Re: TLS - verifying and requiring its use

Fran Fabrizio writes:
> 1. What slapd debug level would tell me whether or not TLS is being used
> for a particular connection?  I am trying to figure out whether a
> particular client application is using TLS.

Since OpenLDAP 2.3.6, loglevel 256 has logged TLS operations.

With OpenLDAP 2.2, loglevel 256 shows the connection's port number.  So
you can tell when clients connect to the ldaps:// port (default 636),
but it does not log StartTLS over the ldap:// port (default 389).
Loglevel 1 (trace function calls) shows some TLS activity.  So does
level 2 (packet logging), but if you log all LDAP data sent over the net
the log will include passwords.

> 2. What are the right slapd.conf settings to -require- clients to use
> TLS?  I was not able to figure this out from looking at the slapd.conf
> man page.  I am currently using openldap 2.2.23.  I know it is a
> little old and I plan to upgrade soon, but for now, this is my target
> version for getting required TLS working.

security tls=128 ssf=128

Possibly 128 should be something else, depends on what strength you wish
to require.  And I'm not sure if the ssf is necessary when you have tls
anyway, but it doesn't hurt.  See the sasl-secprops keyword in 'man
slapd.conf' for a description of security strength factors.

If you want finer control, see the 'allow' and 'disallow' keywords.

You can also use security strengths in access controls.  However that
rejects e.g. Bind with Invalid credentials instead of Confidentiality
Required, so a user who tried to Bind without TLS may think he mistyped
his password and send it unencrypted over the network again.
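To illustrate the two approaches contrasted above, here is an added slapd.conf fragment; it is an example for this thread, not configuration from the poster or the original message. Directive names are those documented in slapd.conf(5) and slapd.access(5); the certificate paths and the ou=people DN are placeholders.

```conf
# Added example: requiring TLS in slapd.conf (placeholder paths and DNs).

# Server certificate material (placeholder paths)
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile  /etc/openldap/slapd-key.pem

# Stats logging; on 2.3.6 and later this level also records TLS
# establishment, so it is enough to see which connections use TLS.
loglevel 256

# Global approach: every operation on a connection whose overall security
# strength factor is below 128 is rejected with "Confidentiality Required".
# tls=128 additionally demands that the strength come from TLS itself, not
# from a SASL integrity/privacy layer.  Adjust 128 to the strength wanted.
security ssf=128 tls=128

# Optional finer control from the allow/disallow keywords: refuse anonymous
# binds outright.  simple_bind=128 is the narrower alternative that only
# protects simple Bind operations rather than every operation.
disallow bind_anon
# security simple_bind=128

# ACL approach for one subtree.  This enforces the same strength, but an
# unprotected Bind fails with "Invalid credentials" rather than
# "Confidentiality Required", because at SSF 0 no clause grants "auth"
# access to userPassword.  A user may then retype the password in the clear.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by anonymous ssf=128 auth
    by self ssf=128 write
    by * none
access to dn.subtree="ou=people,dc=example,dc=com"
    by users ssf=128 read
    by * none
```

The global `security` directive is the one to reach for when the requirement is simply "no plaintext at all"; the ACL form is useful when only part of the tree needs protection, at the cost of the less informative error described in the message above.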