Greetings.
I would have thought (possibly naively) that StartTLS was unnecessary when connecting to slapd through a unix socket -- the client and the server are on the same machine, and so don't need to be reassured about each other's identity. However this seems not to be the case:
% ldapsearch -LLL -H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi '(uid=foo)'
ldap_sasl_interactive_bind_s: Confidentiality required (13)
	additional info: stronger confidentiality required
(same result with ldapi:///).
What am I misunderstanding?
In the slapd.ldif I have:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcSecurity: ssf=128
olcTLSCertificateFile: /usr/local/etc/openldap/certs/XXX.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/certs/XXX.key
olcTLSCACertificateFile: /usr/local/etc/openldap/certs/FOO
olcLogLevel: 0
The machine is also listening on ldap://0.0.0.0 and requiring TLS. I don't see anything in the documentation which seems to suggest I can have different TLS rules on different interfaces or protocols (i.e., ldap: vs ldapi:) -- am I just missing that?
The /usr/local/etc/ldap.conf doesn't mention TLS, so the TLS requirement isn't coming in from there.
My practical problem is that I'm trying to get nslcd (on the same machine) to talk to OpenLDAP locally. If there's a certificate problem I can sort that out, but I can't help feeling that that ought to be unnecessary -- that I'm missing something simple.
This is 2.4.45 on FreeBSD.
Best wishes,
Norman
On 2018-07-12 06:52, Norman Gray wrote:
What am I misunderstanding?
In the slapd.ldif I have:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcSecurity: ssf=128
olcTLSCertificateFile: /usr/local/etc/openldap/certs/XXX.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/certs/XXX.key
olcTLSCACertificateFile: /usr/local/etc/openldap/certs/FOO
olcLogLevel: 0
Have a look at 'olcLocalSSF' in slapd-config(5), which lets you set the security strength factor for local (i.e. ldapi://) sessions. It defaults to 71, which is likely why you're seeing that error message. Personally, I bump it up to 256, to match the ssf=256 I have set in the olcSecurity attribute on cn=config.
Michael and Richard, hello.
On 16 Jul 2018, at 5:09, Richard Gray wrote:
Have a look at 'olcLocalSSF' in slapd-config(5), which lets you set the security strength factor for local (i.e. ldapi://) sessions. It defaults to 71, which is likely why you're seeing that error message. Personally, I bump it up to 256, to match the ssf=256 I have set in the olcSecurity attribute on cn=config.
Many thanks for this advice -- it works perfectly. I've set olcLocalSSF to 256.
Hmm: 71 is an oddly-chosen default. Is there a story there, I wonder?
(Apologies, also, for taking so long to respond: this project had swapped right out of my head, and it was only a couple of days ago that it was able to page back in).
Best wishes,
Norman
On 07/11/2018 08:52 PM, Norman Gray wrote:
I would have thought (possibly naively) that StartTLS was unnecessary when connecting to slapd through a unix socket -- the client and the server are on the same machine, and so don't need to be reassured about each other's identity.
Yes.
However this seems not to be the case:
% ldapsearch -LLL -H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi '(uid=foo)'
ldap_sasl_interactive_bind_s: Confidentiality required (13)
	additional info: stronger confidentiality required
You want to set localSSF in your config to match the minimum SSF you've configured (the default is 71).
'localSSF' is the old slapd.conf name and 'olcLocalSSF' the accompanying LDAP attribute in cn=config.
dn: cn=config
[..]
olcSecurity: ssf=128
So add to cn=config:
olcLocalSSF: 128
Ciao, Michael.
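As an added illustration of the advice in this thread (this is not code from any of the posters), the script below reads the two relevant attributes of cn=config, reports whether olcLocalSSF (default 71 when unset) satisfies the ssf= minimum in olcSecurity, and emits the LDIF that raises it. It assumes slapd listens on ldapi:/// and that the local root can read and modify cn=config with SASL EXTERNAL; the ldapsearch/ldapmodify invocations are commented out so the check functions can be run on saved output.

```shell
#!/bin/sh
# Added example, not from the thread: compare olcLocalSSF against the ssf=
# minimum in olcSecurity on cn=config, and generate the fix as LDIF.

# Read LDIF text on stdin; print "<minimum ssf> <local ssf>".
# olcLocalSSF defaults to 71 when the attribute is absent; a missing
# olcSecurity ssf= is treated as 0 (no minimum).
ssf_values() {
    awk '
        /^olcSecurity:/ { if (match($0, /ssf=[0-9]+/)) min = substr($0, RSTART+4, RLENGTH-4) }
        /^olcLocalSSF:/ { loc = $2 }
        END { if (min == "") min = 0; if (loc == "") loc = 71; print min, loc }
    '
}

# Return 0 when ldapi:// sessions meet the configured minimum, 1 otherwise.
# A local SSF below the minimum is exactly what produces
# "Confidentiality required (13) ... stronger confidentiality required".
check_local_ssf() {
    set -- $(ssf_values)
    min=$1
    local_ssf=$2
    if [ "$local_ssf" -lt "$min" ]; then
        echo "olcLocalSSF=$local_ssf is below olcSecurity ssf=$min: ldapi:// binds will be refused" >&2
        return 1
    fi
    echo "olcLocalSSF=$local_ssf satisfies olcSecurity ssf=$min"
    return 0
}

# Print the LDIF that sets olcLocalSSF to $1 (replace also adds it if absent).
fix_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcLocalSSF\nolcLocalSSF: %s\n' "$1"
}

# Live usage (needs a running slapd; uncomment to run):
# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcSecurity olcLocalSSF | check_local_ssf
# fix_ldif 128 | ldapmodify -Q -Y EXTERNAL -H ldapi:///
# If the ldapi:// bind itself is refused with error 13, apply the LDIF over
# ldap://localhost with StartTLS (-ZZ) as the config rootdn instead.
```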
openldap-technical@openldap.org