
Re: openldap+TLS 'works', but slapd.log reports "err=13 text=TLS confidentiality required" @ slapd start



On Fri, 22 Aug 2008, Ben Wailea, openldap-software wrote:
...
> ldapadd & ldapsearch seem to work over TLS as well,
>
>   ldapadd -ZZ -x -D "cn=admin,dc=domain,dc=com" -f /etc/openldap/admin.ldif -w 'secret'
...
> with slapd.log showing,
> 
> 	Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 ACCEPT from IP=192.168.1.17:34861 (IP=192.168.1.17:389)
> 	Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> 	Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 STARTTLS
> 	Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 RESULT oid= err=0 text=
> 	Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 TLS established tls_ssf=256 ssf=256
...

Note the EXT/STARTTLS/TLS log messages there, showing that the client 
(ldapadd) actually used the STARTTLS operation.


...
> but, on slapd service (re)start, i see in slapd.log,
> 
> 	Aug 22 11:02:47 ldap slapd[31441]: slapd starting
> 	Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 ACCEPT from IP=192.168.1.17:42320 (IP=192.168.1.17:389)
> 	Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 BIND dn="" method=128

Note the *lack* of those EXT/STARTTLS/TLS messages.  The client that made 
that connection didn't use the StartTls operation, so it wasn't using an 
encrypted connection so...

> 	Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required

...the bind was in the clear, which your slapd configuration rejects.


> what are these multiple connection "text=TLS confidentiality required"
> errors due to?

Those are clients that don't use StartTLS when your server config requires 
it.


> i'm guessing it has to do with security restrictions set in slapd.conf.
> 
> reading @  http://www.openldap.org/doc/admin24/security.html, i've,

Hmm, I don't see these options on that web page.


> 	...
> 	security ssf=256 tls=256 update_tls=256 simple_bind=256

That seems like an unusual and/or redundant set of requirements.  If I'm 
reading things correctly, that line should have the exact same behavior as 
this one:
 	security tls=256

I.e., refuse to do _anything_ unless TLS is negotiated with an SSF of at 
least 256 (i.e., 256 bit encryption cipher).  Is that *really* the 
requirement you mean to enforce?


> 	disallow tls_2_anon

Hmm, why do you set that option?  Do you know why the default isn't to do 
that?


> 	require  bind LDAPv3

I get the sense that you want to lock this server down by banning anything 
you aren't sure about.


> are these settings correct, and/or are they responsible for those
> slapd.log messages? something else?

"Correct" depends on what you're trying to achieve.

Yes, they're responsible: you told the server "require TLS!" so it's 
refusing the clients that don't use TLS.  I'm surprised it's a question.


Philip Guenther
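As an added illustration (not part of the thread and not OpenLDAP code): the diagnosis above rests on reading the slapd log per connection, i.e. checking whether a "TLS established" line for conn=N precedes that connection's BIND. The script below mechanises that check. It replays log lines keyed on conn=N, records the negotiated tls_ssf once "TLS established" appears, and flags every BIND issued while the connection's SSF is still below the required minimum, whether or not slapd rejected it (so it also finds cleartext binds on a server that has not yet set a `security` line). The sample log reuses the excerpts quoted above with the mail-client line wrapping undone; the two conn=12 BIND/RESULT lines are constructed to show what the ldapadd bind looks like after STARTTLS, since the thread does not show them. The function and variable names are the example's own.

```python
import re

# slapd log fragments we care about.  Each line after the syslog prefix is
# "conn=N <rest>", and <rest> is one of ACCEPT / STARTTLS / TLS established /
# BIND / RESULT (other ops are ignored).
_CONN_RE = re.compile(r"conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
_ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[\d.]+):(?P<port>\d+)")
_TLS_OK_RE = re.compile(r"TLS established\s+tls_ssf=(?P<tls_ssf>\d+)\s+ssf=(?P<ssf>\d+)")
_BIND_RE = re.compile(r'op=(?P<op>\d+)\s+BIND\s+dn="(?P<dn>[^"]*)"\s+method=(?P<method>\d+)')
_RESULT_RE = re.compile(r"op=(?P<op>\d+)\s+RESULT\s+.*?err=(?P<err>\d+)\s+text=(?P<text>.*)$")

# Sample input: lines quoted in the thread (unwrapped), plus two CONSTRUCTED
# lines (conn=12 op=1 BIND / RESULT) showing the ldapadd bind after STARTTLS.
SAMPLE_LOG = """\
Aug 22 11:02:47 ldap slapd[31441]: slapd starting
Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 ACCEPT from IP=192.168.1.17:42320 (IP=192.168.1.17:389)
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 BIND dn="" method=128
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 ACCEPT from IP=192.168.1.17:34861 (IP=192.168.1.17:389)
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 STARTTLS
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 RESULT oid= err=0 text=
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 TLS established tls_ssf=256 ssf=256
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 BIND dn="cn=admin,dc=domain,dc=com" method=128
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 RESULT tag=97 err=0 text=
"""


def parse_connections(log_text):
    """Replay slapd log lines and build per-connection state.

    Returns {conn_id: {"ip": str|None, "tls_ssf": int, "binds": [bind, ...]}}.
    Each bind records the connection's tls_ssf *at the moment the BIND was
    issued* (0 means no "TLS established" line had been seen yet), and the
    err/text of the matching RESULT once it arrives.
    """
    conns = {}
    for line in log_text.splitlines():
        m = _CONN_RE.search(line)
        if not m:
            continue  # e.g. "slapd starting": not tied to a connection
        conn_id = int(m.group("conn"))
        rest = m.group("rest")
        state = conns.setdefault(conn_id, {"ip": None, "tls_ssf": 0, "binds": []})
        if (a := _ACCEPT_RE.search(rest)):
            state["ip"] = a.group("ip")
        elif (t := _TLS_OK_RE.search(rest)):
            # Only a successful handshake raises the connection's SSF;
            # the STARTTLS request/RESULT lines by themselves prove nothing.
            state["tls_ssf"] = int(t.group("tls_ssf"))
        elif (b := _BIND_RE.search(rest)):
            state["binds"].append({
                "op": int(b.group("op")), "dn": b.group("dn"),
                "method": int(b.group("method")),
                "tls_ssf": state["tls_ssf"], "err": None, "text": "",
            })
        elif (r := _RESULT_RE.search(rest)):
            op = int(r.group("op"))
            for bind in state["binds"]:
                if bind["op"] == op and bind["err"] is None:
                    bind["err"] = int(r.group("err"))
                    bind["text"] = r.group("text").strip()
    return conns


def weak_binds(log_text, min_ssf=256):
    """Binds attempted with no TLS, or TLS below min_ssf, rejected or not.

    Returns a list of (conn_id, client_ip, bind_dn, tls_ssf_at_bind, err),
    ordered by connection id.  err is slapd's result code (13 here means
    "TLS confidentiality required"), or None if no RESULT was logged.
    """
    out = []
    for conn_id, state in sorted(parse_connections(log_text).items()):
        for bind in state["binds"]:
            if bind["tls_ssf"] < min_ssf:
                out.append((conn_id, state["ip"], bind["dn"], bind["tls_ssf"], bind["err"]))
    return out


if __name__ == "__main__":
    for conn_id, ip, dn, ssf, err in weak_binds(SAMPLE_LOG):
        print(f"conn={conn_id} from {ip}: bind dn={dn!r} at tls_ssf={ssf} (server err={err})")
```

Run against the sample it reports only conn=0 (the anonymous bind that slapd answered with err=13); conn=12 passes because its bind followed a "TLS established tls_ssf=256" line. Raising `min_ssf` above the negotiated strength makes the conn=12 bind show up too, which is the same check slapd's `security tls=<n>` performs at bind time.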