Hello,
I've configured openldap (v2.4.16 on FreeBSD 7.2) to listen on ldaps (with a self-signed certificate) as well as ldapi.
rc.conf:
slapd_enable="YES"
slapd_flags='-h "ldapi:///var/run/openldap/ldapi/ ldaps:///"'
slapd_owner="ldap:ldap"
slapd_sockets="/var/run/openldap/ldapi"
slapd.conf:
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
rootpw password
directory /var/db/openldap-data
index objectClass eq
security ssf=128
TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
TLSVerifyClient never
Connecting to ldaps (port 636) with clients such as Thunderbird, Apache Directory Studio works fine. But when I try to connect via ldapi (port 389) from a webmail tool on the same server I always get the error "Confidentiality required" from openldap. I want to connect to ldapi (as it is local on the server) without TLS or other encryption but openldap doesn't seem to allow that in my configuration. I tried localSSF set to 0 which doesn't make any difference...
I'd be thankful for any advice with this issue.
Best regards, Gunnar
Gunnar Frenzel <Gunnar_Frenzel@web.de> writes:
Hello,
I've configured openldap (v2.4.16 on FreeBSD 7.2) to listen on ldaps (with a self-signed certificate) as well as ldapi.
[...]
security ssf=128
[...]
Connecting to ldaps (port 636) with clients such as Thunderbird, Apache Directory Studio works fine. But when I try to connect via ldapi (port 389) from a webmail tool on the same server I always get the error "Confidentiality required" from openldap. I want to connect to ldapi (as it is local on the server) without TLS or other encryption but openldap doesn't seem to allow that in my configuration. I tried localSSF set to 0 which doesn't make any difference...
The hard coded ssf for ldapi is 71, so you have to reduce security ssf.
-Dieter
"Dieter Kluenter" <dieter@dkluenter.de> writes:
Gunnar Frenzel <Gunnar_Frenzel@web.de> writes:
Hello,
I've configured openldap (v2.4.16 on FreeBSD 7.2) to listen on ldaps (with a self-signed certificate) as well as ldapi.
[...]
security ssf=128
[...]
Connecting to ldaps (port 636) with clients such as Thunderbird, Apache Directory Studio works fine. But when I try to connect via ldapi (port 389) from a webmail tool on the same server I always get the error "Confidentiality required" from openldap. I want to connect to ldapi (as it is local on the server) without TLS or other encryption but openldap doesn't seem to allow that in my configuration. I tried localSSF set to 0 which doesn't make any difference...
The hard coded ssf for ldapi is 71, so you have to reduce security ssf.
the default ssf for ldapi can be modified by adding localSSF <ssf> to slapd.conf(5).
-Dieter
Dieter Kluenter wrote:
"Dieter Kluenter" <dieter@dkluenter.de> writes:
[...]
[...]
security ssf=128
[...] The hard coded ssf for ldapi is 71, so you have to reduce security ssf.
When I change security ssf=128 to a lower value then this affects not only ldapi but ldaps as well, right? I want to leave ldaps to require TLS but reduce security for ldapi only, so I could not achieve this by reducing security ssf?
the default ssf for ldapi can be modified by adding localSSF <ssf> to slapd.conf(5).
As I wrote, I tried adding localSSF 0 to slapd.conf but this did not change the behaviour at all. :(
Gunnar
Gunnar Frenzel <Gunnar_Frenzel@web.de> writes:
Dieter Kluenter wrote:
"Dieter Kluenter" <dieter@dkluenter.de> writes:
[...]
[...]
security ssf=128
[...] The hard coded ssf for ldapi is 71, so you have to reduce security ssf.
When I change security ssf=128 to a lower value then this affects not only ldapi but ldaps as well, right? I want to leave ldaps to require TLS but reduce security for ldapi only, so I could not achieve this by reducing security ssf?
Actually, ldaps is TLS; you cannot connect to port 636 without a proper TLS configuration on the server and client side. In fact TLSCipherSuite MEDIUM defines 128-bit ciphers. man slapd.conf(5) offers a variety of ssf options, just an example:
security ssf=1 sasl=56 tls=128
thus the default ssf for ldapi is applied.
the default ssf for ldapi can be modified by adding localSSF <ssf> to slapd.conf(5).
As I wrote, I tried adding localSSF 0 to slapd.conf but this did not change the behaviour at all. :(
localSSF 128 would overwrite the default value.
-Dieter
Hi,
Thanks, it's now working (security ssf=1, without localSSF) with the ldapi connection without TLS.
Best regards, Gunnar
Dieter Kluenter wrote:
Gunnar Frenzel <Gunnar_Frenzel@web.de> writes:
Hello,
I've configured openldap (v2.4.16 on FreeBSD 7.2) to listen on ldaps (with a self-signed certificate) as well as ldapi.
[...]
security ssf=128
[...]
Connecting to ldaps (port 636) with clients such as Thunderbird, Apache Directory Studio works fine. But when I try to connect via ldapi (port 389) from a webmail tool on the same server I always get the error "Confidentiality required" from openldap. I want to connect to ldapi (as it is local on the server) without TLS or other encryption but openldap doesn't seem to allow that in my configuration. I tried localSSF set to 0 which doesn't make any difference...
The hard coded ssf for ldapi is 71, so you have to reduce security ssf.
Or set "localSSF 128" to match the requirement...
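The SSF arithmetic this thread turns on, as an added example that is not from the mailing-list posts or from OpenLDAP itself: a small Python model of how slapd compares a connection's security strength factors with the security directive, using the thread's numbers (ldapi default 71, 128-bit TLS ciphers). It assumes the simplified rule that each factor named in the directive is checked independently and that the overall SSF is the strongest factor the connection carries.

```python
# Added illustration, not code from the thread or from OpenLDAP: a small model of
# how slapd compares a connection's security strength factors (SSF) with the
# "security" directive of slapd.conf(5). Numbers are the thread's (ldapi default
# SSF 71, 128-bit TLS ciphers); the rules are simplified and the verdict strings
# are constructed labels, not slapd's own messages.

LDAPI_DEFAULT_SSF = 71   # built-in SSF for ldapi://, overridable with localSSF
TLS_SSF = 128            # SSF of the 128-bit cipher negotiated on ldaps://
FACTORS = ("transport", "tls", "sasl", "ssf")

def parse_security(directive):
    """'security ssf=1 sasl=56 tls=128' -> {'ssf': 1, 'sasl': 56, 'tls': 128}"""
    words = directive.split()
    if not words or words[0] != "security":
        raise ValueError("not a security directive: %r" % directive)
    required = {}
    for token in words[1:]:
        key, sep, value = token.partition("=")
        if key not in FACTORS or not sep or not value.isdigit():
            raise ValueError("unsupported factor: %r" % token)
        required[key] = int(value)
    return required

def connection_factors(scheme, local_ssf=LDAPI_DEFAULT_SSF, sasl_ssf=0):
    """SSFs a connection carries: ldapi gets localSSF, ldaps the TLS cipher's
    strength, a plain ldap:// listener nothing; overall is the strongest."""
    transport = local_ssf if scheme == "ldapi" else 0
    tls = TLS_SSF if scheme == "ldaps" else 0
    return {"transport": transport, "tls": tls, "sasl": sasl_ssf,
            "ssf": max(transport, tls, sasl_ssf)}

def check(directive, scheme, local_ssf=LDAPI_DEFAULT_SSF, sasl_ssf=0):
    """None when every required factor is met, else the first factor too weak."""
    required = parse_security(directive)
    have = connection_factors(scheme, local_ssf, sasl_ssf)
    for factor in FACTORS:
        if have[factor] < required.get(factor, 0):
            return factor
    return None

if __name__ == "__main__":
    # The configurations that come up in the thread, against both listeners.
    for directive, local in (("security ssf=128", LDAPI_DEFAULT_SSF),  # original
                             ("security ssf=128", 128),                # localSSF 128
                             ("security ssf=1", LDAPI_DEFAULT_SSF)):   # what worked
        for scheme in ("ldapi", "ldaps"):
            verdict = check(directive, scheme, local)
            print("%-17s localSSF=%-3d %-5s -> %s" % (directive, local, scheme,
                  "ok" if verdict is None else "rejected: %s too weak" % verdict))
```

The model also shows why ssf=1 is still a meaningful floor: a cleartext ldap:// listener, which carries no SSF at all, would be rejected while the local ldapi socket passes with its default 71.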
openldap-technical@openldap.org