[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ldapi:/// without TLS; ldap:// with TLS?
On Tue, 26 Aug 2014, Tom wrote:
> I'm running OpenLDAP 2.4 on CentOS. I'm trying to set it up so clients
> can use the ldapi:/// socket without TLS, but any clients using ldap://
> must use TLS.
>
> I believe that the relevant olc variables are olcLocalSSF and
> olcSecurity. I can't get it to work - either TLS is required no matter
> which URI I use, or clients can connect without TLS at all.
>
> According to the docs, if I set olcLocalSSF to 128, and olcSecurity to
> ssf=128, it should work, but it's not. I can only connect without TLS if I
> delete the olcSecurity attribute, which allows anyone to connect
> without TLS.
>
> Has anyone else seen this behaviour?
A 60 second test on an old dev box I had lying around with 2.4.35 using
slapd.conf with
security ssf=128
localSSF 128
found it works Just Fine there: searches with
-H ldapi://
or
-H ldap:// -ZZ
or
-H ldaps://
work, while searches with
-H ldap://
fail with:
ldap_bind: Confidentiality required (13)
additional info: confidentiality required
So, maybe use 'config' logging to verify your bits are being processed
correctly and if so, provide _complete_ information with a dump of your
cn=config (passwords stripped), the logging, and your test cases
w/results.
Philip Guenther