
Re: Understanding TLS SSF



"Patrick Patterson" <ppatters@gmail.com> writes:

> Hello
>
> On Wed, Jul 30, 2008 at 9:59 AM, J Davis <mrsalty0@gmail.com> wrote:
>
>     Greetings,
>    
>     I'm testing an installation of openldap 2.4.9. I want to enforce TLS for
>     all access to the directory.
>     My problem is that I cannot get the client to meet the ssf restrictions I
>     have in place. The documentation I've seen on ssf and tls_ssf is very
>     sparse so I don't really understand what it does.
>    
>     I'm using self signed cert created using the openssl CA.sh script.
>    
>     Relevant portions of the slapd.conf...
>    
>         TLSCACertificateFile /etc/ldap/ssl/cacert.pem
>         TLSCertificateFile /etc/ldap/ssl/servercrt.pem
>         TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
>         ...
>         access to *
>             by tls_ssf=128 ssf=128 anonymous auth
>             by tls_ssf=128 ssf=128 self write
>    
>     Relevant portions of the ldap.conf...
>    
>         TLS_CACERT /etc/ldap/ssl/cacert.pem
>    
>     With those ACLs in place I get the following error:
>    
>         $ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b
>     "uid=jake,ou=people,dc=example,dc=com"
>         ldap_bind: Invalid credentials (49)
>
> You may want to try adding -q as one of the options to your ldapsearch. It
> appears that the tls_ssf turns on STARTTLS, instead of LDAP over SSL and in
> order to use that, you need to tell the client to use starttls as well, which
> is what (if I read the man page correctly), -q does.

Where did you read this?

from man ldapsearch(5) 
-Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
       you use -ZZ, the command will require the operation to be successful.


-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
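The poster's ACL evaluated against a session with and without StartTLS, as an added example that is not part of this thread or of OpenLDAP's own code: it is a simplified model of the slapd.access(5) rules (ssf conditions are minimums, the overall ssf is the strongest of the layers, the first matching by-clause wins), and the names `Session`, `clause_matches`, `granted` and the session values are my own constructions.

```python
# Added example (not from the thread): a simplified model of how slapd applies the
# ssf/tls_ssf conditions in the poster's ACL, following slapd.access(5): ssf values are
# minimums, all conditions in a "by" clause must hold, first match wins, no match = none.
from dataclasses import dataclass

ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

@dataclass
class Session:
    transport_ssf: int   # strength of the transport itself (0 for plain TCP)
    tls_ssf: int         # key bits of the negotiated TLS cipher (0 = no TLS)
    sasl_ssf: int        # SASL security layer strength (0 for a simple bind)
    bound_dn: str = ""   # "" means the session is (still) anonymous

    @property
    def ssf(self):
        # The overall ssf is the strongest of the individual layers.
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)

def clause_matches(clause, session, target_dn):
    # clause example: {"tls_ssf": 128, "ssf": 128, "who": "anonymous", "level": "auth"}
    if session.tls_ssf < clause.get("tls_ssf", 0): return False
    if session.ssf < clause.get("ssf", 0): return False
    who = clause.get("who", "*")
    if who == "anonymous":
        return session.bound_dn == ""
    if who == "self":
        return session.bound_dn != "" and session.bound_dn == target_dn
    return who == "*"

def granted(acl, session, target_dn, wanted):
    # The first matching "by" clause decides; no match is the implicit "by * none".
    for clause in acl:
        if clause_matches(clause, session, target_dn):
            return ACCESS_LEVELS.index(clause["level"]) >= ACCESS_LEVELS.index(wanted)
    return False

ACL = [  # the two "by" clauses from the question
    {"tls_ssf": 128, "ssf": 128, "who": "anonymous", "level": "auth"},
    {"tls_ssf": 128, "ssf": 128, "who": "self", "level": "write"},
]
JAKE = "uid=jake,ou=people,dc=example,dc=com"

def simple_bind_allowed(session):
    # A simple bind needs "auth" on userPassword while still anonymous; slapd reports a denial as invalidCredentials (49).
    return granted(ACL, session, JAKE, "auth")

if __name__ == "__main__":
    print(simple_bind_allowed(Session(0, 0, 0)))    # ldap:// without -ZZ: False
    print(simple_bind_allowed(Session(0, 128, 0)))  # after StartTLS with a 128-bit cipher: True
```

With -Z alone a failed StartTLS would leave tls_ssf at 0 and the bind would still be refused, which is why -ZZ (require StartTLS to succeed) is the flag to use when TLS is mandatory.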