On Tue, 26 Aug 2014, Tom wrote:
I'm running OpenLDAP 2.4 on CentOS. I'm trying to set it up
can use the ldapi:/// socket without TLS, but any clients using ldap://
must use TLS.
I believe that the relevant olc variables are olcLocalSSF and
olcSecurity. I can't get it to work - either TLS is required no matter
which URI I use, or clients can connect without TLS at all.
According to the docs, if I set olcLocalSSF to 128, and olcSecurity to
ssf=128, it should work, but it's not. I can only connect without TLS if I
delete the olcSecurity attribute, which allows anyone to connect
Has anyone else seen this behaviour?
A 60 second test on an old dev box I had lying around with 2.4.35 using
found it works Just Fine there: searches with
-H ldap:// -ZZ
work, while searches with
ldap_bind: Confidentiality required (13)
additional info: confidentiality required
So, maybe use 'config' logging to verify your bits are being processed
correctly and if so, provide _complete_ information with a dump of your
cn=config (passwords stripped), the logging, and your test cases