
Re: openldap+TLS 'works', but slapd.log reports "err=13 text=TLS confidentiality required" @ slapd start



On Fri, Aug 22, 2008 at 12:50 PM, Philip Guenther
<guenther+ldapsoft@sendmail.com> wrote:
> Note the *lack* of those EXT/STARTTLS/TLS messages.  The client that made
> that connection didn't use the StartTls operation, so it wasn't using an
> encrypted connection so...

yes.  when i launch the "ldap* -ZZ" from cmd line, it starts TLS as expected.

"all" that's done to generate the above errors is:

    service ldap restart

which, iiuc, simply launches slapd.  so, per your comment,
*specifically* which 'client' is failing to use the StartTLS?

>        security tls=256
>
> I.e., refuse to do _anything_ unless TLS is negotiated with an SSF of at
> least 256 (i.e., 256 bit encryption cipher).  Is that *really* the
> requirement you mean to enforce?

the goal is to always/only use TLS with an AES-256 encryption cipher.
the hope is that that 'security' directive accomplishes that.

>>       disallow tls_2_anon
>
> Hmm, why do you set that option?  Do you know why the default isn't to do
> that?

the goal is to not allow any anonymous connection/bind/etc.

to the extent that 'man slapd.conf' shares

 tls_2_anon disables
 Start TLS from forcing session to anonymous status (see
 also tls_authc).  tls_authc disables StartTLS if
 authenticated (see also tls_2_anon).

that seems to be the right choice.  afaict, there's no additional
documentation on the matter.

and, that description smacks of "read other side" being written on
both sides of a postcard ...

> Yes, they're responsible: you told the server "require TLS!" so it's
> refusing the clients that don't use TLS.  I'm surprised it's a question.

YA tired old sarcastic comment. and you were doing so well ...

reading some of your other posts ... knowing so much more than
everyone else, you really must get exhausted from being so surprised
that people have questions of any kind -- given how everything's so
obvious!
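
An added example, not part of the original thread: one way to answer "which client is failing to use StartTLS" is to group slapd.log lines by `conn=` and list the peer address of every connection that received err=13, together with the TLS strength it had negotiated (0 if none). The log excerpt is constructed for illustration, the function name is hypothetical, and the script assumes stats-level logging from a single slapd run, since connection numbers restart when slapd does.

```python
import re

# Constructed slapd.log excerpt (stats-level logging); not taken from the thread.
SAMPLE_LOG = """\
slapd[4321]: conn=0 fd=12 ACCEPT from IP=127.0.0.1:40112 (IP=0.0.0.0:389)
slapd[4321]: conn=0 op=0 BIND dn="" method=128
slapd[4321]: conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
slapd[4321]: conn=0 fd=12 closed
slapd[4321]: conn=1 fd=12 ACCEPT from IP=192.0.2.10:51544 (IP=0.0.0.0:389)
slapd[4321]: conn=1 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[4321]: conn=1 op=0 STARTTLS
slapd[4321]: conn=1 op=0 RESULT oid= err=0 text=
slapd[4321]: conn=1 fd=12 TLS established tls_ssf=256 ssf=256
slapd[4321]: conn=1 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[4321]: conn=1 op=1 RESULT tag=97 err=0 text=
slapd[4321]: conn=2 fd=14 ACCEPT from IP=192.0.2.20:40220 (IP=0.0.0.0:389)
slapd[4321]: conn=2 op=0 STARTTLS
slapd[4321]: conn=2 fd=14 TLS established tls_ssf=128 ssf=128
slapd[4321]: conn=2 op=1 BIND dn="cn=app,dc=example,dc=com" method=128
slapd[4321]: conn=2 op=1 RESULT tag=97 err=13 text=TLS confidentiality required
"""

CONN = re.compile(r"conn=(\d+) ")
ACCEPT = re.compile(r"ACCEPT from (\S+)")
TLS_UP = re.compile(r"TLS established tls_ssf=(\d+)")
REFUSED = re.compile(r"RESULT .*\berr=13\b")  # 13 = confidentialityRequired


def refused_connections(log_text):
    """Return {conn_id: (peer, tls_ssf)} for connections that got err=13."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        c = conns.setdefault(int(m.group(1)), {"peer": None, "ssf": 0, "refused": False})
        if a := ACCEPT.search(line):
            c["peer"] = a.group(1)
        elif t := TLS_UP.search(line):
            c["ssf"] = int(t.group(1))
        elif REFUSED.search(line):
            c["refused"] = True
    return {cid: (c["peer"], c["ssf"]) for cid, c in conns.items() if c["refused"]}


if __name__ == "__main__":
    for cid, (peer, ssf) in refused_connections(SAMPLE_LOG).items():
        reason = "no TLS established" if ssf == 0 else f"tls_ssf={ssf}"
        print(f"conn={cid} peer={peer}: {reason}")
```

A refused connection from a loopback address with no TLS points at a local process on the server host; one with a nonzero but lower tls_ssf points at a client that did StartTLS but negotiated a cipher weaker than `security tls=256` demands.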