
Re: How enforce TLS connection to openldap server only?



On 20.09.2012 17:01, Yan Gong wrote:
Josh:

Thanks for the info!

Did some more tests. Does this mean the olcSecurity setting for TLS works
now?

If I try to connect to the LDAP server without TLS, over an unencrypted
connection, I get the following error:

root@ldap02:/etc/ldap# ldapsearch -x -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
         additional info: TLS confidentiality required

Following this thread, it seems to me that this is exactly what you wanted.

Cheers,

Peter



If I use the CA certificate and a TLS connection, I can successfully connect
to the LDAP server:

root@ldap02:/etc/ldap# ldapsearch -Z -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: Example
description:: TERBUCBFeGFtcGxlIA==

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: c2VjcmV0

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# john, people, example.com
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword:: cGFzc3dvcmQ=
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

# example, groups, example.com
dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

# search result
search: 3
result: 0 Success

# numResponses: 7
# numEntries: 6
root@ldap02:/etc/ldap#

Thanks a lot!

Yan



-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Yan Gong
Sent: Thursday, September 20, 2012 8:06 AM
To: 'Howard Chu'; 'Quanah Gibson-Mount'
Cc: openldap-technical@openldap.org
Subject: RE: How enforce TLS connection to openldap server only?

Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
Please see below:

dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: uid eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120919180734Z
entryCSN: 20120919181117.233986Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120919181117Z

Thanks a lot!

Yan


-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, September 20, 2012 7:50 AM
To: Quanah Gibson-Mount
Cc: Yan Gong; openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?

Quanah Gibson-Mount wrote:
Should I use olcAccess or olcSecurity? or both? I couldn't find any
detailed steps/documentation
olcSecurity would enforce encryption for any and all connections.
Note that you have to restart slapd for it to take effect.
Eh, no. olcSecurity changes take effect immediately. No restart needed.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


Thanks a lot!

Yan Gong
System Administrator
770-792-8590 ext. 1248



-----Original Message-----
From: Josh Miller [mailto:joshua@itsecureadmin.com]
Sent: Thursday, September 20, 2012 10:58 AM
To: Yan Gong
Cc: openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?

On Sep 20, 2012, at 5:05 AM, Yan Gong wrote:

Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
Please see below:

dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1

I believe you're looking for:

olcSecurity: minssf=128

HTH,
Josh





--
_______________________________________________________________________

Peter Gietz (CEO)
DAASI International GmbH                   phone: +49 7071 407109-0
Europaplatz 3                              Fax:   +49 7071 407109-9
D-72072 Tübingen                           mail:  peter.gietz@daasi.de
Germany                                    Web:   www.daasi.de

DAASI International GmbH, Tübingen
Managing Director Peter Gietz, Amtsgericht Stuttgart HRB 382175
_______________________________________________________________________
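As an added example (not code from this thread or from the OpenLDAP project), a small Python audit of a cn=config database entry like the olcDatabase={1}hdb export quoted above: it unfolds the LDIF, merges the olcSecurity factors, reports whether tls=/ssf= force an encrypted session, and lists olcAccess "by" clauses that would grant access without a tls_ssf condition if the security directive were ever loosened. The sample LDIF is constructed for the example.

```python
import re

# Constructed sample modelled on the olcDatabase={1}hdb entry quoted above;
# a leading space marks an LDIF continuation line (RFC 2849).
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=ex
 ample,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by * none
olcAccess: {1}to * by dn="cn=admin,dc=example,dc=com" write by * read
"""

def parse_ldif_entry(text):
    """Unfold continuation lines; return {attr: [values]} for one entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, value = re.match(r"([^:]+): ?(.*)", line).groups()
        entry.setdefault(attr, []).append(value)
    return entry

def security_factors(entry):
    """Merge every olcSecurity value into one {factor: int} mapping."""
    factors = {}
    for value in entry.get("olcSecurity", []):
        for item in value.split():
            name, _, num = item.partition("=")
            factors[name] = int(num)
    return factors

def encryption_enforced(entry, min_ssf=128):
    """tls=N demands a TLS layer; ssf=N accepts any layer (TLS or SASL)."""
    f = security_factors(entry)
    return f.get("tls", 0) >= 1 or f.get("ssf", 0) >= min_ssf

def cleartext_grants(entry):
    """'by' clauses granting more than 'none' with no tls_ssf condition."""
    found = []
    for rule in entry.get("olcAccess", []):
        for clause in rule.split(" by ")[1:]:
            if "tls_ssf=" not in clause and not clause.endswith(" none"):
                found.append((rule.split()[0], clause))
    return found
```

Run it against `slapcat -n 0` output for each olcDatabase entry; a database with no tls= or ssf= factor and non-empty cleartext_grants is one that still answers unencrypted binds.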