On Dec 21, 2012, at 10:00 AM, Wiebe Cazemier <[email protected]> wrote:
> Hi,
>
> I'm trying to get slapd to reject non-encrypted connections, but nowhere can
> I find how you configure it to *only* accept TLS traffic. I just confirmed
> that our server accepts unencrypted traffic (with ldapsearch and tcpdump).
> Normally, I would just close the non-SSL port with IP tables, but using the
> SSL port is deprecated, apparently, so I don't have that option.
>
> So, with the cn=config SSL configuration commands, like this:
>
> dn: cn=config
> changetype:modify
> replace: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ssl/bla.key
> -
> replace: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ssl/bla.crt
> -
> replace: olcTLSCACertificateFile
> olcTLSCACertificateFile: /etc/ssl/ca.pem
>
> Is there a param for forcing TLS? I tried:
>
> dn: cn=config
> changetype: modify
> replace: olcTLSCipherSuite
> olcTLSCipherSuite: TLSv1+RSA:!NULL
>
> but it doesn't work; the server doesn't start. Debug output:
>
> TLS: could not set cipher list TLSv1+RSA:!NULL.
> main: TLS init def ctx failed: -1
> slapd destroy: freeing system resources.
> slapd stopped.
> connections_destroy: nothing to destroy.
>
> Nor does "olcTLSCipherSuite: HIGH" work.
>
> I looked in the openldap source code, but even there, I can't find how to do
> it.
>
> Slapd: 2.4.21-0ubuntu5.7
> Ubuntu: Ubuntu 10.04.4 LTS

I added an olcSecurity attribute to the database directives for the parts of the server's DIT where I wish to require TLS. To start with I set the value "tls=1".

See also: http://itsecureadmin.com/tag/openldap/

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
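The reply above names the control that actually enforces encryption: olcSecurity on the database (or globally on cn=config), not olcTLSCipherSuite, which only restricts which ciphers a TLS session may negotiate. The cipher-suite strings in the question are OpenSSL syntax; Ubuntu's slapd packages are built against GnuTLS, which expects GnuTLS priority strings instead, so an OpenSSL-style string fails at startup exactly as the debug output shows. The script below is an added example, not part of this thread, that generates the olcSecurity modification and interprets the result of a plaintext probe afterwards. It assumes the protected database is `olcDatabase={1}hdb,cn=config` and that cn=config is modified over `ldapi:///` with SASL EXTERNAL as root, as on a stock Ubuntu install; the hostname and base DN in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed DB DN:
# olcDatabase={1}hdb,cn=config (adjust to the database you want to protect).

# Print an LDIF that requires TLS for every operation against the given
# database. "tls=1" accepts any TLS session; an optional minimum SSF
# (e.g. 128) additionally rejects sessions negotiated with weak ciphers.
# Using "replace" creates the attribute if it does not exist yet.
require_tls_ldif() {
    db_dn="$1"
    min_ssf="$2"
    value="tls=1"
    if [ -n "$min_ssf" ]; then
        value="$value ssf=$min_ssf"
    fi
    printf 'dn: %s\nchangetype: modify\nreplace: olcSecurity\nolcSecurity: %s\n' \
        "$db_dn" "$value"
}

# Interpret the exit status of a plaintext (no -ZZ) ldapsearch probe.
# ldapsearch exits with the LDAP result code, and result code 13 is
# confidentialityRequired, which is what an enforced olcSecurity returns.
classify_plaintext_probe() {
    case "$1" in
        13) echo "enforced: server refused plaintext (confidentialityRequired)" ;;
        0)  echo "NOT enforced: plaintext search succeeded" ;;
        *)  echo "inconclusive: ldapsearch exit status $1" ;;
    esac
}

# Usage (placeholders: ldap.example.com, dc=example,dc=com):
#   require_tls_ldif 'olcDatabase={1}hdb,cn=config' 128 \
#       | ldapmodify -Y EXTERNAL -H ldapi:///
#   ldapsearch -x -H ldap://ldap.example.com -b dc=example,dc=com '(objectClass=*)' >/dev/null 2>&1
#   classify_plaintext_probe $?          # expect "enforced: ..."
#   ldapsearch -x -ZZ -H ldap://ldap.example.com -b dc=example,dc=com '(objectClass=*)'
#   (the -ZZ search must still succeed, proving TLS itself works)
```

Run the probe twice, once without and once with `-ZZ`: the pair distinguishes "TLS is enforced" from "TLS is broken", since a misconfigured certificate also makes the plaintext path look closed while the server is in fact unreachable to everyone.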
