
Re: Forcing TLS encryption



On Mon, 24 Dec 2012 10:14:39 +0100 (CET),
Wiebe Cazemier <wiebe@halfgaar.net> wrote:

> ----- Original Message -----
> > From: "Chuck Lever" <chuck.lever@oracle.com>
> > To: "Wiebe Cazemier" <wiebe@halfgaar.net>
> > Cc: openldap-technical@openldap.org
> > Sent: Friday, 21 December, 2012 4:39:21 PM
> > Subject: Re: Forcing TLS encryption
> >
> > ...
> >  
> > I added an olcSecurity attribute to the database directives for the
> > parts of the server's DIT where I wish to require TLS.  To start
> > with I set the value "tls=1".
> > 
> > See also:
> > 
> >   http://itsecureadmin.com/tag/openldap/
> > 
> > --
> > Chuck Lever
> > chuck[dot]lever[at]oracle[dot]com
> > 
> 
> I got it to work (connection won't be allowed without TLS), but I can
> still capture the password with tcpdump. To elaborate:
> 
> I successfully set tls=1 with:
> 
> 
> dn: cn=config
> changetype:  modify
> add: olcSecurity
> olcSecurity: tls=1
> 
> 
> When I do an ldapsearch now, it says TLS is required:
> 
> 
> $ ldapsearch ldapsearch -Hldap://myhost:389
> -D"uid=user,ou=people,dc=domain,dc=com" -W Enter LDAP Password:
> ldap_bind: Confidentiality required (13)
>         additional info: TLS confidentiality required


In order to initiate Transport Layer Security you have to call the
extended operation ldapSTARTTLS.

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
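The exchange Dieter refers to (the client's StartTLS extended operation, OID 1.3.6.1.4.1.1466.20037, sent before the bind, and the resultCode 13 a plaintext bind gets back once olcSecurity tls=1 is set), as an added example that is not part of this thread: Python that hand-encodes the LDAPv3 messages in BER so the bytes on the wire are visible. The encode_result function is a constructed stand-in for the server's reply so the decoder can be checked offline; start_tls assumes a reachable host whose certificate the default CA store trusts. With ldapsearch the same step is the -Z option (or -ZZ, which aborts instead of falling back if StartTLS fails).

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
CONFIDENTIALITY_REQUIRED = 13                  # resultCode behind "Confidentiality required (13)"
EXTENDED_RESPONSE, BIND_RESPONSE = 0x78, 0x61  # [APPLICATION 24], [APPLICATION 1]

def ber(tag, content):
    """Encode one BER TLV; lengths up to 65535 are enough for these messages."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] = StartTLS OID } }."""
    ext_req = ber(0x77, ber(0x80, STARTTLS_OID))          # [APPLICATION 23]
    return ber(0x30, ber(0x02, bytes([msg_id])) + ext_req)

def decode_result(msg):
    """Return (protocolOp tag, resultCode, diagnosticMessage) of an LDAPResult reply."""
    _, body, _ = read_tlv(msg)                 # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(body)                 # skip messageID
    op_tag, op, _ = read_tlv(body, pos)        # ExtendedResponse or BindResponse
    _, code, pos = read_tlv(op)                # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)              # matchedDN
    _, diag, _ = read_tlv(op, pos)             # diagnosticMessage
    return op_tag, int.from_bytes(code, "big"), diag.decode()

def encode_result(msg_id, op_tag, code, diag=b""):
    """Constructed server reply (not captured traffic), to exercise decode_result offline."""
    body = ber(0x0A, bytes([code])) + ber(0x04, b"") + ber(0x04, diag)
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(op_tag, body))

def start_tls(host, port=389, ctx=None):
    """Send StartTLS on a plain socket and upgrade it; raise if the server declines."""
    ctx = ctx or ssl.create_default_context()  # verifies the server certificate
    sock = socket.create_connection((host, port))
    sock.sendall(encode_starttls_request())
    op_tag, code, diag = decode_result(sock.recv(4096))
    if op_tag != EXTENDED_RESPONSE or code != 0:
        raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
    return ctx.wrap_socket(sock, server_hostname=host)  # bind only over this socket
```

A bind sent on the plain socket before start_tls returns is exactly what tcpdump showed in the original post; a bind sent only on the socket start_tls returns is inside the TLS session, and the server answers resultCode 13 for anything else.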