[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Understanding TLS SSF



That was it.
I'm using 2.4.11 now compiled against openssl and it's working.

Thanks!
-Jake

On Wed, Jul 30, 2008 at 7:36 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
I doubt that's the SSL that OpenLDAP is compiled against.  It looks to me like it is compiled against GnuTLS, and likely affected by ITS#5585, which was fixed in OpenLDAP 2.4.11.  If that's correct, then the real TLS value is 256.  Have you actually run ldd on slapd to see what libraries it is linked against for SSL?

--Quanah


--On Wednesday, July 30, 2008 1:16 PM -0400 J Davis <mrsalty0@gmail.com> wrote:


Openssl 0.9.8g-4ubuntu3.3

Thanks,
-Jake


On Wed, Jul 30, 2008 at 12:02 PM, Buchan Milne
<bgmilne@staff.telkomsa.net> wrote:




On Wednesday 30 July 2008 15:59:52 J Davis wrote:
Greetings,

I'm testing an installation of openldap 2.4.9. I want to enforce TLS for
all access to the directory.
My problem is that I cannot get the client to meet the ssf restictions I
have in place. The documentation I've seen on ssf and tls_ssf is very
sparse so I don't really understand what it does.

I'm using self signed cert created using the openssl CA.sh script.

Relevant portions of the slapd.conf...

   TLSCACertificateFile /etc/ldap/ssl/cacert.pem
   TLSCertificateFile /etc/ldap/ssl/servercrt.pem
   TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
   ...
   access to *
       by tls_ssf=128 ssf=128 anonymous auth
       by tls_ssf=128 ssf=128 self write

Relevant portions of the lapd.conf...

   TLS_CACERT /etc/ldap/ssl/cacert.pem

With those ACLs in place I get the following error:

   $ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b
"uid=jake,ou=people,dc=example,dc=com"
   ldap_bind: Invalid credentials (49)

And slapd in debug mode shows me that I didn't meet the ssf
requirments...

   connection_read(15): unable to get TLS client DN, error=49 id=0
   conn=0 fd=15 TLS established tls_ssf=32 ssf=32
   ...
   <= check a_authz.sai_tls_ssf: ACL 128 > OP 32

What ssl implementation is your slapd using ?






--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration