[Date Prev][Date Next]
Re: openldap+TLS 'works', but slapd.log reports "err=13 text=TLS confidentiality required" @ slapd start
On Fri, 22 Aug 2008, Ben Wailea, openldap-software wrote:
> ldapadd & ldapsearch seem to work over TLS as well,
> ldapadd -ZZ -x -D "cn=admin,dc=domain,dc=com" -f
> /etc/openldap/admin.ldif -w 'secret'
> with slapd.log showing,
> Aug 22 11:17:07 ldap slapd: conn=12 fd=12 ACCEPT from
> IP=192.168.1.17:34861 (IP=192.168.1.17:389)
> Aug 22 11:17:07 ldap slapd: conn=12 op=0 EXT oid=188.8.131.52.4.1.1466.20037
> Aug 22 11:17:07 ldap slapd: conn=12 op=0 STARTTLS
> Aug 22 11:17:07 ldap slapd: conn=12 op=0 RESULT oid= err=0 text=
> Aug 22 11:17:07 ldap slapd: conn=12 fd=12 TLS established
> tls_ssf=256 ssf=256
Note the EXT/STARTTLS/TLS log messages there, showing that the client
(ldapadd) actually used the STARTTLS operation.
> but, on slapd service (re)start, i see in slapd.log,
> Aug 22 11:02:47 ldap slapd: slapd starting
> Aug 22 11:02:48 ldap slapd: conn=0 fd=12 ACCEPT from
> IP=192.168.1.17:42320 (IP=192.168.1.17:389)
> Aug 22 11:02:48 ldap slapd: conn=0 op=0 BIND dn="" method=128
Note the *lack* of those EXT/STARTTLS/TLS messages. The client that made
that connection didn't use the StartTls operation, so it wasn't using an
encrypted connection so...
> Aug 22 11:02:48 ldap slapd: conn=0 op=0 RESULT tag=97 err=13
> text=TLS confidentiality required
...the bind was in the clear, which your slapd configuration rejects.
> what are these multiple connection "text=TLS confidentiality required"
> errors due to?
Those are clients that don't use StartTLS when your server config requires
> i'm guessing it has to do with security restrictions set in slapd.conf.
> reading @ http://www.openldap.org/doc/admin24/security.html, i've,
Hmm, I don't see these options on that web page.
> security ssf=256 tls=256 update_tls=256 simple_bind=256
That seems like an unusual and/or redundant set of requirements. If I'm
reading things correctly, that line should have the exact same behavior as
I.e., refuse to do _anything_ unless TLS is negotiated with an SSF of at
least 256 (i.e., 256 bit encryption cipher). Is that *really* the
requirement you mean to enforce?
> disallow tls_2_anon
Hmm, why do you set that option? Do you know why the default isn't to do
> require bind LDAPv3
I get the sense that you want to lock this server down by banning anything
you aren't sure about.
> are these settings correct, and/or are they resposible for those
> slapd.log messages? something else?
"Correct" depends on what you're trying to acheive.
Yes, they're responsible: you told the server "require TLS!" so it's
refusing the clients that don't use TLS. I'm surprised it's a question.