Re: olcTLSVerifyClient: demand not taking effect
On Tue, 13 Mar 2012, Peter Wood wrote:
> Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with
> the same result.
olcTLSVerifyClient: <level>
Specifies what checks to perform on client certificates in an
incoming TLS session, if any. <...>
Note the "if any" part. That config option says, "If the client
negotiates TLS, whether because it's connecting via an ldaps connection or
used the StartTLS operation on an ldap connection, then these are the
requirements regarding client certificates."
If the client connects via ldap (or ldapi) and doesn't use the StartTLS
operation, then the olcTLSVerifyClient setting HAS NO EFFECT.
If you want the server to reject authentication requests that don't use
TLS, then you need to look at the olcSecurity setting. To quote the
manpage:
olcSecurity: <factors>
Specify a set of security strength factors (separated by white
space) to require (see olcSaslSecprops's minssf option for a
description of security strength factors). The directive may be
specified globally and/or per-database. ssf=<n> specifies the
overall security strength factor. transport=<n> specifies the
transport security strength factor. tls=<n> specifies the TLS
security strength factor. sasl=<n> specifies the SASL security
strength factor. update_ssf=<n> specifies the overall security
strength factor to require for directory updates.
update_transport=<n> specifies the transport security strength
factor to require for directory updates. update_tls=<n>
specifies the TLS security strength factor to require for
directory updates. update_sasl=<n> specifies the SASL security
strength factor to require for directory updates.
simple_bind=<n> specifies the security strength factor required
for simple username/password authentication. Note that the
transport factor is a measure of the security provided by the
underlying transport, e.g. ldapi:// (and eventually IPSEC). It
is not normally used.
Philip Guenther
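As an added illustration (not part of the original post or the OpenLDAP manpages), here is the cn=config change the reply points at: the weak setting that only governs sessions which already negotiated TLS, beside the olcSecurity setting that actually refuses plaintext simple binds. It assumes a slapd using the cn=config backend with TLS already configured.

```ldif
# Added example (not from the original post). Assumes slapd with the
# cn=config backend and a working TLS setup (olcTLSCertificateFile etc.).
#
# --- Weak: only controls what happens AFTER a client negotiates TLS ---
# A client that binds over plain ldap:// without StartTLS never reaches
# this check, so its password still crosses the wire in the clear.
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand

# --- Corrected: also require a minimum security strength factor ---
# simple_bind=128 rejects simple (username/password) binds unless the
# session already has >= 128 bits of protection, i.e. TLS with a 128-bit
# or stronger cipher. A client that skips StartTLS gets resultCode 13
# "confidentiality required" instead of a successful bind.
# It is deliberately NOT ssf=128: a global ssf would also apply to
# ldapi:// sessions, whose SSF is olcLocalSSF (default 71), and would
# lock out SASL/EXTERNAL administration over the Unix socket.
# olcTLSVerifyClient stays so client certificates are still demanded
# on the sessions that do negotiate TLS.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: simple_bind=128
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif`; the second entry supersedes the first, so the resulting state is the corrected one.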