Peter:

Thanks for the confirmation! I only used olcSecurity, not olcAccess, to enforce the TLS connection. Man, I wish there were more detailed, updated and user-friendly information about OpenLDAP on the web. I guess that's why people are turning to Active Directory: it is much easier to use.

Yan

-----Original Message-----
From: Peter Gietz [mailto:peter.gi...@daasi.de]
Sent: Thursday, September 20, 2012 11:47 AM
To: Yan Gong
Cc: 'Josh Miller'; openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?

On 20.09.2012 17:01, Yan Gong wrote:
> Josh:
>
> Thanks for the info!
>
> Did some more tests. Does this mean the olcSecurity setting for TLS
> works now?
>
> If I try to connect to the ldap server without TLS and unencrypted
> connection, I got the following error:
>
> root@ldap02:/etc/ldap# ldapsearch -x -D "cn=admin,dc=example,dc=com" -W
> Enter LDAP Password:
> ldap_bind: Confidentiality required (13)
>         additional info: TLS confidentiality required

Following this thread, it seems to me that this is exactly what you wanted.

Cheers,

Peter

> If I use the CA certificate and TLS connection, I can successfully
> connect to the LDAP server:
>
> root@ldap02:/etc/ldap# ldapsearch -Z -D "cn=admin,dc=example,dc=com" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # example.com
> dn: dc=example,dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: Example Organization
> dc: Example
> description:: TERBUCBFeGFtcGxlIA==
>
> # admin, example.com
> dn: cn=admin,dc=example,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> userPassword:: c2VjcmV0
>
> # people, example.com
> dn: ou=people,dc=example,dc=com
> objectClass: organizationalUnit
> ou: people
>
> # groups, example.com
> dn: ou=groups,dc=example,dc=com
> objectClass: organizationalUnit
> ou: groups
>
> # john, people, example.com
> dn: uid=john,ou=people,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: john
> sn: Doe
> givenName: John
> cn: John Doe
> displayName: John Doe
> uidNumber: 1000
> gidNumber: 10000
> userPassword:: cGFzc3dvcmQ=
> gecos: John Doe
> loginShell: /bin/bash
> homeDirectory: /home/john
> shadowExpire: -1
> shadowFlag: 0
> shadowWarning: 7
> shadowMin: 8
> shadowMax: 999999
> shadowLastChange: 10877
> mail: john....@example.com
> postalCode: 31000
> l: Toulouse
> o: Example
> mobile: +33 (0)6 xx xx xx xx
> homePhone: +33 (0)5 xx xx xx xx
> title: System Administrator
> postalAddress:
> initials: JD
>
> # example, groups, example.com
> dn: cn=example,ou=groups,dc=example,dc=com
> objectClass: posixGroup
> cn: example
> gidNumber: 10000
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 7
> # numEntries: 6
> root@ldap02:/etc/ldap#
>
> Thanks a lot!
>
> Yan
>
>
> -----Original Message-----
> From: openldap-technical-boun...@openldap.org
> [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Yan Gong
> Sent: Thursday, September 20, 2012 8:06 AM
> To: 'Howard Chu'; 'Quanah Gibson-Mount'
> Cc: openldap-technical@openldap.org
> Subject: RE: How enforce TLS connection to openldap server only?
>
> Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
> Please see below:
>
> dn: olcDatabase={1}hdb
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=example,dc=com
> olcSecurity: simple_bind=128
> olcSecurity: ssf=128
> olcSecurity: tls=1
> olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
> olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
> olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
> olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
> olcLastMod: TRUE
> olcRootDN: cn=admin,dc=example,dc=com
> olcRootPW:: c2VjcmV0
> olcDbCheckpoint: 512 30
> olcDbConfig: {0}set_cachesize 0 2097152 0
> olcDbConfig: {1}set_lk_max_objects 1500
> olcDbConfig: {2}set_lk_max_locks 1500
> olcDbConfig: {3}set_lk_max_lockers 1500
> olcDbIndex: objectClass eq
> olcDbIndex: uidNumber eq
> olcDbIndex: uid eq,pres,sub
> structuralObjectClass: olcHdbConfig
> entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20120919180734Z
> entryCSN: 20120919181117.233986Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20120919181117Z
>
> Thanks a lot!
>
> Yan
>
>
> -----Original Message-----
> From: Howard Chu [mailto:h...@symas.com]
> Sent: Thursday, September 20, 2012 7:50 AM
> To: Quanah Gibson-Mount
> Cc: Yan Gong; openldap-technical@openldap.org
> Subject: Re: How enforce TLS connection to openldap server only?
>
> Quanah Gibson-Mount wrote:
>>> Should I use olcAccess or olcSecurity? or both? I couldn't find any
>>> detailed steps/documentation
>> olcSecurity would enforce encryption for any and all connections.
>> Note that you have to restart slapd for it to take effect.
> Eh, no. olcSecurity changes take effect immediately. No restart needed.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
>
> Thanks a lot!
>
> Yan Gong
> System Administrator
> 770-792-8590 ext. 1248
>
>
>
> -----Original Message-----
> From: Josh Miller [mailto:jos...@itsecureadmin.com]
> Sent: Thursday, September 20, 2012 10:58 AM
> To: Yan Gong
> Cc: openldap-technical@openldap.org
> Subject: Re: How enforce TLS connection to openldap server only?
>
> On Sep 20, 2012, at 5:05 AM, Yan Gong wrote:
>
>> Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
>> Please see below:
>>
>> dn: olcDatabase={1}hdb
>> objectClass: olcDatabaseConfig
>> objectClass: olcHdbConfig
>> olcDatabase: {1}hdb
>> olcDbDirectory: /var/lib/ldap
>> olcSuffix: dc=example,dc=com
>> olcSecurity: simple_bind=128
>> olcSecurity: ssf=128
>> olcSecurity: tls=1
>
> I believe you're looking for:
>
> olcSecurity: minssf=128
>
> HTH,
> Josh
>
>

--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH       phone: +49 7071 407109-0
Europaplatz 3                  Fax:   +49 7071 407109-9
D-72072 Tübingen               mail:  peter.gi...@daasi.de
Germany                        Web:   www.daasi.de

DAASI International GmbH, Tübingen
Managing Director Peter Gietz, Amtsgericht Stuttgart HRB 382175
_______________________________________________________________________
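The thread turns on how slapd combines the olcSecurity factors (ssf, tls, simple_bind) when a client binds. The following is an added example, not OpenLDAP code and not from anyone in the thread: a small Python model of the check order slapd applies to each operation as I understand its backend_check_restrictions() (transport, then TLS, then simple_bind for simple binds, then SASL and the overall ssf). It accepts the factors slapd.conf(5) lists for the security directive (ssf, transport, tls, sasl, simple_bind; the update_* factors are left out of the model), and the connection values fed to it are constructed, not captured from a server. Run with the thread's values, it reproduces the "TLS confidentiality required" diagnostic Yan saw for a cleartext bind, and it also shows why ssf=128 matters beside tls=1: a weak TLS cipher satisfies tls=1 but is still refused by ssf=128.

```python
"""Model of how slapd applies the olcSecurity (security) strength factors.

Added example for this thread, not OpenLDAP's own code.  It follows the check
order of slapd's backend_check_restrictions() as I understand it (transport,
then TLS, then simple_bind for simple binds, then SASL and overall ssf).  The
connection values used below are constructed, not captured from a server.
The update_* factors are not modelled.
"""
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13

# Factors of the slapd.conf(5) "security" directive that this model handles.
KNOWN_FACTORS = {"ssf", "transport", "tls", "sasl", "simple_bind"}


def parse_security(values):
    """Parse olcSecurity values such as ["simple_bind=128", "ssf=128", "tls=1"]
    into a dict.  The model rejects anything that is not a known factor."""
    factors = {}
    for value in values:
        for token in value.split():
            name, sep, number = token.partition("=")
            if name not in KNOWN_FACTORS or not sep or not number.isdigit():
                raise ValueError(f"unknown or malformed security factor: {token!r}")
            factors[name] = int(number)
    return factors


@dataclass
class Connection:
    """Security strength factors (SSF) of one client connection (constructed)."""
    transport_ssf: int = 0  # non-zero only for ldapi:// (localSSF)
    tls_ssf: int = 0        # cipher strength negotiated by STARTTLS or ldaps://
    sasl_ssf: int = 0       # strength of a SASL security layer, if any

    @property
    def ssf(self):
        # The overall SSF is the strongest protection any one layer provides.
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)


def check_restrictions(factors, conn, op="search"):
    """Return (result code, diagnostic) for an operation of kind `op`
    ("simple_bind", "sasl_bind", or any other operation such as "search")."""
    if conn.transport_ssf < factors.get("transport", 0):
        return LDAP_CONFIDENTIALITY_REQUIRED, (
            "stronger transport confidentiality required" if conn.transport_ssf
            else "transport confidentiality required")
    if conn.tls_ssf < factors.get("tls", 0):
        return LDAP_CONFIDENTIALITY_REQUIRED, (
            "stronger TLS confidentiality required" if conn.tls_ssf
            else "TLS confidentiality required")
    if op == "simple_bind" and conn.ssf < factors.get("simple_bind", 0):
        return LDAP_CONFIDENTIALITY_REQUIRED, "confidentiality required"
    if op != "sasl_bind":
        # SASL binds are exempt: the security layer is what the bind negotiates.
        if conn.sasl_ssf < factors.get("sasl", 0):
            return LDAP_CONFIDENTIALITY_REQUIRED, (
                "stronger SASL confidentiality required" if conn.sasl_ssf
                else "SASL confidentiality required")
        if conn.ssf < factors.get("ssf", 0):
            return LDAP_CONFIDENTIALITY_REQUIRED, (
                "stronger confidentiality required" if conn.ssf
                else "confidentiality required")
    return LDAP_SUCCESS, ""


if __name__ == "__main__":
    # The olcSecurity values from the thread.
    thread_factors = parse_security(["simple_bind=128", "ssf=128", "tls=1"])
    # Cleartext `ldapsearch -x -D ... -W`: refused at the TLS check, as in the thread.
    print(check_restrictions(thread_factors, Connection(), "simple_bind"))
    # `ldapsearch -Z` with a 128-bit cipher: accepted.
    print(check_restrictions(thread_factors, Connection(tls_ssf=128), "simple_bind"))
    # A 56-bit TLS cipher satisfies tls=1 but not ssf=128.
    print(check_restrictions(thread_factors, Connection(tls_ssf=56)))
```

The olcAccess `by tls_ssf=128 ssf=128 ...` clauses in Yan's database entry are a separate mechanism: they only decide what an already-connected client may read or write, whereas the olcSecurity factors modelled here refuse the operation outright with result 13, which is the behaviour a server that must never accept cleartext binds needs.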