[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS, integrity and root DSE

To: <openldap-technical@openldap.org>
Subject: TLS, integrity and root DSE
From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
Date: Wed, 24 Jul 2013 16:08:21 +0200
Content-disposition: inline

Hi!

When trying to require integrity for LDAP connections by specifying "ssf=1" in Security, I have a problem with Perl where the cat bites its tail:

It's recommended to query the root DSE for TLS extension before trying to use TLS like this:

my $dse = $ldap->root_dse();

if ($dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
        my $msg = $ldap->start_tls('verify' => 'require',
                                   'capath' => '/etc/ssl/certs');
...

Unfortunately the root_dse() fails with the security restriction: "confidentiality required"

Note: The manual says: "0  (zero)  implies  no  protection,  1  implies integrity  protection only"

So is "confidentiality" actually "integrity" here, and are here any solutions to this problem?

Regards,
Ulrich Windl

Follow-Ups:
- Re: TLS, integrity and root DSE
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: root cannot change user password with command "passwd", sssd, pam, openldap
Next by Date: Re: TLS, integrity and root DSE
Index(es):
- Chronological
- Thread