I'm using slapd under Debian/Squeeze and trying to configure the system to only allow TLS-encrypted connections using STARTTLS on port 389.
So I've configured my /etc/default/slapd to listen on port 389:
SLAPD_SERVICES="ldap://:389/"
I generated a certificate and enabled TLS by adding the following entries to /etc/ldap/slapd.d/cn=config.ldif
olcTLSCertificateFile: /etc/ssl/openldap/ca-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/ca-key.pem
And finally I added an /etc/ldap/slapd.conf with the following content:
security tls=256
With that configuration I'm able to run TLS-encrypted connections using:
ldapsearch -ZZ -H ldap://127.0.0.1:389 -D "cn=admin,dc=example,dc=net" -w "password"
But besides that, unencrypted connections are still working using:
ldapsearch -H ldap://127.0.0.1:389 -D "cn=admin,dc=example,dc=net" -w "password"
From my point of view it seems that the security directive in /etc/ldap/slapd.conf isn't used at all. Also, when I try to convert the slapd.conf to the cn=config configuration format, I can clearly see that the security directive isn't included in the resulting cn=config configuration files.
Does somebody know what's going on there and how to change the configuration to forbid unencrypted connections?
Best Answer
You have declared that all TLS connections must have a strength of 256.
You have not declared anything about other types of connections.
Perhaps you wanted
security minssf=256
?
See man slapd.conf, sections sasl-secprops and security, for more information.
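The directive the answer points at, applied where the running slapd actually reads it. On Debian the slapd init script starts the daemon with -F /etc/ldap/slapd.d whenever that directory exists, so a security line in /etc/ldap/slapd.conf is never consulted; the setting has to go into cn=config as olcSecurity. This is an added example, not part of the original question or answer; it assumes an ldapi:/// listener in SLAPD_SERVICES alongside ldap://:389/, SASL EXTERNAL mapped to the cn=config admin (the Debian default), and the file name minssf.ldif:

```ldif
# Added example (not from the original question or answer).
# Assumed: ldapi:/// is listening and SASL EXTERNAL is authorised to
# modify cn=config (Debian default); file saved as minssf.ldif.
#
# Apply:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f minssf.ldif
#
# Verify (-x -b "" -s base reads the root DSE, so no bind DN is needed):
#   ldapsearch -ZZ -H ldap://127.0.0.1:389 -x -b "" -s base   # succeeds
#   ldapsearch     -H ldap://127.0.0.1:389 -x -b "" -s base   # fails with
#                  result 13 "Confidentiality required"
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: minssf=256
-
# ldapi:// sessions get a fixed SSF (olcLocalSSF, default 71). Without
# raising it, the socket used to administer cn=config would itself be
# refused once minssf=256 is in force, locking you out of the config.
replace: olcLocalSSF
olcLocalSSF: 256
```

Two things to check before copying the value 256. The StartTLS extended operation itself is exempt from the SSF check, so clients can still negotiate TLS on port 389; every other operation on a connection whose SSF is below minssf is rejected. The TLS SSF slapd assigns is the key length of the negotiated cipher, so minssf=256 also refuses sessions that negotiated AES-128 (SSF 128); if the goal is only "no cleartext", a lower minssf such as 128 is usually what is wanted.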