https://bugs.openldap.org/show_bug.cgi?id=9698
Issue ID: 9698
Summary: per database olcSecurity: tls=0 does not override
olcSecurity: tls=1 from the frontend
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
I have these databases:
cn=config
frontend,cn=config
mdb/suffix o=A,cn=config
mdb/suffix o=B,cn=config
slapd listens on port 389.
I want to make sure that
• all requests to suffix o=A are served after STARTTLS, as these come from the
wild internet.
• all requests to suffix o=B do not have to utilize STARTTLS (ldaps), as these
are local to the machine, and
• if a request to the root DSE is made, without using STARTTLS, the client
shall get “ldap_bind: Confidentiality required (13) additional info: TLS
confidentiality required”.
To enforce STARTTLS for suffix o=A I put there `olcSecurity: tls=1`.
If I set
dn: olcDatabase=frontend,cn=config
olcAccess: to dn="" by tls_ssf=256 * read
and the rootDSE is requested without STARTTLS, the result is just empty, rather
than “ldap_bind: Confidentiality required (13) additional info: TLS
confidentiality required”.
To get the “confidentiality required” for the root DSE I have to put
dn: olcDatabase=frontend,cn=config
olcSecurity: tls=1
or
dn: cn=config
olcSecurity: tls=1
It was unclear to me which one I should use, but both serve the same purpose.
Now I want to allow no-STARTTLS access to suffix o=B. I put there “olcSecurity:
tls=0”. Irrespective of whether only cn=config or only
olcDatabase=frontend,cn=config contains “olcSecurity: tls=1”, the “olcSecurity:
tls=0” in suffix o=B is not enacted.
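The following script is an added example and not part of the issue or of the OpenLDAP project. It turns the three requirements of the report into a regression probe: it emits the LDIF for the intended policy (frontend tls=1, o=A tls=1, o=B tls=0) and then queries the root DSE, o=A and o=B without STARTTLS, comparing each outcome against what the policy should produce. It assumes slapd is reachable at `$LDAP_URI` (default `ldap://localhost:389`), that the o=A and o=B databases are `olcDatabase={1}mdb` and `olcDatabase={2}mdb` under cn=config (placeholders, adjust to your ordering), and that ldapsearch's exit status is the LDAP result code (13 = Confidentiality required).

```shell
#!/bin/sh
# Added example (not from the issue or the OpenLDAP project): regression probe
# for "STARTTLS required on root DSE and o=A, waived on o=B".
# Assumptions: slapd at $LDAP_URI; o=A / o=B are olcDatabase={1}mdb / {2}mdb.
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"

# LDIF expressing the intended policy. The frontend entry is one of the two
# places the report says produce "Confidentiality required" for the root DSE.
# Apply with:  intended_config_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
intended_config_ldif() {
  cat <<'EOF'
dn: olcDatabase=frontend,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=0
EOF
}

# Map an ldapsearch exit status to the outcome we care about.
# ldapsearch exits with the LDAP result code; 13 is "Confidentiality required".
classify_rc() {
  case "$1" in
    0)  echo served ;;
    13) echo refused ;;
    *)  echo "error($1)" ;;
  esac
}

# One plain (no -ZZ, anonymous simple bind) base-scope search against a DN,
# compared with the outcome the policy above should give for that DN.
probe() {
  base="$1"; expected="$2"
  ldapsearch -x -H "$LDAP_URI" -s base -b "$base" 1.1 >/dev/null 2>&1
  rc=$?
  actual=$(classify_rc "$rc")
  if [ "$actual" = "$expected" ]; then status=ok; else status=MISMATCH; fi
  printf '%-8s base=%-6s expected=%-8s got=%s\n' \
    "$status" "'$base'" "$expected" "$actual"
  [ "$status" = ok ]
}

# Returns the number of requirements that are not met.
run_probes() {
  fails=0
  probe ""    refused || fails=$((fails+1))   # root DSE: frontend tls=1
  probe "o=A" refused || fails=$((fails+1))   # internet-facing suffix, tls=1
  probe "o=B" served  || fails=$((fails+1))   # local suffix, tls=0 should win
  return "$fails"
}

# Only contact the server when invoked as:  sh probe.sh run
if [ "${1-}" = "run" ]; then
  run_probes
fi
```

On a server showing the behaviour described in this report, the first two probes print `ok` and the o=B probe prints `MISMATCH ... expected=served got=refused`, because the per-database `tls=0` is not taking precedence over the frontend's `tls=1`; once that is resolved, all three should print `ok` and `run_probes` returns 0.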