Hi all - As part of routine security remediation my company asked me to remove the support for older TLS versions from my LDAP server. To this effect I restarted the service after running the following:

    sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -a -f olcTLSProtocolMin.ldif

Here is the content of olcTLSProtocolMin.ldif:

    dn: cn=config
    changetype: modify
    add: olcTLSProtocolMin
    olcTLSProtocolMin: 3.3

When I look at the /etc/ldap/slapd.d/cn=config.ldif file I can see the olcTLSProtocolMin: 3.3 entry. However, when I scan the LDAP server using Nessus, the scanner reports older versions of TLS still available. Also, if I scan the supported TLS versions using nmap, it also reports TLS1.0-TLS1.2.

If it helps, here is the cn=config.ldif file:

    dn: cn=config
    objectClass: olcGlobal
    cn: config
    olcArgsFile: /var/run/slapd/slapd.args
    olcLogLevel: stats sync
    olcPidFile: /var/run/slapd/slapd.pid
    olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
    olcTLSCertificateFile: /etc/ssl/certs/my_cert.pem
    olcTLSCertificateKeyFile: /etc/ssl/private/my_slapd_key.pem
    olcToolThreads: 1
    structuralObjectClass: olcGlobal
    entryUUID: SomeUUID
    creatorsName: cn=config
    createTimestamp: 20160311213839Z
    olcTLSProtocolMin: 3.3
    entryCSN: 20220601202658.429433Z#000000#000#000000
    modifiersName: gidNumber=0+uidNumber

Any help will be greatly appreciated.

JRosario
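One way to check the remediation from the client side, as an added example that is not part of the original post: the script maps olcTLSProtocolMin values to the protocol names from slapd-config(5), reads the configured minimum out of cn=config.ldif, and then probes the server with one forced-version StartTLS handshake per protocol using openssl s_client. LDAP_HOST, LDAP_PORT and RUN_AUDIT are placeholders/assumptions, and the probe needs an openssl that supports "-starttls ldap" (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not from the original post: audit which TLS versions an
# OpenLDAP server still negotiates after olcTLSProtocolMin was set.
# Assumes openssl 1.1.1+ (for "-starttls ldap"); LDAP_HOST/LDAP_PORT are
# placeholders for the server under test.
LDAP_HOST="${LDAP_HOST:-ldap.example.test}"
LDAP_PORT="${LDAP_PORT:-389}"
# Map an olcTLSProtocolMin value (SSL "major.minor") to the protocol name
# documented in slapd-config(5): 3.0 SSLv3 ... 3.4 TLS1.3.
tls_name() {
    case "$1" in
        3.0) echo SSLv3 ;;
        3.1) echo TLS1.0 ;;
        3.2) echo TLS1.1 ;;
        3.3) echo TLS1.2 ;;
        3.4) echo TLS1.3 ;;
        *)   echo unknown; return 1 ;;
    esac
}
# Print the olcTLSProtocolMin value found in a cn=config.ldif read on stdin.
configured_min() {
    sed -n 's/^olcTLSProtocolMin: *//p' | head -n 1
}
# True when protocol $1 is at or above minimum $2 (both "3.x" strings).
meets_minimum() {
    [ "${1#*.}" -ge "${2#*.}" ]
}
# One StartTLS handshake on the LDAP port forced to a single version
# (openssl flags tls1, tls1_1, tls1_2, tls1_3); prints accepted/rejected.
probe() {
    if openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -starttls ldap \
            "-$1" </dev/null >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}
# Compare what the server negotiates with the configured minimum ($1).
audit() {
    for pair in 3.1:tls1 3.2:tls1_1 3.3:tls1_2 3.4:tls1_3; do
        ver="${pair%%:*}"; result="$(probe "${pair#*:}")"
        if [ "$result" = accepted ] && ! meets_minimum "$ver" "$1"; then
            echo "FAIL: $(tls_name "$ver") accepted but minimum is $(tls_name "$1")"
        else
            echo "ok:   $(tls_name "$ver") $result"
        fi
    done
}
# Runs only when invoked directly against a server, e.g.:
#   RUN_AUDIT=1 LDAP_HOST=ldap.example.test sh audit_tls.sh /etc/ldap/slapd.d/cn=config.ldif
if [ "${RUN_AUDIT:-0}" = 1 ]; then audit "$(configured_min <"$1")"; fi
```

A version reported as accepted below the configured minimum means slapd is not applying the setting on the port that was probed; a rejected result can also come from a local openssl built without that legacy protocol, so cross-check against the nmap scan.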
