
Re: How enforce TLS connection to openldap server only?



On Sep 20, 2012, at 8:01 AM, Yan Gong wrote:

> Josh:
> 
> Thanks for the info!
> 
> Did some more tests. Does this mean the olcSecurity setting for TLS works
> now?
> 

Yes, this will require the use of encryption.

The OL docs recommend a minssf of 256 (and that is what I use):

"0 (zero) implies no protection, 1 implies integrity protection only, 56 DES or other weak ciphers, 112 triple DES and other strong ciphers, 128 RC4, Blowfish and other modern strong ciphers.

Other possibilities:

    transport_ssf=<n>
    tls_ssf=<n>
    sasl_ssf=<n>

256 is recommended."

re:  http://www.openldap.org/doc/admin24/access-control.html#Granting%20and%20Denying%20access%20based%20on%20security%20strength%20factors%20


Thanks,
Josh



> If I try to connect to the ldap server without TLS and unencrypted
> connection, I got the following error:
> 
> root@ldap02:/etc/ldap# ldapsearch -x -D "cn=admin,dc=example,dc=com" -W
> Enter LDAP Password:
> ldap_bind: Confidentiality required (13)
>        additional info: TLS confidentiality required
> 
> If I use the CA certificate and TLS connection, I can successfully connect
> with LDAP server:
> 
> root@ldap02:/etc/ldap# ldapsearch -Z -D "cn=admin,dc=example,dc=com" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # example.com
> dn: dc=example,dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: Example Organization
> dc: Example
> description:: TERBUCBFeGFtcGxlIA==
> 
> # admin, example.com
> dn: cn=admin,dc=example,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> userPassword:: c2VjcmV0
> 
> # people, example.com
> dn: ou=people,dc=example,dc=com
> objectClass: organizationalUnit
> ou: people
> 
> # groups, example.com
> dn: ou=groups,dc=example,dc=com
> objectClass: organizationalUnit
> ou: groups
> 
> # john, people, example.com
> dn: uid=john,ou=people,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: john
> sn: Doe
> givenName: John
> cn: John Doe
> displayName: John Doe
> uidNumber: 1000
> gidNumber: 10000
> userPassword:: cGFzc3dvcmQ=
> gecos: John Doe
> loginShell: /bin/bash
> homeDirectory: /home/john
> shadowExpire: -1
> shadowFlag: 0
> shadowWarning: 7
> shadowMin: 8
> shadowMax: 999999
> shadowLastChange: 10877
> mail: john.doe@example.com
> postalCode: 31000
> l: Toulouse
> o: Example
> mobile: +33 (0)6 xx xx xx xx
> homePhone: +33 (0)5 xx xx xx xx
> title: System Administrator
> postalAddress:
> initials: JD
> 
> # example, groups, example.com
> dn: cn=example,ou=groups,dc=example,dc=com
> objectClass: posixGroup
> cn: example
> gidNumber: 10000
> 
> # search result
> search: 3
> result: 0 Success
> 
> # numResponses: 7
> # numEntries: 6
> root@ldap02:/etc/ldap#
> 
> Thanks a lot!
> 
> Yan 
> 
> 
> 
> -----Original Message-----
> From: openldap-technical-bounces@OpenLDAP.org
> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Yan Gong
> Sent: Thursday, September 20, 2012 8:06 AM
> To: 'Howard Chu'; 'Quanah Gibson-Mount'
> Cc: openldap-technical@openldap.org
> Subject: RE: How enforce TLS connection to openldap server only?
> 
> Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
> Please see below:
> 
> dn: olcDatabase={1}hdb
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=example,dc=com
> olcSecurity: simple_bind=128
> olcSecurity: ssf=128
> olcSecurity: tls=1
> olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
> olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
> olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
> olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
> olcLastMod: TRUE
> olcRootDN: cn=admin,dc=example,dc=com
> olcRootPW:: c2VjcmV0
> olcDbCheckpoint: 512 30
> olcDbConfig: {0}set_cachesize 0 2097152 0
> olcDbConfig: {1}set_lk_max_objects 1500
> olcDbConfig: {2}set_lk_max_locks 1500
> olcDbConfig: {3}set_lk_max_lockers 1500
> olcDbIndex: objectClass eq
> olcDbIndex: uidNumber eq
> olcDbIndex: uid eq,pres,sub
> structuralObjectClass: olcHdbConfig
> entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20120919180734Z
> entryCSN: 20120919181117.233986Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20120919181117Z
> 
> Thanks a lot!
> 
> Yan 
> 
> 
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Thursday, September 20, 2012 7:50 AM
> To: Quanah Gibson-Mount
> Cc: Yan Gong; openldap-technical@openldap.org
> Subject: Re: How enforce TLS connection to openldap server only?
> 
> Quanah Gibson-Mount wrote:
>>> Should I use olcAccess or olcSecurity? or both? I couldn't find any 
>>> detailed steps/documentation
>> 
>> olcSecurity would enforce encryption for any and all connections.  
>> Note that you have to restart slapd for it to take effect.
> 
> Eh, no. olcSecurity changes take effect immediately. No restart needed.
> 
> --
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
> 
> 
> Thanks a lot!
> 
> Yan Gong
> System Administrator
> 770-792-8590 ext. 1248
> 
> 
> 
> -----Original Message-----
> From: Josh Miller [mailto:joshua@itsecureadmin.com] 
> Sent: Thursday, September 20, 2012 10:58 AM
> To: Yan Gong
> Cc: openldap-technical@openldap.org
> Subject: Re: How enforce TLS connection to openldap server only?
> 
> On Sep 20, 2012, at 5:05 AM, Yan Gong wrote:
> 
>> Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
>> Please see below:
>> 
>> dn: olcDatabase={1}hdb
>> objectClass: olcDatabaseConfig
>> objectClass: olcHdbConfig
>> olcDatabase: {1}hdb
>> olcDbDirectory: /var/lib/ldap
>> olcSuffix: dc=example,dc=com
>> olcSecurity: simple_bind=128
>> olcSecurity: ssf=128
>> olcSecurity: tls=1
> 
> 
> I believe you're looking for:
> 
> olcSecurity: minssf=128
> 
> HTH,
> Josh
> 
> 
>
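An added worked example, not code from this thread or from OpenLDAP: a small Python model of the SSF checks behind the "Confidentiality required (13)" results discussed above. It uses the factor names documented for the security directive in slapd.conf(5) and the <who> qualifiers in slapd.access(5); the check order and the diagnostic strings are a simplified reading of slapd's behaviour, and it assumes that a connection's overall ssf is the maximum of its transport, TLS and SASL SSFs. Feeding it the three olcSecurity values from the posted database entry and a plaintext simple bind yields the "TLS confidentiality required" diagnostic shown in the thread; the same requirement set passes once the TLS SSF is 256.

```python
"""Offline model of the SSF checks slapd applies under olcSecurity.

Added illustration, not OpenLDAP code.  Modelling assumption: the
overall ssf of a connection is the max of its transport/TLS/SASL SSFs.
"""
import shlex
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13
LOCAL_SSF_DEFAULT = 71  # slapd.conf(5) localSSF default, given to ldapi:// sessions

# Factor names accepted by the security directive (slapd.conf(5)).
SECURITY_FACTORS = (
    "ssf", "transport", "tls", "sasl",
    "update_ssf", "update_transport", "update_tls", "update_sasl",
    "simple_bind",
)
UPDATE_OPS = {"add", "delete", "modify", "modrdn"}


@dataclass
class Connection:
    transport_ssf: int = 0  # LOCAL_SSF_DEFAULT for ldapi://, 0 for plain TCP
    tls_ssf: int = 0        # key bits of the negotiated cipher (AES-256 -> 256)
    sasl_ssf: int = 0       # SASL security layer, if one was negotiated

    @property
    def ssf(self) -> int:
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)


def parse_security(values):
    """Merge olcSecurity values like "ssf=128 tls=1" into {factor: minimum}.

    Unknown factors are rejected, as slapd rejects them at config load.
    """
    req = {}
    for value in values:
        for token in value.split():
            name, sep, num = token.partition("=")
            if name not in SECURITY_FACTORS or not sep or not num.isdigit():
                raise ValueError(f"unknown security factor: {token!r}")
            req[name] = int(num)
    return req


def check_restrictions(req, conn, op, simple_bind=False):
    """Return (resultCode, diagnostic) for operation `op` on `conn`.

    op: "bind", "search", "compare", "add", "delete", "modify" or "modrdn".
    simple_bind= applies to simple binds only; the ssf/sasl checks are
    skipped for a SASL bind because its security layer is not up yet.
    """
    checks = [("transport", conn.transport_ssf, "transport "),
              ("tls", conn.tls_ssf, "TLS ")]
    if op == "bind" and simple_bind:
        checks.append(("simple_bind", conn.ssf, ""))
    if op != "bind" or simple_bind:
        checks += [("ssf", conn.ssf, ""), ("sasl", conn.sasl_ssf, "SASL ")]
    if op in UPDATE_OPS:
        checks += [("update_transport", conn.transport_ssf, "update transport "),
                   ("update_tls", conn.tls_ssf, "update TLS "),
                   ("update_ssf", conn.ssf, "update "),
                   ("update_sasl", conn.sasl_ssf, "update SASL ")]
    for factor, actual, what in checks:
        if actual < req.get(factor, 0):
            prefix = "stronger " if actual else ""
            return LDAP_CONFIDENTIALITY_REQUIRED, f"{prefix}{what}confidentiality required"
    return LDAP_SUCCESS, ""


def by_clause_applies(clause, conn, bound_dn=None):
    """Whether an olcAccess <who> clause such as
    'tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com"' selects `conn`.
    Every qualifier must hold, so a plaintext session never matches it.
    Subset of slapd.access(5): exact dn=, *, anonymous, users, SSF qualifiers.
    """
    ssf_of = {"ssf": conn.ssf, "transport_ssf": conn.transport_ssf,
              "tls_ssf": conn.tls_ssf, "sasl_ssf": conn.sasl_ssf}
    for token in shlex.split(clause):
        name, _, value = token.partition("=")
        if name in ssf_of:
            if ssf_of[name] < int(value):
                return False
        elif name == "dn":
            if bound_dn != value:
                return False
        elif token == "anonymous":
            if bound_dn:
                return False
        elif token == "users":
            if not bound_dn:
                return False
        elif token != "*":
            raise ValueError(f"unsupported <who> clause: {token!r}")
    return True
```

With the posted values, check_restrictions(parse_security(["simple_bind=128", "ssf=128", "tls=1"]), Connection(), "bind", simple_bind=True) returns (13, "TLS confidentiality required"), and Connection(tls_ssf=256) passes. A session over ldapi:// with the default localSSF of 71 still fails an ssf=128 requirement for searches, which is worth remembering when an ssf floor is raised to the 256 the admin guide recommends: local tooling then needs localSSF raised as well, or a SASL bind, which the model leaves exempt.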