Nope, olcSecurity didn't help. Still have the problem. I restarted slapd. Please see below:
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: uid eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120919180734Z
entryCSN: 20120919181117.233986Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120919181117Z
Thanks a lot!
Yan
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, September 20, 2012 7:50 AM
To: Quanah Gibson-Mount
Cc: Yan Gong; openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?
Quanah Gibson-Mount wrote:
Should I use olcAccess or olcSecurity? or both? I couldn't find any detailed steps/documentation
olcSecurity would enforce encryption for any and all connections. Note that you have to restart slapd for it to take effect.
Eh, no. olcSecurity changes take effect immediately. No restart needed.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
On Sep 20, 2012, at 5:05 AM, Yan Gong wrote:
Nope, olcSecurity didn't help. Still have the problem. I restarted slapd. Please see below:
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
I believe you're looking for:
olcSecurity: minssf=128
HTH, Josh
Josh:
Thanks for the info!
Did some more tests. Does this mean the olcSecurity setting for TLS works now?
If I try to connect to the LDAP server without TLS, over an unencrypted connection, I get the following error:
root@ldap02:/etc/ldap# ldapsearch -x -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required
If I use the CA certificate and a TLS connection, I can successfully connect to the LDAP server:
root@ldap02:/etc/ldap# ldapsearch -Z -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: Example
description:: TERBUCBFeGFtcGxlIA==

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: c2VjcmV0

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# john, people, example.com
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword:: cGFzc3dvcmQ=
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

# example, groups, example.com
dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

# search result
search: 3
result: 0 Success

# numResponses: 7
# numEntries: 6
root@ldap02:/etc/ldap#
Thanks a lot!
Yan
-----Original Message-----
From: Josh Miller [mailto:joshua@itsecureadmin.com]
Sent: Thursday, September 20, 2012 10:58 AM
To: Yan Gong
Cc: openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?
On Sep 20, 2012, at 5:05 AM, Yan Gong wrote:
Nope, olcSecurity didn't help. Still have the problem. I restarted slapd. Please see below:
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
I believe you're looking for:
olcSecurity: minssf=128
HTH, Josh
On Sep 20, 2012, at 8:01 AM, Yan Gong wrote:
Josh:
Thanks for the info!
Did some more tests. Does this mean the olcSecurity setting for TLS works now?
Yes, this will require the use of encryption.
The OL docs recommend a minssf of 256 (and that is what I use):

"0 (zero) implies no protection, 1 implies integrity protection only, 56 DES or other weak ciphers, 112 triple DES and other strong ciphers, 128 RC4, Blowfish and other modern strong ciphers.

Other possibilities:
transport_ssf=<n>
tls_ssf=<n>
sasl_ssf=<n>

256 is recommended."
re: http://www.openldap.org/doc/admin24/access-control.html#Granting%20and%20Den...
Thanks, Josh
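The two halves of this thread, Howard's and Josh's point that olcSecurity refuses every under-protected connection to the database (live immediately, no restart), and Yan's pair of ldapsearch runs, as one worked script. This is an added example, not code from the thread or from OpenLDAP. It uses the factor names that slapd.conf(5) documents for the security directive (ssf, tls_ssf, simple_bind). The host name ldap02.example.com, the password file /root/.ldap-admin-pw, the bogus probe password and the function names are assumptions; the database DN, admin DN and suffix are the ones shown in Yan's config.

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP): enforce TLS on one
# database, then prove it from a client. Assumed site values below.
URI="${LDAP_URI:-ldap://ldap02.example.com}"
BINDDN="${LDAP_BINDDN:-cn=admin,dc=example,dc=com}"
BASE="${LDAP_BASE:-dc=example,dc=com}"
PWFILE="${LDAP_PWFILE:-/root/.ldap-admin-pw}"   # real admin password, mode 0600
DBDN="olcDatabase={1}hdb,cn=config"

# Step 1: set the requirement on the database entry itself. olcSecurity is
# checked before any ACL, and the change is live as soon as ldapmodify returns
# (no restart). Factor names are those of slapd.conf(5) "security":
#   ssf=128          any operation needs an overall SSF of at least 128
#   tls_ssf=128      ... and that protection must come from TLS specifically
#   simple_bind=128  simple (password) binds need SSF 128 as well
apply_security() {
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: $DBDN
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128
olcSecurity: tls_ssf=128
olcSecurity: simple_bind=128
EOF
}

# Step 2a: plaintext probe. It sends a BOGUS password on purpose: the
# BindRequest crosses the wire unencrypted, and a TLS-only server must answer
# confidentialityRequired (13) before it even looks at the credentials.
plain_probe() {
    ldapsearch -x -H "$URI" -D "$BINDDN" -w "not-the-real-password" \
        -b "$BASE" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1
    echo $?
}

# Step 2b: StartTLS probe with the real password. -ZZ, not -Z: a single -Z
# carries on in the clear when StartTLS fails, which would make the check lie.
starttls_probe() {
    ldapsearch -x -ZZ -H "$URI" -D "$BINDDN" -y "$PWFILE" \
        -b "$BASE" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1
    echo $?
}

# Step 3: judge PLAIN_STATUS STARTTLS_STATUS. ldapsearch exits with the LDAP
# result code, so these are the server's own verdicts:
#   13 confidentialityRequired, 49 invalidCredentials, 0 success.
# Returns 0 only when the server is really TLS-only.
judge() {
    plain=$1
    tls=$2
    if [ "$tls" -ne 0 ]; then
        echo "FAIL: StartTLS bind returned $tls; fix TLS before judging enforcement"
        return 1
    fi
    case "$plain" in
        13) echo "PASS: plaintext bind refused (13), StartTLS bind accepted"
            return 0 ;;
        49) echo "FAIL: plaintext bind was evaluated (49): the password went over the wire in the clear"
            return 1 ;;
        *)  echo "FAIL: plaintext bind returned $plain, expected 13"
            return 1 ;;
    esac
}

main() {
    apply_security || { echo "ldapmodify failed"; return 1; }
    judge "$(plain_probe)" "$(starttls_probe)"
}

# The live steps only run when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh tls-only.sh run` from a client that trusts the server's CA (TLS_CACERT in ldap.conf). Two caveats the thread does not spell out. First, the server can only refuse a plaintext simple bind after the BindRequest, password included, has already crossed the wire, so olcSecurity limits the damage but does not replace client-side TLS (ldaps:// or -ZZ in every client); that is why the probe sends a throwaway password rather than the real one. Second, an overall ssf=128 requirement also refuses ldapi:// sessions to that database, whose SSF is the global localSSF (default 71), and tls_ssf=128 refuses them whatever localSSF is, so local root maintenance of dc=example,dc=com must go over TLS as well, or the requirement must be reduced to ssf=128 with olcLocalSSF raised to 128 for the socket.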
On 20.09.2012 17:01, Yan Gong wrote:
Josh:
Thanks for the info!
Did some more tests. Does this mean the olcSecurity setting for TLS works now?
If I try to connect to the LDAP server without TLS, over an unencrypted connection, I get the following error:
root@ldap02:/etc/ldap# ldapsearch -x -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required
Following this thread, it seems to me that this is exactly what you wanted.
Cheers,
Peter
Peter:
Thanks for the confirmation! I only used olcSecurity, not olcAccess, to enforce the TLS connection. Man, I wish there were more detailed, updated and user-friendly information about OpenLDAP on the web. I guess that's why people are turning to Active Directory: because it is much easier to use.
Yan
-----Original Message-----
From: Peter Gietz [mailto:peter.gietz@daasi.de]
Sent: Thursday, September 20, 2012 11:47 AM
To: Yan Gong
Cc: 'Josh Miller'; openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?
On 20.09.2012 17:01, Yan Gong wrote:
Josh:
Thanks for the info!
Did some more tests. Does this mean the olcSecurity setting for TLS works now?
If I try to connect to the LDAP server without TLS, over an unencrypted connection, I get the following error:
root@ldap02:/etc/ldap# ldapsearch -x -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required
Following this thread, it seems to me that this is exactly what you wanted.
Cheers,
Peter
--
_______________________________________________________________________

Peter Gietz (CEO)
DAASI International GmbH                   phone: +49 7071 407109-0
Europaplatz 3                              Fax:   +49 7071 407109-9
D-72072 Tübingen                           mail:  peter.gietz@daasi.de
Germany                                    Web:   www.daasi.de

DAASI International GmbH, Tübingen
Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175
_______________________________________________________________________
On 20/09/2012 18:02, Yan Gong wrote:
Peter:
Thanks for the confirmation! I only used olcSecurity, not olcAccess, to enforce the TLS connection. Man, I wish there were more detailed, updated and user-friendly information about OpenLDAP on the web.
I think the openldap admin guide is open to contributions...