[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Understanding TLS SSF



On Wednesday 30 July 2008 15:59:52 J Davis wrote:
> Greetings,
>
> I'm testing an installation of openldap 2.4.9. I want to enforce TLS for
> all access to the directory.
> My problem is that I cannot get the client to meet the ssf restictions I
> have in place. The documentation I've seen on ssf and tls_ssf is very
> sparse so I don't really understand what it does.
>
> I'm using self signed cert created using the openssl CA.sh script.
>
> Relevant portions of the slapd.conf...
>
>     TLSCACertificateFile /etc/ldap/ssl/cacert.pem
>     TLSCertificateFile /etc/ldap/ssl/servercrt.pem
>     TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
>     ...
>     access to *
>         by tls_ssf=128 ssf=128 anonymous auth
>         by tls_ssf=128 ssf=128 self write
>
> Relevant portions of the lapd.conf...
>
>     TLS_CACERT /etc/ldap/ssl/cacert.pem
>
> With those ACLs in place I get the following error:
>
>     $ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b
> "uid=jake,ou=people,dc=example,dc=com"
>     ldap_bind: Invalid credentials (49)
>
> And slapd in debug mode shows me that I didn't meet the ssf requirments...
>
>     connection_read(15): unable to get TLS client DN, error=49 id=0
>     conn=0 fd=15 TLS established tls_ssf=32 ssf=32
>     ...
>     <= check a_authz.sai_tls_ssf: ACL 128 > OP 32

What ssl implementation is your slapd using ?