On Fri, 22 Aug 2008, Ben Wailea, openldap-software wrote:
...
> ldapadd & ldapsearch seem to work over TLS as well,
>
> ldapadd -ZZ -x -D "cn=admin,dc=domain,dc=com" -f /etc/openldap/admin.ldif -w 'secret'
...
> with slapd.log showing,
>
> Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 ACCEPT from IP=192.168.1.17:34861 (IP=192.168.1.17:389)
> Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 STARTTLS
> Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 RESULT oid= err=0 text=
> Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 TLS established tls_ssf=256 ssf=256
...

Note the EXT/STARTTLS/TLS log messages there, showing that the client (ldapadd) actually used the STARTTLS operation.

...
> but, on slapd service (re)start, i see in slapd.log,
>
> Aug 22 11:02:47 ldap slapd[31441]: slapd starting
> Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 ACCEPT from IP=192.168.1.17:42320 (IP=192.168.1.17:389)
> Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 BIND dn="" method=128

Note the *lack* of those EXT/STARTTLS/TLS messages. The client that made that connection didn't use the StartTLS operation, so it wasn't using an encrypted connection, so...

> Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required

...the bind was in the clear, which your slapd configuration rejects.

> what are these multiple connection "text=TLS confidentiality required"
> errors due to?

Those are clients that don't use StartTLS when your server config requires it.

> i'm guessing it has to do with security restrictions set in slapd.conf.
>
> reading @ http://www.openldap.org/doc/admin24/security.html, i've,

Hmm, I don't see these options on that web page.

> ...
> security ssf=256 tls=256 update_tls=256 simple_bind=256

That seems like an unusual and/or redundant set of requirements. If I'm reading things correctly, that line should have the exact same behavior as this one:

  security tls=256

I.e., refuse to do _anything_ unless TLS is negotiated with an SSF of at least 256 (i.e., a 256-bit encryption cipher). Is that *really* the requirement you mean to enforce?

> disallow tls_2_anon

Hmm, why do you set that option? Do you know why the default isn't to do that?

> require bind LDAPv3

I get the sense that you want to lock this server down by banning anything you aren't sure about.

> are these settings correct, and/or are they responsible for those
> slapd.log messages? something else?

"Correct" depends on what you're trying to achieve. Yes, they're responsible: you told the server "require TLS!" so it's refusing the clients that don't use TLS. I'm surprised it's a question.

Philip Guenther
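The diagnostic Philip walks through above (group the stats-level log lines by conn=N, check whether EXT/STARTTLS and "TLS established" appear before the BIND, and read err=13 as a cleartext bind refused by the `security` directive) can be automated. The following is an added example, not code from the thread or from OpenLDAP; it parses slapd's default loglevel output for ACCEPT, STARTTLS, "TLS established" and RESULT lines, records each connection's negotiated SSF, and reports which peers were refused with err=13 (LDAP confidentialityRequired) without ever having set up TLS. The log text embedded below is constructed to mirror the two excerpts quoted in the mail; the regexes and the `Conn` record are the example's own.

```python
"""Correlate slapd connection logs to find clients that bind without STARTTLS.

Added example (not from the thread). Parses slapd stats-level lines keyed by
conn=N and flags RESULT err=13 (confidentialityRequired) on connections that
never logged "TLS established".
"""
import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the lines quoted in the mail (not a real capture).
SAMPLE_LOG = """\
Aug 22 11:02:47 ldap slapd[31441]: slapd starting
Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 ACCEPT from IP=192.168.1.17:42320 (IP=192.168.1.17:389)
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 BIND dn="" method=128
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 ACCEPT from IP=192.168.1.17:34861 (IP=192.168.1.17:389)
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 STARTTLS
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 RESULT oid= err=0 text=
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 TLS established tls_ssf=256 ssf=256
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 BIND dn="cn=admin,dc=domain,dc=com" method=128
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 RESULT tag=97 err=0 text=
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):(\d+)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
RESULT_RE = re.compile(r"op=(\d+) RESULT .*?err=(\d+)(?: text=(.*))?$")

LDAP_CONFIDENTIALITY_REQUIRED = 13  # LDAP result code behind "TLS confidentiality required"


@dataclass
class Conn:
    """Per-connection state reconstructed from the log (hypothetical record type)."""
    peer: str = "?"
    starttls: bool = False   # client sent the StartTLS extended operation
    tls_ssf: int = 0         # 0 until a "TLS established" line is seen
    cleartext_refusals: list = field(default_factory=list)  # (op, result text)


def parse_slapd_log(text):
    """Return {conn_id: Conn} for every connection mentioned in the log text."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # e.g. "slapd starting" carries no conn= tag
        cid, rest = int(m.group(1)), m.group(2)
        c = conns.setdefault(cid, Conn())
        if (a := ACCEPT_RE.search(rest)):
            c.peer = f"{a.group(1)}:{a.group(2)}"
        elif rest.endswith("STARTTLS"):
            c.starttls = True
        elif (t := TLS_RE.search(rest)):
            c.tls_ssf = int(t.group(1))
        elif (r := RESULT_RE.search(rest)):
            # err=13 with no TLS layer yet means the operation was attempted in the clear
            if int(r.group(2)) == LDAP_CONFIDENTIALITY_REQUIRED and c.tls_ssf == 0:
                c.cleartext_refusals.append((int(r.group(1)), (r.group(3) or "").strip()))
    return conns


def cleartext_clients(conns):
    """Peers that were refused for lacking TLS; these are the clients to fix."""
    return sorted({c.peer for c in conns.values() if c.cleartext_refusals})


if __name__ == "__main__":
    conns = parse_slapd_log(SAMPLE_LOG)
    for cid, c in sorted(conns.items()):
        state = f"TLS ssf={c.tls_ssf}" if c.tls_ssf else "no TLS"
        print(f"conn={cid} {c.peer} {state} refusals={c.cleartext_refusals}")
    print("clients binding in the clear:", cleartext_clients(conns))
```

Run against a real slapd.log (default loglevel 256 produces these stats lines), the `cleartext_clients` list is exactly the set of peers Philip is pointing at: connections with an ACCEPT and a BIND but no STARTTLS/"TLS established" in between, refused by `security tls=...` with err=13. Connections that do negotiate TLS but still fail carry a different err code and are left alone by this check.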