Greetings,
I'm testing an installation of openldap
2.4.9. I want to enforce TLS for all access to the directory.
My problem is that I cannot get the client to meet the ssf restictions I have in place. The documentation I've seen on ssf and tls_ssf is very sparse so I don't really understand what it does.
I'm using self signed cert created using the openssl CA.sh script.
Relevant portions of the slapd.conf...
TLSCACertificateFile /etc/ldap/ssl/cacert.pem
TLSCertificateFile /etc/ldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
...
access to *
by tls_ssf=128 ssf=128 anonymous auth
by tls_ssf=128 ssf=128 self write
Relevant portions of the lapd.conf...
TLS_CACERT /etc/ldap/ssl/cacert.pem
With those ACLs in place I get the following error:
$ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b "uid=jake,ou=people,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
And slapd in debug mode shows me that I didn't meet the ssf requirments...
connection_read(15): unable to get TLS client DN, error=49 id=0
conn=0 fd=15 TLS established tls_ssf=32 ssf=32
...
<= check a_authz.sai_tls_ssf: ACL 128 > OP 32
I'm not really sure where to go from here. Any advice about how to increase the SSF of my connection would be greatly appreciated.
Thanks,
-Jake