openldap+TLS 'works', but slapd.log reports "err=13 text=TLS confidentiality required" @ slapd start
- To: openldap-software@openldap.org
- Subject: openldap+TLS 'works', but slapd.log reports "err=13 text=TLS confidentiality required" @ slapd start
- From: "Ben Wailea, openldap-software" <bwailea+10@gmail.com>
- Date: Fri, 22 Aug 2008 11:21:55 -0700
- Content-disposition: inline
I've set up OpenLDAP for use with TLS.
It launches OK,
ps ax | grep slapd
27182 pts/1 S<+ 0:00 tail -f slapd.log
31441 ? S<sl 0:00 /usr/lib/openldap/slapd -h ldap://ldap.domain.com:389 -f /etc/openldap/slapd.conf -u ldap -g ldap -4 -o slp=on
ldapadd & ldapsearch seem to work over TLS as well,
ldapadd -ZZ -x -D "cn=admin,dc=domain,dc=com" -f /etc/openldap/admin.ldif -w 'secret'
adding new entry "dc=domain,dc=com"
adding new entry "cn=admin,dc=domain,dc=com"
ldapsearch -v -ZZ -x -D 'cn=admin,dc=domain,dc=com' -b 'dc=domain,dc=com' '(objectclass=*)' -w 'secret'
ldap_initialize( <DEFAULT> )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# domain.com
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: DOMAIN
dc: domain
# admin, domain.com
dn: cn=admin,dc=domain,dc=com
objectClass: organizationalRole
cn: admin
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2
with slapd.log showing,
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 ACCEPT from
IP=192.168.1.17:34861 (IP=192.168.1.17:389)
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 STARTTLS
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 RESULT oid= err=0 text=
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 TLS established
tls_ssf=256 ssf=256
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 BIND
dn="cn=admin,dc=domain,dc=com" method=128
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 BIND
dn="cn=admin,dc=domain,dc=com" mech=SIMPLE ssf=0
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 RESULT tag=97 err=0 text=
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=2 SRCH
base="dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=2 SEARCH RESULT tag=101
err=0 nentries=2 text=
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=3 UNBIND
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 closed
But on slapd service (re)start, I see in slapd.log,
Aug 22 11:02:47 ldap slapd[31441]: slapd starting
Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 ACCEPT from
IP=192.168.1.17:42320 (IP=192.168.1.17:389)
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 BIND dn="" method=128
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 RESULT tag=97 err=13
text=TLS confidentiality required
Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 closed (connection lost)
Aug 22 11:02:49 ldap slapd[31441]: conn=1 fd=12 ACCEPT from
IP=192.168.1.17:42321 (IP=192.168.1.17:389)
Aug 22 11:02:49 ldap slapd[31441]: conn=1 op=0 BIND dn="" method=128
Aug 22 11:02:49 ldap slapd[31441]: conn=1 op=0 RESULT tag=97 err=13
text=TLS confidentiality required
Aug 22 11:02:49 ldap slapd[31441]: conn=1 fd=12 closed (connection lost)
Aug 22 11:02:50 ldap slapd[31441]: conn=2 fd=12 ACCEPT from
IP=192.168.1.17:42322 (IP=192.168.1.17:389)
Aug 22 11:02:50 ldap slapd[31441]: conn=2 op=0 BIND dn="" method=128
Aug 22 11:02:50 ldap slapd[31441]: conn=2 op=0 RESULT tag=97 err=13
text=TLS confidentiality required
Aug 22 11:02:50 ldap slapd[31441]: conn=2 fd=12 closed (connection lost)
Aug 22 11:02:51 ldap slapd[31441]: conn=3 fd=12 ACCEPT from
IP=192.168.1.17:42323 (IP=192.168.1.17:389)
Aug 22 11:02:51 ldap slapd[31441]: conn=3 op=0 BIND dn="" method=128
Aug 22 11:02:51 ldap slapd[31441]: conn=3 op=0 RESULT tag=97 err=13
text=TLS confidentiality required
Aug 22 11:02:51 ldap slapd[31441]: conn=3 fd=12 closed (connection lost)
Aug 22 11:02:52 ldap slapd[31441]: conn=4 fd=12 ACCEPT from
IP=192.168.1.17:42324 (IP=192.168.1.17:389)
Aug 22 11:02:52 ldap slapd[31441]: conn=4 op=0 BIND dn="" method=128
Aug 22 11:02:52 ldap slapd[31441]: conn=4 op=0 RESULT tag=97 err=13
text=TLS confidentiality required
Aug 22 11:02:52 ldap slapd[31441]: conn=4 fd=12 closed (connection lost)
Aug 22 11:02:53 ldap slapd[31441]: conn=5 fd=12 ACCEPT from
IP=192.168.1.17:42325 (IP=192.168.1.17:389)
Aug 22 11:02:53 ldap slapd[31441]: conn=5 op=0 BIND dn="" method=128
Aug 22 11:02:53 ldap slapd[31441]: conn=5 op=0 RESULT tag=97 err=13
text=TLS confidentiality required
Aug 22 11:02:53 ldap slapd[31441]: conn=5 fd=12 closed (connection lost)
Aug 22 11:02:54 ldap slapd[31441]: conn=6 fd=12 ACCEPT from
IP=192.168.1.17:42326 (IP=192.168.1.17:389)
Aug 22 11:02:54 ldap slapd[31441]: conn=6 op=0 BIND dn="" method=128
Aug 22 11:02:54 ldap slapd[31441]: conn=6 op=0 RESULT tag=97 err=13
text=TLS confidentiality required
Aug 22 11:02:54 ldap slapd[31441]: conn=6 fd=12 closed (connection lost)
Aug 22 11:02:55 ldap slapd[31441]: conn=7 fd=12 ACCEPT from
IP=192.168.1.17:42327 (IP=192.168.1.17:389)
Aug 22 11:02:55 ldap slapd[31441]: conn=7 op=0 BIND dn="" method=128
Aug 22 11:02:55 ldap slapd[31441]: conn=7 op=0 RESULT tag=97 err=13
text=TLS confidentiality required
Aug 22 11:02:55 ldap slapd[31441]: conn=7 fd=12 closed (connection lost)
Aug 22 11:02:56 ldap slapd[31441]: conn=8 fd=12 ACCEPT from
IP=192.168.1.17:42328 (IP=192.168.1.17:389)
Aug 22 11:02:56 ldap slapd[31441]: conn=8 op=0 BIND dn="" method=128
Aug 22 11:02:56 ldap slapd[31441]: conn=8 op=0 RESULT tag=97 err=13
text=TLS confidentiality required
Aug 22 11:02:56 ldap slapd[31441]: conn=8 fd=12 closed (connection lost)
What are these multiple-connection "text=TLS confidentiality required" errors due to?
I'm guessing it has to do with security restrictions set in slapd.conf.
Reading at http://www.openldap.org/doc/admin24/security.html, I've,
...
security ssf=256 tls=256 update_tls=256 simple_bind=256
disallow tls_2_anon
require bind LDAPv3
...
Are these settings correct, and/or are they responsible for those slapd.log messages? Something else?
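What the two log excerpts show, read side by side: conn=12 does STARTTLS first, slapd logs "TLS established tls_ssf=256", and the simple bind then succeeds, whereas conn=0 through conn=8 send a simple BIND (anonymous, dn="") as the very first operation on a cleartext session and are refused with err=13, which is LDAP result code confidentialityRequired. The text "TLS confidentiality required" is what slapd returns when the `tls=` minimum in the `security` directive is not met by the session's TLS SSF; with `security ssf=256 tls=256 ... simple_bind=256` that is the expected refusal for any bind arriving before STARTTLS. The log alone does not say which client is making those one-per-second connections from 192.168.1.17 at startup, only that each of them binds in cleartext.

The following is an added example, not code from the original post or from the OpenLDAP project. It parses slapd's default stats-level log lines (the format shown above, with wrapped lines re-joined), tracks the TLS SSF in force on each connection when a BIND arrives, and lists the binds that were attempted in cleartext together with the result slapd gave them. The sample lines are constructed from the post's own excerpts; the regexes, class names and function names are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: slapd stats-level log lines, as in the post,
# with the wrapped lines re-joined onto single lines.
SAMPLE_LOG = """\
Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 ACCEPT from IP=192.168.1.17:42320 (IP=192.168.1.17:389)
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 BIND dn="" method=128
Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 closed (connection lost)
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 ACCEPT from IP=192.168.1.17:34861 (IP=192.168.1.17:389)
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 STARTTLS
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 RESULT oid= err=0 text=
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 TLS established tls_ssf=256 ssf=256
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 BIND dn="cn=admin,dc=domain,dc=com" method=128
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 BIND dn="cn=admin,dc=domain,dc=com" mech=SIMPLE ssf=0
Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 RESULT tag=97 err=0 text=
Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 closed
"""

# Patterns for the four event types we care about. tag=97 is the BindResponse
# tag, which keeps STARTTLS extended-op results ("RESULT oid= ...") out of the
# bind bookkeeping. The second BIND line slapd logs ("mech=SIMPLE ssf=0") has
# no "method=" and is deliberately not matched, so each bind is counted once.
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):(\d+)')
TLS_RE = re.compile(r'conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)$')

LDAP_CONFIDENTIALITY_REQUIRED = 13  # RFC 4511 resultCode confidentialityRequired


@dataclass
class Bind:
    op: int
    dn: str
    tls_ssf: int                 # TLS SSF on the session when the BIND arrived; 0 = cleartext
    err: Optional[int] = None    # filled in from the matching RESULT tag=97 line
    text: str = ""


@dataclass
class Conn:
    conn: int
    peer: str = ""
    tls_ssf: int = 0             # becomes non-zero once "TLS established" is logged
    binds: List[Bind] = field(default_factory=list)


def parse_slapd_log(text: str) -> Dict[int, Conn]:
    """Build a per-connection record from stats-level slapd log lines."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        if (m := ACCEPT_RE.search(line)):
            c = int(m.group(1))
            conns[c] = Conn(conn=c, peer=f"{m.group(2)}:{m.group(3)}")
        elif (m := TLS_RE.search(line)):
            c = int(m.group(1))
            conns.setdefault(c, Conn(conn=c)).tls_ssf = int(m.group(2))
        elif (m := BIND_RE.search(line)):
            c = int(m.group(1))
            conn = conns.setdefault(c, Conn(conn=c))
            # Record the SSF in force *at bind time*: a later STARTTLS on the
            # same connection must not retroactively make this bind look safe.
            conn.binds.append(Bind(op=int(m.group(2)), dn=m.group(3), tls_ssf=conn.tls_ssf))
        elif (m := BIND_RESULT_RE.search(line)):
            c, op = int(m.group(1)), int(m.group(2))
            conn = conns.get(c)
            if conn is None:
                continue
            for b in conn.binds:
                if b.op == op and b.err is None:
                    b.err = int(m.group(3))
                    b.text = m.group(4).strip()
                    break
    return conns


def cleartext_binds(text: str) -> List[Tuple[int, str, Bind]]:
    """Binds attempted on a session with no TLS SSF, with slapd's verdict on each."""
    return [(c.conn, c.peer, b)
            for c in parse_slapd_log(text).values()
            for b in c.binds if b.tls_ssf == 0]


if __name__ == "__main__":
    for conn_id, peer, b in cleartext_binds(SAMPLE_LOG):
        who = b.dn or "<anonymous>"
        verdict = "refused" if b.err == LDAP_CONFIDENTIALITY_REQUIRED else f"err={b.err}"
        print(f"conn={conn_id} from {peer}: cleartext bind as {who}: {verdict} ({b.text})")
```

Run against the real slapd.log, the output tells you which peer and port each cleartext bind came from, which is the information needed to find the client that connects at startup without STARTTLS; the `security` settings themselves are doing what they are configured to do when that bind is refused with err=13, and a cleartext bind that showed err=0 instead would be the thing to worry about.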