the TLS security strength factor to require for
directory updates. update_sasl=<n> specifies the SASL security
strength factor to require for directory updates.
simple_bind=<n> specifies the security strength factor required
for simple username/password authentication. Note that the
transport factor is measure of security provided by the
underlying transport, e.g. ldapi:// (and eventually IPSEC). It
is not normally used.
Philip Guenther
11:53 a.m.
New subject: olcTLSVerifyClient: demand not taking effect
Is there anything else I have to set on the server to get StartTLS
working?
Check "man ldapsearch" for -Z[Z] option.
If you want to enforce StartTLS, set appropriate SSF with olcSecurity:
$ ldapsearch -x -H ldap://server
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required
$ ldapsearch -x -ZZ -H ldap://server
...
# search result
...
4280
days inactive
4280
days old
openldap-technical@openldap.org
6 comments
6 participants
participants (6)
-
Howard Chu -
Jan Vcelak -
Peter Wood -
Philip Guenther -
Quanah Gibson-Mount -
Rich Megginson