Discussion:
ldapi:/// without TLS; ldap:// with TLS?
Tom
2014-08-19 00:06:01 UTC
I'm running OpenLDAP 2.4 on CentOS. I'm trying to set it up so clients
can use the ldapi:/// socket without TLS, but any clients using ldap://
must use TLS.

I believe that the relevant olc variables are olcLocalSSF and
olcSecurity. I can't get it to work - either TLS is required no matter
which URI I use, or clients can connect without TLS at all.

According to the docs, if I set olcLocalSSF to 128, and olcSecurity to
ssf=128, it should work, but it's not. I can only connect without TLS if
I delete the olcSecurity attribute, which allows anyone to connect
without TLS. What am I doing wrong?
Tom
2014-08-22 12:22:51 UTC
I'm running OpenLDAP 2.4 on CentOS 6.5. I'm trying to set it up so
clients can use the ldapi:/// socket without TLS, but any clients using
ldap:// must use TLS.

I believe that the relevant olc variables are olcLocalSSF and
olcSecurity. I can't get it to work - either TLS is required no matter
which URI I use, or clients can connect without TLS at all.

According to the docs, if I set olcLocalSSF to 128, and olcSecurity to
ssf=128, it should work, but it's not. I can only connect without TLS if
I delete the olcSecurity attribute, which allows anyone to connect
without TLS. What am I doing wrong?
Tom
2014-08-26 13:15:28 UTC
I'm running OpenLDAP 2.4 on CentOS. I'm trying to set it up so clients
can use the ldapi:/// socket without TLS, but any clients using ldap://
must use TLS.

I believe that the relevant olc variables are olcLocalSSF and
olcSecurity. I can't get it to work - either TLS is required no matter
which URI I use, or clients can connect without TLS at all.

According to the docs, if I set olcLocalSSF to 128, and olcSecurity to
ssf=128, it should work, but it's not. I can only connect without TLS if
I delete the olcSecurity attribute, which allows anyone to connect
without TLS.

Has anyone else seen this behaviour?
Philip Guenther
2014-08-26 18:16:24 UTC
Post by Tom
I'm running OpenLDAP 2.4 on CentOS. I'm trying to set it up so clients
can use the ldapi:/// socket without TLS, but any clients using ldap://
must use TLS.
I believe that the relevant olc variables are olcLocalSSF and
olcSecurity. I can't get it to work - either TLS is required no matter
which URI I use, or clients can connect without TLS at all.
According to the docs, if I set olcLocalSSF to 128, and olcSecurity to
ssf=128, it should work, but it's not. I can only connect without TLS if I
delete the olcSecurity attribute, which allows anyone to connect
without TLS.
Has anyone else seen this behaviour?
A 60 second test on an old dev box I had lying around with 2.4.35 using
slapd.conf with
security ssf=128
localSSF 128

found it works Just Fine there: searches with
-H ldapi://
or
-H ldap:// -ZZ
or
-H ldaps://

work, while searches with
-H ldap://

fail with:
ldap_bind: Confidentiality required (13)
additional info: confidentiality required

So, maybe use 'config' logging to verify your bits are being processed
correctly and if so, provide _complete_ information with a dump of your
cn=config (passwords stripped), the logging, and your test cases
w/results.


Philip Guenther
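To make the four-way test above concrete, here is a small Python model of the bookkeeping slapd does per connection. It is an added illustration for this thread, not OpenLDAP's own code: it follows the rules in slapd.conf(5) (a session carries transport, TLS and SASL strength factors; localSSF is the transport SSF given to ldapi:// sessions; security lists minimums every operation must meet) and reproduces the "Confidentiality required (13)" outcome for a plain ldap:// session. The 256-bit figure used for the TLS cases is an assumption standing in for whatever cipher the real session negotiates. The cn=config equivalents of the two slapd.conf lines are `olcLocalSSF: 128` on `cn=config` and `olcSecurity: ssf=128` on `cn=config` (or on the olcDatabase entry).

```python
"""Model of the 'security'/'localSSF' decision slapd makes per connection.

Added illustration for this thread, not OpenLDAP's own code. It follows the
rules in slapd.conf(5): a connection carries transport, TLS and SASL
strength factors; 'localSSF' is the transport SSF slapd assigns to ldapi://
sessions; 'security' lists minimums that every operation must meet.
"""
from dataclasses import dataclass
from typing import Dict, Optional

LOCAL_SSF_DEFAULT = 71  # slapd's default localSSF when the directive is absent


@dataclass
class Conn:
    """Strength factors slapd tracks for one client session."""
    transport_ssf: int = 0  # localSSF for ldapi://, 0 for TCP listeners
    tls_ssf: int = 0        # cipher strength once TLS is up, else 0
    sasl_ssf: int = 0       # SASL security-layer strength, else 0

    @property
    def ssf(self) -> int:
        # Overall SSF: the strongest protection currently in effect.
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)


def new_connection(uri: str, tls_cipher_bits: int = 0,
                   local_ssf: int = LOCAL_SSF_DEFAULT) -> Conn:
    """Factors a fresh session has for a listener URI.

    tls_cipher_bits > 0 means ldaps:// was used or StartTLS (ldapsearch -ZZ)
    succeeded on a plain ldap:// session.
    """
    scheme = uri.split(":", 1)[0]
    if scheme == "ldapi":
        # Unix-domain socket: no TLS is ever negotiated, but slapd credits
        # the session with localSSF as its transport SSF.
        return Conn(transport_ssf=local_ssf)
    if scheme in ("ldap", "ldaps"):
        return Conn(tls_ssf=tls_cipher_bits)
    raise ValueError(f"unknown scheme {scheme!r}")


def parse_security(directive: str) -> Dict[str, int]:
    """Parse a 'security' / olcSecurity value such as 'ssf=128 tls=0'.

    Only the four strength-factor keywords are modelled; others raise.
    """
    required: Dict[str, int] = {}
    for item in directive.split():
        name, sep, value = item.partition("=")
        if not sep or name not in ("ssf", "transport", "tls", "sasl"):
            raise ValueError(f"factor {item!r} not handled by this model")
        required[name] = int(value)
    return required


def check_restrictions(conn: Conn, directive: str) -> Optional[str]:
    """None if the session meets the directive, else slapd's diagnostic text.

    Each factor is compared against its own minimum. 'ssf' is the overall
    value, so a strong transport (ldapi with localSSF) or strong TLS both
    satisfy it, whereas 'tls=' can only be satisfied by real TLS.
    """
    required = parse_security(directive)
    if conn.ssf < required.get("ssf", 0):
        return "confidentiality required"
    if conn.transport_ssf < required.get("transport", 0):
        return "transport confidentiality required"
    if conn.tls_ssf < required.get("tls", 0):
        return "TLS confidentiality required"
    if conn.sasl_ssf < required.get("sasl", 0):
        return "SASL confidentiality required"
    return None


def run_matrix(directive: str = "ssf=128", local_ssf: int = 128,
               tls_cipher_bits: int = 256) -> Dict[str, Optional[str]]:
    """Evaluate the four ldapsearch invocations from the thread.

    tls_cipher_bits=256 is an assumed cipher strength for the TLS cases.
    """
    sessions = {
        "-H ldapi://":    new_connection("ldapi:///", local_ssf=local_ssf),
        "-H ldap://":     new_connection("ldap://host", local_ssf=local_ssf),
        "-H ldap:// -ZZ": new_connection("ldap://host", tls_cipher_bits, local_ssf),
        "-H ldaps://":    new_connection("ldaps://host", tls_cipher_bits, local_ssf),
    }
    return {name: check_restrictions(c, directive) for name, c in sessions.items()}


if __name__ == "__main__":
    for title, kwargs in [
        ("security ssf=128 + localSSF 128 (the working setup)", {}),
        ("security ssf=128, localSSF left at its default of 71", {"local_ssf": 71}),
        ("security tls=128 + localSSF 128 (wrong keyword)", {"directive": "tls=128"}),
    ]:
        print(title)
        for name, verdict in run_matrix(**kwargs).items():
            print(f"  {name:16} -> {verdict or 'ok'}")
```

Running the script shows the two ways the intended setup goes wrong. If localSSF is not actually in effect (the default is 71, below 128), ldapi:// sessions fail with the same "confidentiality required" as plain ldap://, which looks like TLS being demanded on every URI. If the minimum is written as tls=128 instead of ssf=128, ldapi:// is rejected no matter what localSSF says, because localSSF counts toward the transport and overall SSF, never the TLS SSF.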