
Re: ldapi:/// without TLS; ldap:// with TLS?



On Tue, 26 Aug 2014, Tom wrote:
> I'm running OpenLDAP 2.4 on CentOS. I'm trying to set it up so clients
> can use the ldapi:/// socket without TLS, but any clients using ldap://
> must use TLS.
> 
> I believe that the relevant olc variables are olcLocalSSF and
> olcSecurity. I can't get it to work - either TLS is required no matter
> which URI I use, or clients can connect without TLS at all.
> 
> According to the docs, if I set olcLocalSSF to 128, and olcSecurity to
> ssf=128, it should work, but it's not. I can only connect without TLS if I
> delete the olcSecurity attribute, which allows anyone to connect
> without TLS.
> 
> Has anyone else seen this behaviour?

A 60 second test on an old dev box I had lying around with 2.4.35 using 
slapd.conf with
	security ssf=128
	localSSF 128

found it works Just Fine there: searches with
   -H ldapi://
or
   -H ldap:// -ZZ
or
   -H ldaps://

work, while searches with
   -H ldap://

fail with:
	ldap_bind: Confidentiality required (13)
	        additional info: confidentiality required

So, maybe use 'config' logging to verify your bits are being processed 
correctly and if so, provide _complete_ information with a dump of your 
cn=config (passwords stripped), the logging, and your test cases 
w/results.


Philip Guenther
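For anyone reproducing this on a cn=config (olc) setup rather than slapd.conf, the following LDIF is an added example, not part of the thread; it sets the same two values the reply tested, on the global cn=config entry where both olcLocalSSF and olcSecurity live. The ldapmodify invocation assumes the usual root-over-ldapi SASL EXTERNAL access to cn=config; adjust if your server grants config access differently.

```ldif
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif
# (assumes SASL EXTERNAL over the local socket is mapped to the config rootdn)
dn: cn=config
changetype: modify
# Credit every ldapi:// connection with SSF 128, so the local socket
# satisfies the security requirement without negotiating TLS
replace: olcLocalSSF
olcLocalSSF: 128
-
# Global minimum SSF: ldap:// without StartTLS now fails with
# "Confidentiality required (13)"; ldap:// -ZZ and ldaps:// still work
replace: olcSecurity
olcSecurity: ssf=128
```

After applying it, confirm what slapd actually loaded before running the four test searches from the reply, e.g. `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcLocalSSF olcSecurity`. Note that olcSecurity may also be set on an individual olcDatabase entry, where it governs operations against that database; if a per-database value is present, check it as well, since a missing or weaker value there is one way for the "connect without TLS" case to slip through despite the global setting.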