Forcing TLS, but keep working SASL authentication

[Wiebe Cazemier <wiebe@halfgaar.net>]

Hi, 

I want to force SSL on my OpenLDAP server (2.4.21-0ubuntu5.7, Ubuntu 10.04 LTS), but then the SASL authentication breaks.

I did this to enable tls-only:


# feed to ldapmodify
dn: cn=config
changetype:  modify
add: olcSecurity
olcSecurity: tls=1


But, then I can't use "-Y EXTERNAL" anymore, because it then demands a TLS connection. When I enable TLS (-ZZ) on tools like ldapmodify and use ldap://hostname/ and bind with my rootDN (admin user), it doesn't work (insufficient access (50)). I guess it needs the socket to know I'm root.

Inspecting all DB's with "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config", it appears the config DB's have an olcAccess rule like:


olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break


gid and uid = 0, so I guess it's the system's root account.

I tried adding an olcRootDN and olcRootPW to olcDatabase={0}config,cn=config so that I could modify the cn=config, but adding them gave an error: "<olcRootPW> can only be set when rootdn is under suffix". When I tried adding olcSuffix to "dc=domain,dc=tld", it said: "<olcSuffix> handler exited with 1". I also tried specifying a olcRootDN only (no olcRootPW) (like cn=admin,dc=domain,dc=tld) and then add that user to "dc=domain,dc=tld", but it didn't work. Unfortunately, I don't remember what went wrong.

So, is there a way to enforce TLS but still use the SASL authentication? 

Any help is appreciated.

Thanks in advance,

Wiebe Cazemier