
RE: How enforce TLS connection to openldap server only?



Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
Please see below:

dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: uid eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120919180734Z
entryCSN: 20120919181117.233986Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120919181117Z

Thanks a lot!

Yan 
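Added example, not code from this thread or from the OpenLDAP project: a small offline audit of the cn=config entry posted above. It unfolds the LDIF (mail-wrapped continuation lines included), decodes the base64 value of olcRootPW (c2VjcmV0 decodes to "secret"), reads the olcSecurity factors, reports any olcAccess "by" clause that grants access without an ssf/tls_ssf condition, and flags a rootPW stored without a {SCHEME} hash prefix. The sample entry is a constructed copy of the posted one trimmed to the attributes the audit reads. The note about placing olcSecurity on olcDatabase={-1}frontend is the reviewer's recommendation, based on slapd-config(5) allowing the directive globally and/or per database; the thread itself does not establish why the database-level setting did not take effect.

```python
"""Offline audit of an OpenLDAP cn=config database entry for TLS enforcement."""
import base64
import re

# Constructed sample input: a copy of the olcDatabase={1}hdb entry from the
# thread, trimmed to the attributes this audit reads (not a live slapcat dump).
SAMPLE_ENTRY = """\
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write b
 y tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: c2VjcmV0
"""

# "who" qualifiers that tie a by-clause to the connection's security strength
SSF_KEYS = {"ssf", "transport_ssf", "tls_ssf", "sasl_ssf"}
# control words that may trail the access level in a by-clause
CONTROLS = {"stop", "continue", "break"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Folded lines (leading space) are joined back onto the previous line and
    base64 values ("attr:: ...") are decoded, so the dump reads as slapd wrote it.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        elif line and not line.startswith("#"):
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "::" marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def security_factors(attrs):
    """Flatten every olcSecurity value into {factor: minimum strength}."""
    factors = {}
    for value in attrs.get("olcSecurity", []):
        for token in value.split():
            name, _, num = token.partition("=")
            factors[name] = int(num)
    return factors


def by_clauses(acl):
    """Split one olcAccess value into its 'by <who> <access>' clauses."""
    body = re.sub(r"^\{\d+\}", "", acl).strip()   # drop the {n} ordering prefix
    return [c.strip() for c in re.split(r"(?<!\S)by(?!\S)", body)[1:]]


def unprotected_clauses(acl):
    """Clauses that grant more than 'none' without any ssf condition on the who part."""
    bad = []
    for clause in by_clauses(acl):
        tokens = clause.split()
        while tokens and tokens[-1] in CONTROLS:
            tokens.pop()
        access = tokens[-1] if tokens else "none"
        has_ssf = any(t.split("=")[0] in SSF_KEYS for t in tokens)
        if access != "none" and not has_ssf:
            bad.append(clause)
    return bad


def rootpw_is_cleartext(attrs):
    """True when olcRootPW lacks a {SCHEME} prefix, i.e. is stored unhashed."""
    return any(not v.startswith("{") for v in attrs.get("olcRootPW", []))


def audit(text, min_ssf=128):
    """Return a list of findings for one database entry."""
    attrs = parse_ldif_entry(text)
    factors = security_factors(attrs)
    findings = []
    if max(factors.get("ssf", 0), factors.get("tls", 0)) < min_ssf:
        findings.append("olcSecurity does not require an encrypted transport of strength %d" % min_ssf)
    if factors.get("simple_bind", 0) < min_ssf:
        findings.append("simple binds are allowed over a weaker transport (simple_bind factor)")
    for acl in attrs.get("olcAccess", []):
        for clause in unprotected_clauses(acl):
            findings.append("ACL grants access without an ssf condition: by " + clause)
    if rootpw_is_cleartext(attrs):
        findings.append("olcRootPW is stored in cleartext; hash it with slappasswd")
    dn = attrs.get("dn", [""])[0]
    if dn.startswith("olcDatabase=") and "frontend" not in dn:
        findings.append("olcSecurity on " + dn + " applies only to operations against that "
                        "database; a server-wide requirement belongs on olcDatabase={-1}frontend")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRY):
        print("-", finding)
```

To confirm the factors are live on a running server, run a cleartext search from a client: `ldapsearch -x -H ldap://server -b dc=example,dc=com` should be refused with "Confidentiality required (13)", while the same search with `-ZZ` (STARTTLS, failing if TLS cannot be negotiated) succeeds.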


-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Thursday, September 20, 2012 7:50 AM
To: Quanah Gibson-Mount
Cc: Yan Gong; openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?

Quanah Gibson-Mount wrote:
>> Should I use olcAccess or olcSecurity? or both? I couldn't find any 
>> detailed steps/documentation
> 
> olcSecurity would enforce encryption for any and all connections.  
> Note that you have to restart slapd for it to take effect.

Eh, no. olcSecurity changes take effect immediately. No restart needed.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/