
RE: How enforce TLS connection to openldap server only?



Josh:

Thanks for the info!

Did some more tests. Does this mean the olcSecurity setting for TLS works
now?

If I try to connect to the LDAP server without TLS, over an unencrypted
connection, I get the following error:

root@ldap02:/etc/ldap# ldapsearch -x -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required

If I use the CA certificate and a TLS connection, I can successfully connect
to the LDAP server:

root@ldap02:/etc/ldap# ldapsearch -Z -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: Example
description:: TERBUCBFeGFtcGxlIA==

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: c2VjcmV0

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# john, people, example.com
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword:: cGFzc3dvcmQ=
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

# example, groups, example.com
dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

# search result
search: 3
result: 0 Success

# numResponses: 7
# numEntries: 6
root@ldap02:/etc/ldap#

Thanks a lot!

Yan 



-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Yan Gong
Sent: Thursday, September 20, 2012 8:06 AM
To: 'Howard Chu'; 'Quanah Gibson-Mount'
Cc: openldap-technical@openldap.org
Subject: RE: How enforce TLS connection to openldap server only?

Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
Please see below:

dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: uid eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120919180734Z
entryCSN: 20120919181117.233986Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120919181117Z

Thanks a lot!

Yan 


-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, September 20, 2012 7:50 AM
To: Quanah Gibson-Mount
Cc: Yan Gong; openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?

Quanah Gibson-Mount wrote:
>> Should I use olcAccess or olcSecurity? or both? I couldn't find any 
>> detailed steps/documentation
> 
> olcSecurity would enforce encryption for any and all connections.  
> Note that you have to restart slapd for it to take effect.

Eh, no. olcSecurity changes take effect immediately. No restart needed.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Thanks a lot!

Yan Gong
System Administrator
770-792-8590 ext. 1248



-----Original Message-----
From: Josh Miller [mailto:joshua@itsecureadmin.com] 
Sent: Thursday, September 20, 2012 10:58 AM
To: Yan Gong
Cc: openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?

On Sep 20, 2012, at 5:05 AM, Yan Gong wrote:

> Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
> Please see below:
> 
> dn: olcDatabase={1}hdb
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=example,dc=com
> olcSecurity: simple_bind=128
> olcSecurity: ssf=128
> olcSecurity: tls=1


I believe you're looking for:

olcSecurity: minssf=128

HTH,
Josh
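Added example, not part of this thread and not OpenLDAP's own code: a small audit script that reads an olcDatabase entry in LDIF (the format Yan posted above) and reports the two enforcement mechanisms the thread goes back and forth on: whether olcSecurity requires a minimum security strength factor for all operations (ssf=) and for simple binds (simple_bind=), and whether every olcAccess "by" clause that grants more than "none" carries an ssf=/tls_ssf= qualifier, so that a cleartext session is granted nothing. The factor and qualifier names it looks for are the ones from slapd-config(5) and slapd.access(5); the two LDIF samples are constructed for this example and modelled on the posted config, and the function names and the threshold of 128 are my own choices.

```python
"""Audit an OpenLDAP cn=config database entry (LDIF) for TLS enforcement."""
import re
import shlex
from dataclasses import dataclass

MIN_SSF = 128  # threshold used in the thread (AES-128-class ciphers)

# Access levels from slapd.access(5); '=rscx'-style levels handled below.
ACCESS_LEVELS = {"none", "disclose", "auth", "compare", "search", "read",
                 "write", "manage"}
# Strength qualifiers a 'by' clause may carry, from slapd.access(5).
SSF_QUALIFIER = re.compile(r"(ssf|transport_ssf|tls_ssf|sasl_ssf)=(\d+)")


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Handles LDIF line folding (a continuation line starts with one space,
    which is stripped) and skips comments. Base64 ('::') values are kept
    undecoded; the audit only needs the plain-text olc* attributes.
    """
    unfolded: list[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    attrs: dict[str, list[str]] = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.lstrip(": "))
    return attrs


def parse_security_factors(values: list[str]) -> dict[str, int]:
    """Merge olcSecurity values such as 'ssf=128 tls=1' into {factor: n}."""
    factors: dict[str, int] = {}
    for value in values:
        for token in value.split():
            name, sep, num = token.partition("=")
            if sep and num.isdigit():
                factors[name] = int(num)
    return factors


def parse_access_rule(value: str) -> tuple[str, list[dict]]:
    """Split an olcAccess value into its <what> part and its 'by' clauses.

    Each clause records the strongest ssf-type qualifier it carries
    (0 if none), the <who>, and the access level granted.
    """
    tokens = shlex.split(re.sub(r"^\{\d+\}", "", value))  # drop {n} prefix
    segments: list[list[str]] = [[]]
    for tok in tokens:
        if tok == "by":
            segments.append([])
        else:
            segments[-1].append(tok)
    what = " ".join(segments[0])
    clauses = []
    for seg in segments[1:]:
        clause = {"who": None, "ssf": 0, "access": "none"}
        for tok in seg:
            m = SSF_QUALIFIER.fullmatch(tok)
            if m:
                clause["ssf"] = max(clause["ssf"], int(m.group(2)))
            elif tok in ACCESS_LEVELS or tok.startswith(("=", "+", "-")):
                clause["access"] = tok
            elif tok in ("stop", "continue", "break"):
                continue  # control keywords do not affect what is granted
            elif clause["who"] is None:
                clause["who"] = tok
        clauses.append(clause)
    return what, clauses


@dataclass
class AuditResult:
    factors: dict[str, int]          # parsed olcSecurity factors
    ssf_enforced: bool               # olcSecurity ssf >= min_ssf
    simple_bind_enforced: bool       # olcSecurity simple_bind >= min_ssf
    unqualified_clauses: list[str]   # ACL clauses reachable without TLS


def audit_entry(ldif: str, min_ssf: int = MIN_SSF) -> AuditResult:
    """Report global (olcSecurity) and per-ACL (olcAccess) TLS enforcement."""
    attrs = parse_ldif_entry(ldif)
    factors = parse_security_factors(attrs.get("olcSecurity", []))
    weak: list[str] = []
    for value in attrs.get("olcAccess", []):
        what, clauses = parse_access_rule(value)
        for c in clauses:
            if c["access"] != "none" and c["ssf"] < min_ssf:
                weak.append(f"{what} by {c['who']} {c['access']} (ssf={c['ssf']})")
    return AuditResult(factors, factors.get("ssf", 0) >= min_ssf,
                       factors.get("simple_bind", 0) >= min_ssf, weak)


# Constructed sample modelled on the config posted in the thread.
ENFORCED_LDIF = """\
dn: olcDatabase={1}hdb
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128
  dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous
  auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {1}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com"
  write by tls_ssf=128 ssf=128 * read
olcRootPW:: c2VjcmV0
"""

# Constructed sample with no encryption requirement at all.
OPEN_LDIF = """\
dn: olcDatabase={1}hdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write
  by anonymous auth by self write by * none
olcAccess: {1}to * by * read
"""

if __name__ == "__main__":
    for label, ldif in (("enforced", ENFORCED_LDIF), ("open", OPEN_LDIF)):
        r = audit_entry(ldif)
        print(f"[{label}] olcSecurity={r.factors} ssf_ok={r.ssf_enforced} "
              f"simple_bind_ok={r.simple_bind_enforced}")
        for clause in r.unqualified_clauses:
            print(f"  reachable without TLS: {clause}")
```

To run it against a live server, the entry can be dumped with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)"` (as root, which is how the posted config was modified) and piped into audit_entry(); the script treats both mechanisms separately because they fail independently: a global olcSecurity value protects every operation, while per-clause qualifiers only protect the targets the ACL covers.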