I'm setting up new LDAP servers with replication, and I configured TLS, but I see this in my log:
May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" method=128
May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" mech=SIMPLE ssf=0
Does this mean that TLS is failing and it is falling back to ssf=0? I think my master is configured to not allow unencrypted connections:
disallow bind_anon
require bind
security simple_bind=128
Albert Braden
About.com Systems Operations
1500 Broadway 6th Floor
New York, NY 10036
desk: 212-204-1448 | mobile: 917-480-1090
aim:albertatabout
--On Monday, May 11, 2015 3:32 PM +0000 Albert Braden abraden@about.com wrote:
> I'm setting up new LDAP servers with replication, and I configured TLS, but I see this in my log:
>
> May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" method=128
> May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" mech=SIMPLE ssf=0
>
> Does this mean that TLS is failing and it is falling back to ssf=0? I think my master is configured to not allow unencrypted connections:
You left out the lines before that from the log which clearly show it set TLS ;)
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
-----Original Message----- From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] Sent: Monday, May 11, 2015 3:49 PM To: Albert Braden; openldap-technical@openldap.org Subject: Re: TLS failing?
> --On Monday, May 11, 2015 3:32 PM +0000 Albert Braden abraden@about.com wrote:
>
> > I'm setting up new LDAP servers with replication, and I configured TLS, but I see this in my log:
> >
> > May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" method=128
> > May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" mech=SIMPLE ssf=0
> >
> > Does this mean that TLS is failing and it is falling back to ssf=0? I think my master is configured to not allow unencrypted connections:
>
> You left out the lines before that from the log which clearly show it set TLS ;)
>
> --Quanah
Hi Quanah,
My concern is that it might be successfully negotiating TLS and then falling back to cleartext for some reason. I don't understand the significance of the "ssf=0" line.
--On Monday, May 11, 2015 10:31 PM +0000 Albert Braden abraden@about.com wrote:
> Hi Quanah,
>
> My concern is that it might be successfully negotiating TLS and then falling back to cleartext for some reason. I don't understand the significance of the "ssf=0" line.
It's hard coded:

    /* log authorization identity */
    Statslog( LDAP_DEBUG_STATS,
        "%s BIND dn=\"%s\" mech=%s ssf=0\n",
        op->o_log_prefix, op->o_conn->c_dn.bv_val, op->orb_mech.bv_val, 0, 0 );

so what you care about is the preceding lines.
--Quanah
--On Monday, May 11, 2015 3:42 PM -0700 Quanah Gibson-Mount quanah@zimbra.com wrote:
> --On Monday, May 11, 2015 10:31 PM +0000 Albert Braden abraden@about.com wrote:
>
> > Hi Quanah,
> >
> > My concern is that it might be successfully negotiating TLS and then falling back to cleartext for some reason. I don't understand the significance of the "ssf=0" line.
>
> It's hard coded:
>
>     /* log authorization identity */
>     Statslog( LDAP_DEBUG_STATS,
>         "%s BIND dn=\"%s\" mech=%s ssf=0\n",
>         op->o_log_prefix, op->o_conn->c_dn.bv_val, op->orb_mech.bv_val, 0, 0 );
>
> so what you care about is the preceding lines.
See also http://www.openldap.org/its/index.cgi/?findid=8140
--Quanah
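A way to check what Quanah is pointing at, as an added example that is neither from this thread nor from OpenLDAP itself: correlate every BIND with the "TLS established" line logged earlier on the same conn= and ignore the hard-coded ssf=0 on the BIND line. The log lines are constructed (syslog prefix stripped) and the patterns assume the 2.4-era stats log format seen in the thread; because it keys only on "TLS established", it covers both StartTLS and ldaps:// connections.

```python
import re
from collections import defaultdict

# Constructed sample of slapd stats logging (syslog prefix stripped): conn=2572 runs
# STARTTLS before binding, conn=2573 binds in the clear and is refused by the server.
SAMPLE_LOG = """\
conn=2572 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
conn=2572 op=0 STARTTLS
conn=2572 op=0 RESULT oid= err=0 text=
conn=2572 fd=12 TLS established tls_ssf=256 ssf=256
conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" method=128
conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" mech=SIMPLE ssf=0
conn=2572 op=1 RESULT tag=97 err=0 text=
conn=2573 fd=13 ACCEPT from IP=10.0.0.6:40022 (IP=0.0.0.0:389)
conn=2573 op=0 BIND dn="cn=manager,dc=about,dc=com" method=128
conn=2573 op=0 BIND dn="cn=manager,dc=about,dc=com" mech=SIMPLE ssf=0
conn=2573 op=0 RESULT tag=97 err=13 text=confidentiality required
"""

CONN_RE = re.compile(r"conn=(\d+)\s+(.*)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
# The ssf=... on the BIND line is the hard-coded 0 from Statslog: matched, then ignored.
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" mech=(\S+) ssf=\d+')


def audit_binds(log_text):
    """One record per simple BIND, carrying the ssf of the TLS layer negotiated
    earlier on the same conn= (0 if no 'TLS established' line preceded the bind)."""
    tls_ssf = defaultdict(int)  # conn id -> ssf from its last 'TLS established' line
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        conn, rest = m.groups()
        tls = TLS_RE.search(rest)
        if tls:
            tls_ssf[conn] = int(tls.group(2))
            continue
        bind = BIND_RE.search(rest)
        if bind:
            findings.append({"conn": conn, "op": int(bind.group(1)), "dn": bind.group(2),
                             "mech": bind.group(3), "tls_ssf": tls_ssf[conn],
                             "encrypted": tls_ssf[conn] > 0})
    return findings


def cleartext_binds(log_text):
    """The binds worth worrying about: those with no TLS layer underneath them."""
    return [f for f in audit_binds(log_text) if not f["encrypted"]]
```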
openldap-technical@openldap.org