
Re: ldapi without TLS and ldap with TLS?



On Mon, 18 Feb 2013, Patrick Lists wrote:
> I'm trying to achieve the following with OpenLDAP RE24 from last week:
> 
> Connections on ldapi:/// are plain text and ldap connections require TLS 
> with client cert auth.

Perhaps it would be helpful if you started by answering, at least for 
yourself, what problem you're trying to solve.  For example, "prevent 
passwords from being sent on physical networks in the clear or under a 
symmetric cipher of fewer than 256 bits"

(I use that example because it's a plausible match for what you 
describe...and it's impossible to achieve.)

Until you describe *why* you're doing something, you can't know whether 
you're actually achieving it.


> I thought I could do that with:
...
> olcLocalSSF: 0  <---

So, you've told slapd that ldapi:// connections are to be treated as 
completely insecure, like ldap:// connections without TLS.  That doesn't 
seem to match your intention.


> olcSecurity: tls=256  <---

To quote slapd-config(5):
       olcSecurity: <factors>
              Specify a set of security strength factors (separated by white
              space) to require (see olcSaslSecprops's minssf option for a
              description of security strength factors).  The directive may be
              specified globally and/or per-database.
...
              tls=<n> specifies the TLS security strength factor.

So, this tells slapd to require *ALL* connections, regardless of how they 
connect, to use SSL/TLS with an SSF of at least 256.  That clearly doesn't 
match your intention.

My guess, not knowing your actual _purpose_, would be you want to require 
a minssf of some 256, and give local (ldapi://) connections that same SSF.

Of course, that doesn't stop a client from connecting and sending a BIND 
request in cleartext.  It won't succeed, but it'll still go out in 
cleartext.


Philip Guenther
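The two configurations the reply contrasts, written out as an added example that is not part of the original thread or of OpenLDAP's documentation: the posted settings (ldapi:// given no SSF credit, TLS demanded everywhere) and the settings the reply suggests instead (a global minimum SSF that ldapi:// satisfies by virtue of olcLocalSSF). The olcTLSVerifyClient line addresses the "client cert auth" part of the original goal, which the reply does not discuss, and is my assumption about how that would be expressed; the use of ldapmodify over ldapi:/// with SASL EXTERNAL to edit cn=config is likewise assumed.

```ldif
# Added example, not from the thread. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f this-file.ldif
# (assumes cn=config is writable over ldapi:/// via SASL EXTERNAL,
#  which is the usual out-of-the-box setup)

# --- As posted (shown as comments so it is not applied) ---
# olcLocalSSF: 0         -> ldapi:/// connections get no SSF credit at all
# olcSecurity: tls=256   -> a TLS SSF >= 256 is required on EVERY connection,
#                           and ldapi:/// cannot do TLS, so it is refused too

# --- As the reply suggests: require SSF 256 by any means, and credit
# --- local (ldapi://) connections with that same SSF
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 256
-
replace: olcSecurity
olcSecurity: ssf=256
-
# Assumption beyond the reply: insist on a client certificate whenever a
# TLS session is negotiated, for the "client cert auth" part of the goal.
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
```

With this applied, an unencrypted ldapi:/// connection passes the ssf check (local SSF 256 meets the minimum), while a plain ldap:// connection without TLS is refused for lacking confidentiality, and only a TLS session whose cipher yields an SSF of 256 or more gets through. As the reply points out, the refusal happens on the server after the request arrives: a client that sends a cleartext BIND over ldap:// still puts that password on the wire before slapd rejects it, so olcSecurity limits what succeeds, not what gets exposed by a careless client.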